Helping SME’s Demystify Cyber Insurance Webinar

(DESCRIPTION)
A slide presentation is on the left. On the right are speaker and participant videos. From the top down, there is Christopher Scott, Sagar Shah, Chris McMurray, and James Doswell, with 183 other participants below. Slide: Today's agenda. Text: Step-by-Step SME Claim Scenarios. Inside a Business Email Compromise Incident plus Q&A. How a Ransomware Attack Unfolds plus Q&A. Latest Risk Services and How They Support Your Clients. Why Choose Travelers for Cyber. An image shows a person typing at a display on a clear screen. Chris McMurray's name is highlighted as the speaker.

(SPEECH)
MCMURRAY CHRIS: So let's get started with the business email compromise example.

(DESCRIPTION)
Slide: Inside a Business Email Compromise (BEC) Incident. A graphic has seven columns with arrows pointing between them from left to right. First column Text: Profile. Local home renovation firm with 7 staff, specialising in extensions and refurbishments. No online sales or advertising - business built on word-of-mouth and long-standing supplier relationships that have become personal friendships. Annual turnover: 1.5 million pounds. Above the column there is Text: 50% of SME's hit by cyber security breach or attack in last 12 months. Some businesses face the risk of closure following major cyber attacks. Second column Text: Precautions taken. Email is used for quotes, invoices, and order confirmations with customers and suppliers. To manage this safely, they rely on an MSP to filter spam and, while aware of phishing, feel confident spotting attacks. With no online sales and minimal digital presence beyond Trustpilot, they consider their overall cyber risk low. Above the column there is Text: 50% of small businesses and 32% of micro use a Managed Service Provider (MSP). Third column Text: The breach. An employee is targeted in a spear phishing attack, receiving a genuine-looking invoice requiring a login "for security." The login leads to a false webpage, and without multi-factor authentication (MFA), the attacker gains access to their closed mailbox. The employee unknowingly pays 20,000 pounds to the attacker. Above the column there is Text: Almost half of our claims in the past 5 years have included Business Email Compromise (BEC).

Fourth column Text: The Impact. The attack goes unnoticed until a supplier questions the unpaid 20,000-pound invoice - panic sets in. Hackers access confidential emails to redirect payments. The company suffers reputational damage and financial loss, and employees face high stress managing the incident. Above the column there is Text: Cyber attacks often go unnoticed, making the true scale of damage unclear. Standard Management Service Providers (MSPs) aren't breach specialists and. can have businesses exposed during attacks. Fifth column text: The recovery. With support from Travelers' expert response team, the business isolates affected accounts and restores access. Above the column there is Text: 24/7/365 Cyber Support Hotline. Breach coach responds in about 30 minutes. Business Email Compromise (BEC) incidents typically take 1 to 4 weeks to resolve. Sixth column Text: The aftermath. The response team conducts a full system review and implements security upgrades, adding Multi-Factor Authentication (MFA) and checking email logs. Operations are restored, sensitive data secured, and confidence rebuilt. Wellbeing support and counseling is offered to affected employees. Above the column there is Text: Post-Incident Consultation. Multi-Factor Authentication (MFA) implementation support. Cyber wellbeing support. Seventh column text: Summary. The attack was contained quickly but left lasting reputational and supply chain concerns. Third-party liability cover applies if suppliers or customers claim damages due to compromised data or communications. Strong MFA controls will help mitigate future risk. Total recovery costs: 40,000 pounds. Above the column there is Text: Travelers leading Risk Services: Threat monitoring and alerts, plus prepare and prevent guides. Enhanced Protection: Any One Claim Crime Coverage.

(SPEECH)
Now, as I mentioned, this was an SME client of ours, in the construction industry with less than 10 members of staff. And we often think of when a client has a breach that it's got an impact on their ability to trade, such as their website for example. But this particular one, they weren't actually relying upon their website to trade.

They were very much reliant upon word of mouth. And that was where the revenue came from, pretty much, within the industry. We mentioned and said already that this type of thing doesn't tend to make the press because as you see, the ones that are very large in size versus this one, which was revenue of 1.5 million.

