The Travelers Risk Index
The Travelers Risk Index provides an annual snapshot of risk viewpoints from over 1,200 business decision makers across the country.
This 2022 survey looks at the top concerns of U.S. businesses and how companies are dealing with the risks they face every day. The survey participants represent small, mid-sized and large businesses from a variety of industries including construction, real estate, healthcare, technology, retail, transportation, wholesalers, professional services, manufacturing, banking/financial services, publicly traded, nonprofit and public sector.
Overall Business Risk Concerns
Worries about broad economic uncertainty, fluctuations in oil and energy costs, the ability to attract and retain talent and supply chain risks have all increased substantially compared to a year ago.
Despite the current environment and challenges businesses face …
-
Inflation at highest levels in 40 years
-
Millions of employees resigning
-
Unprecedented global supply chain challenges
-
Rapid changes in oil and energy costs
Cyber Risks
In the ninth installment of the Travelers Risk Index, 67% of survey participants said they believe the business world is riskier than it was a year ago.
Participants considered the overall amount of risk faced every day, including risks to employees’ and customers’ safety, business property, financial well-being and general business risks.
Business leaders were asked what their biggest business concern was.
Choosing from a list of concerns including workforce changes, extreme weather, US trade policy, corporate reputation, intellectual property (IP) risks, benefit cost inflation, legal liability, environmental concerns, global economy, financial issues, regulatory concerns and supply chain risks. The top 5 concerns among businesses of all sizes and all industries are:
-
Cyber risks (59%)
-
Broad economic uncertainty (57%)
-
Fluctuations in oil/energy costs (56%)
-
Ability to attract/retain talent (56%)
-
Medical cost inflation (55%)
-
Cyber risks (62%)
-
Increased employee benefit costs (61%)
-
Ability to attract/retain talent (59%)
-
Medical cost inflation (59%)
-
Supply chain risks (58%)
-
Cyber risks (62%)
-
Ability to attract/retain talent (61%)
-
Medical cost inflation (57%)
-
Broad economic uncertainty (55%)
-
Fluctuations in oil/energy costs (55%)
-
Broad economic uncertainty (61%)
-
Fluctuations in oil/energy costs (57%)
-
Cyber risks (54%)
-
Medical cost inflation (51%)
-
Supply chain risks (51%)
More than half (57%) of the participants
think it is inevitable that their business will be a victim of a cyber attack.
Cyber Concerns and Victimization
Cyber attacks are not random and a single attack can shut a company down for a long period of time or worse, put it out of business.
Cyber criminals target companies with certain vulnerabilities. We surveyed business leaders representing a variety of business sizes and industries to understand their viewpoints about cyber risks and threats that exist.
No matter the size of business or industry, business leaders share similar cyber concerns.
Some of their biggest concerns include
Security breach/someone hacking
System glitch causing organizations’ computers to go down
Becoming an extortion/ransomware victim What is RANSOMWARE?
It’s a form of malicious software (“malware”) used by cyber criminals to obtain access to a victim’s network. They can use it to steal data, commit fraud or launch a ransomware attack. This type of attack encrypts a company’s computer system and data and allows the criminals to demand a ransom in return for a decryption key.
Unauthorized access to financial accounts
Security breach/system glitch at a vendor
Having the resources and know-how to recover from cyber-related events
Security breach/someone hacking
System glitch
Becoming an extortion/ransomware victim
Employees putting information/systems at risk
Security breach/system glitch at a vendor
Theft/loss of customer/client records
Security breach/system glitch at a vendor
Having the resources and know-how to recover from cyber-related events
Security breach/someone hacking
System glitch
Becoming an extortion/ransomware victim
Unauthorized access to financial accounts
Unauthorized access to financial accounts
Security breach/someone hacking
System glitch
Becoming an extortion/ransomware victim
Having the resources and know-how to recover from cyber-related events
Failure of operate business/lost income
Given the increase in remote working there is a new set of cyber threats that business leaders are concerned about.
For instance, employees may inadvertently put systems at risk when accessing their email remotely and bad actors may exploit open ports to infiltrate a network, which can lead to ransomware attacks and other cybercrime schemes.
Ransomware is a growing threat that is gaining the attention of more and more business leaders.
What was the 8th biggest concern in 2019 is the 3rd biggest concern today.
Recently, ransomware attackers have become more aggressive, asking businesses to pay six, seven and even eight-figure ransoms. These criminals are deleting backups, and in some cases, threatening to disclose sensitive or confidential data, making it harder for businesses to recover from such an attack.
Victimization by the Numbers
The 2022 Travelers Risk Index can confirm that business leaders have good reason to be worried. For the seventh consecutive year, the number of businesses reporting being victimized by a cyber event has increased.
Since 2015
There has been a 160% increase in the percentage of businesses stating they have experienced a cyber event.
In 2022
26% of those surveyed said their company had been a cyber victim, with nearly half reporting the event happened within the past 12 months.
And businesses that are attacked once have a 71% chance of getting attacked again.
These cyber events are not random – if a business was vulnerable before and didn’t take appropriate action as a result, they continue to be at risk. It’s important to take the prospect of a cyber attack seriously and to put the business in position to successfully manage a likely event.”Tim Francis
Travelers Enterprise Cyber Lead
The top 5 cyber events that businesses are experiencing.