Unfortunately, that isn't uncommon, with almost half of all UK SMEs being hit with a cyber breach in the last 12 months. This is in part due to them being viewed as low-hanging fruit, in some ways, for threat actors, as they don't have the same resources to protect themselves as maybe some of those larger companies.

And often, they form part of a supply chain into those larger entities, which for a threat actor, is often a good way into trying to breach them. There's also the sad fact that some of those SMEs who are breached don't actually survive and ultimately go out of business. And this may be due to not just the initial financial impact, but other factors, rather, such as reputational damage.

As part of the underwriting process, we look at the security controls a client has in place. Coming to you first, James, we know clients need to be proactive in protecting themselves. In this particular example, what measures did they have in place and are they typical for a company of their size?

DOSWELL JAMES: Thanks, Chris. Yes. So certainly, I mean, in terms of precautions taken, the insured use email for quotes, invoices, order confirmations, general communications with customers and suppliers And to manage this safely, they rely on a managed service provider to filter out spam. And they're aware of phishing-- they felt confident in spotting attacks.

With no online sales and minimal digital presence beyond perhaps Trustpilot and similar, they consider themselves relatively overall low-risk where cyber is concerned. And they'd thought about and discussed phishing, but felt relatively safe and that they would spot an attack when it happened.

Sagar, before I talk about the breach, are you able to provide some examples of where our services really complement this type of company and environment?

SHAH SAGAR: Yeah, of course. So as the stat shows, it's very common and understandable for many small businesses to rely on managed service providers. I want to call out two services that we have seen our insureds that use MSPs leverage and the positive feedback that we've gotten about them. The first is eRiskHub, which is an online cyber resource portal offered to all of our insureds. It's a centralised location where clients can learn, prepare, and respond with access to things like training modules, self-service risk assessments, best practise templates, and incident response playbooks.

And secondly, as our insurers are working with their MSPs, looking into eRiskHub questions might come up. And when they do-- or if they even want to run something past our experts-- our team is always available for security consultations throughout their policy period at no additional cost. But with that, let me pass it back to you, James, to see what happens next in our scenario.

DOSWELL JAMES: Certainly. So the breach. In this case, an employee in the finance team was directly targeted in a spear phishing attack and received a genuine-looking invoice as an email attachment. It had the requirement to log in to view it for security. The login actually took the member of staff to a fake but very realistic-looking login page that was actually hosted by the attacker.

The user entered their details and due to a lack of MFA-- Multi-Factor Authentication-- on the user's email account, they literally gave the attacker the full details to log into their cloud-based mailbox in what is potentially a very typical type of phishing attack. The user was then provided with a relatively basic invoice appearing to be from a well-known supplier, and they realised it was a fake, closed it down, deleted it, but it didn't occur to them that this would actually have compromised their login details-- they didn't think about that part.

What happened after this is that the attacker gained access to and quietly monitored that email and the communications in that mailbox for several weeks. And the person whose mailbox it was didn't really think anything more of it. Basically the attacker included a hidden copy-and-forward rule in the mailbox settings, and then waited for a supplier invoice or client payment instruction to come through.

A reasonably large-value payment instruction came through, and the attacker inserted themselves into the genuine email chain, which ended in a change of bank details on a 20,000 pounds supplier payment. Ultimately, this resulted in the payment being sent to the attacker's account instead of the supplier's.

MCMURRAY CHRIS: Thanks for that, James. So this, unfortunately, as we've said, is a very common occurrence. So we've covered here what's happened to this point. Chris Scott, coming to you from a claims hat on, could you give us a little bit more on how that actually impacted upon the business?

SCOTT CHRISTOPHER: Yeah. Sure, Chris. As you mentioned, we see this type of scenario very, very frequently. I mean, certainly about half the cases that we deal with on the claims side are in relation to either social engineering fraud or business email compromise. So threat actors, who are the criminals behind the attacks will be looking for that low-hanging fruit, as you were mentioning earlier.

And it wouldn't be uncommon to see them sitting in the compromised accounts for a period of time, like James was mentioning setting up those malicious rules. So in terms of this particular case, in terms of the policy response, there was a number of clauses engaged there to really assist the insured in dealing with the incident itself. So the policy provided cover for legal experts. They were able to assist the insured with their legal and regulatory requirements arising out of the breach itself.

So that involved notification to the regulators. And the law firm also assisted with the communications for the insured, which really helped minimise the impact on the insured's reputation. Policy also engaged the use of IT forensics vendors who really helped with that containment, investigation and recovery phases. So that gave the reassurance to the insured that there was no further existing threat from the threat actor. And it also helped inform those notifications required to the regulators.

And then the final element of cover was for the funds loss itself. So the policy provided cover for the fraudulent transfer. So obviously, we've talked a little bit there about how the policy itself responds in terms of the notification path that the insured took. So they telephoned the breach response hotline. So that's open on a 24/7 basis. Within 30 minutes of that notification call, they were put on what's the called a breach response call with the experts. So that involves the breach coach, who's the law firm that we work with, one of the IT forensics panel, as well as the assigned client professional from Travelers.

And from there, we all assisted in formulating the resolution strategy for the insured to tackle this incident itself. So in terms of the forensic investigation that I say, helps contain the incident itself, it also confirmed that there hadn't been any exfiltration of any data from the compromised accounts. And like I say, also informed the scope of that notification to the regulators.

There were very regular touch points with the insured all the way through the incident itself. Really just providing them with updates on the progress of the investigation and where we were getting to. So they were typically chaired by the breach coach. I suppose the final point from me is really just to reinforce on that initial breach response call-- so that is complimentary under the policy. We would always encourage insureds to utilise it as quickly as possible. That way, we can really just formulate that resolution strategy to deal with the incident as quickly as possible.

So with that, I'll pass back to you, Chris.

MCMURRAY CHRIS: Yeah, thanks, Chris. That's a good overview of how the claims process works there. So thankfully, once we're through that recovery stage, what happens in the aftermath? So in this particular case, there was a full system review now carried out by the breach response team. And they implemented security upgrades, including adding multi-factor authentication, checking of email logs as part of that process going forward. The client is now at the stage where they're back up and running as normal, but they still have the process of trying to rebuild customer confidence in their reputation.

There's also the often forgotten part of any breach, which is the human element, as the focus tends to be on the likes of the IT and the business disruption. But it's a very stressful time for those within the business on the front line dealing with any attack. Those responsible for IT, for example, they may feel personally responsible, even if that's not actually reasonable. And that's why we provide a unique cyber wellness service to our insureds that provides confidential counselling for insureds following a breach.

Sagar, just on the theme of services, in addition to that wellbeing support, what other services do we provide that can add value here?

SHAH SAGAR: Perfect. And yeah, I can highlight the cyber wellbeing initiative that you mentioned, Chris. Regardless of the size of the organisation when a cyber attack occurs, the amount of time and energy spent getting out of it exhausts employees. And that's even more for smaller organisations.

But going back to the scenario, one of the recommendations was implementing MFA. And we've heard from our insureds that there's complexities and questions that come up when they go through the implementation process. And that's even more for smaller organisations with smaller security teams. And that's why our team offers MFA implementation support to assist our insureds in providing direct guidance as questions come up throughout the process.

And additionally, after things have calmed down from the incident, our team offers a free post-incident consultation. Really, the focus is to review what happened, controls that were in place, provide guidance and really use the incident as a teachable moment so it helps you insured not just become whole, but stronger for the future. And with that, let me give it back to you, Chris.

MCMURRAY CHRIS: Yeah, excellent, Sagar. And thanks for that overview. OK, so having gone through the breach from cradle to grave, we can see that the attack was thankfully contained quite quickly. But there are lasting consequences for the reputation and issues with the supply chain. Under our policy, we do provide full limit coverage for reputational harm, and we also provide some limited coverage for dependent business interruption for both IT and non-IT that will cover those disruptions to ensure if a supplier of theirs cannot supply to them due to them suffering a cyber breach.