A security breach continues to be the most frequently cited cyber event, followed by employees putting information/systems at risk, a company being the target of cyber extortion/ransomware, a system glitch causing organizations’ computers to go down and theft or loss of control of customer or client records.
-
Security Breach (38%)
-
Employees putting information/systems at risk (33%)
-
Extortion/ransomware (28%)
-
System glitch (27%)
-
Theft or loss of customer/client records (26%)
Cyber Preparedness
Effective measures that have proven to reduce the risk of becoming a cyber victim are available, but based on these survey results, not enough companies are taking action. In fact, businesses of all sizes seem to be overconfident in navigating the evolving cyber landscape, which may cause a false sense of security.
93% of business report that they are confident that they have implemented best practices to prevent or mitigate a cyber event.
Yet, most businesses have not implemented basic prevention measures.More than 25% of business are not even implementing the most basic practices, such as firewall/virus protection, data backup and password updates.
64% do not use endpoint detection and response (EDR)
EDR can help protect and monitor an enterprise network by identifying suspicious activity before the rest of the corporate network is exposed to unnecessary risk. An EDR solution can provide far greater capabilities than a traditional antivirus solution as it monitors for anomalous behavior on each system rather than simply searching for malware.
To help Travelers CyberRisk policyholders receive access to the SentinelOneTM EDR Platform for 60 days at no additional cost.
53% do not have an incident response (IR) plan
An IR plan is a document that outlines an organization’s procedures, steps and responsibilities in the event of a cyber event. It prioritizes mission critical functions, identifies the IT systems that support them and documents recovery and response actions to help quickly restore operations. A well-designed IR is a living, breathing document that should be regularly reviewed and updated.
As part of the Travelers eRiskHub®, a web portal for CyberRisk policyholders, an incident response planning roadmap is available as well as other IR planning services and resources.
63% do not have a post breach team on retainer as part of an incident response (IR) plan
When a business suffers a cyber event, minutes matter. Experienced teams of specialized professionals such as data breach coaches, digital forensics experts and public relations professionals, can be engaged to help an organization manage the fallout of an attack. To expedite the process, consider identifying a post breach team prior to a cyber event, and even keeping the team on retainer as part of your organization’s IR plan.
Through our experience and knowledge, Travelers offers CyberRisk policyholders expert resources, including a data breach coach.
48% do not use Multifactor Authentication (MFA) for remote or admin access
MFA is a security method that requires the use of two or more authentication factors to verify a user’s identity prior to gaining access to an organization’s network, access to their email remotely or access to privileged or administrative accounts.
According to Microsoft, 99.9% of account compromise attacks can be blocked by MFA.1
The top reasons provided by respondents for not using MFA:
-
MFA is too inconvenient for users
MFA is simple for businesses to implement and typically requires no external hardware. Once established, the use of a secondary identification method such as a token simplifies the authentication process for users while dramatically improving the security of your network.
-
There are other controls in place
Traditional anti-virus software is no longer sufficient to protect a company’s network. A multi-faceted approach to cybersecurity – including MFA – is essential to protect against these ever-evolving cyber threats.
-
They don’t know what options exist
MFA options can vary, so to help Travelers offers its CyberRisk policyholders access to a one-hour consultation with a HCL Technologies Security Coach who can provide much-needed expertise and help pave the way for a stronger cybersecurity program.
Listen to Tim Francis, Enterprise Cyber Lead, and Ken Morrison, Cyber Risk Management, discuss what MFA is, how it can help protect a business and what an organization should consider when implementing this added layer of protection in this edition of the Travelers Cyber Academy® Podcast
Learn from the expertsSmall businesses are even less prepared.
The likelihood of a cyber event happening is not based on the size of a company. Many times, bad actors target existing vulnerabilities, meaning small businesses could be even more at risk.
STEPPING UP YOUR PROTECTION
Being prepared is still the best defense against cyber threats. And businesses that suffered a cyber event said their company took at least one of these five preventative steps to boost their cybersecurity.
-
Backed up data (68%)
-
Kept systems up to date (67%)
-
Implemented Multifactor Authentication (MFA) (53%)
-
Created an incident response (IR) plan (48%)
-
Used an Endpoint Detection & Response (EDR) tool (46%)
Want to help protect your business?
Watch this video with tips from Travelers Enterprise Cyber Lead, Tim Francis
Cyber Insurance
Prepare your business with cyber insurance coverage and solutions.
72% of business leaders think having cyber insurance is critical…
…yet not all businesses have purchased the protection.No matter the size or industry of the business, many are left vulnerable without cyber insurance:
Small businesses
without cyber insurance
Mid-sized businesses
without cyber insurance
Large businesses
without cyber insurance
Almost half of the businesses in these industries said they do not have cyber insurance to help protect their business assets.
Real Estate
Healthcare
Retail
Wholesale
Professional Services
Nonprofit
Public Sector
What Every Business Leader Should Know
Travelers has long been committed to managing and mitigating cyber risk, with a dedicated team of underwriters, claim professionals and risk control specialists who work to help insure and protect customers’ assets.
Learn more about how Travelers can help businesses prepare for and prevent cyber threats.
Get Ahead of Cyber Risks