We also-- in a recent cyber risk wording update-- widened our crime coverage for incidents like this to any one claim basis from an aggregate. This provides that extra layer of protection should our insured suffer a repeat attack similar to this in the same policy period. Sagar just before we move on to some Q&A in this one, I just wanted to bring you back in here for a last point on the risk services. And if there is anything else that we can offer to help our insurers here.

SHAH SAGAR: Yeah. And I would add that from our experience, when we see what our insureds go through, when a claim does occur, we also look at it as a learning moment for our team, and that feeds into the services that we offer. So 2, I would call that out. First is our continuous dark web monitoring.

That gives firms comfort that if there were threat actors selling stolen credentials, for example, on the dark web, our team would notify them immediately to get ahead of any potential future incidents. We've heard positive feedback regarding this from brokers and insureds, because they think of it as an extension of their security team. And in today's landscape, where it takes a lot of time, money, and energy to keep eyes everywhere.

Secondly, our team can provide templates and guides for incident response plans and business continuity plans, which are key to reference whenever an incident does occur. And as I mentioned before, the eRiskHub -- that also has a huge selection of other policy templates that can help smaller organisations continue to build and enhance their security programme.

Now we're going to touch on this a little bit later, but I just want to give a little teaser. To make it all easy for all of you and your clients, a concise two-pager that gives an overview of all of our cyber risk services is going to be included in both quotes and issued policy documents, and your underwriter can also share it with you if needed outside of that.

This really helps ensure that everyone understands the added value Travelers provides, and there's no extra paperwork or separate enrollment needed. And this way, it can also help you to start having conversations with your insurers early and demonstrate that their policy is more than just coverage, but active risk reduction.

(DESCRIPTION)
The video feeds of participants Christopher Scott, Sagar Shah, Chris McMurray and James Doswell appear to the right of a slide titled How a Ransomware Attack Unfolds. It includes a flow chart with text: In Q1 2025, 2,241 incidents appeared on ransomware leak sites, the highest quarterly total in four years. Chris McMurray.

(SPEECH)
MCMURRAY CHRIS: So you've all likely heard of, as I mentioned earlier, some of those large retail manufacturing examples over the past few months. But what does that look for a small business? So in this case, we had a small bathroom manufacturer. Again, small number of employees. Revenue, a bit higher than the last one-- at 25 million-- but not huge. And like many manufacturers that are heavily reliant on the systems for the production and inventory.

(DESCRIPTION)
Profile, A bathroom manufacturer with 12 employees, relying heavily on digital systems for production and inventory. Annual turnover, 25 million Pounds. SME's often appear as low-hanging fruit, minimal training and over-reliance on Managed Service Providers, MSPs, leave gaps for attacks. Precautions taken, The insured relied on a Managed Service Provider for IT support, assuming security was fully managed. However, network updates had to be requested from the MSP and often went uncompleted. Employee training was minimal, with a, "Why us?" mind set, believing their technology provider automatically handled all protection against potential attacks.

(SPEECH)
Now, ransomware-- certainly from an underwriting standpoint, not just a client standpoint-- it's probably the one that keeps us awake at night and with good reason. If you look at our Travelers Cyber threat report, this really illustrates why-- because in Q1 this year, there was over 2,200 incidents which appeared on ransomware leak sites. And this was actually the highest quarterly total in the four years that we've kept that record. So I think it shows that the threat is very much alive and unfortunately continues to evolve.

James, coming back to you on this one, we're looking here at small manufacturer. Again, we have an MSP involved. But in your mind, what did their overall precautions look like?

(DESCRIPTION)
James Doswell.

(SPEECH)
DOSWELL JAMES: Thanks. So yeah, you're right. The insured used a managed service provider for their IT support. And it was a complete sweep. And they felt confident that security was taken care of. It's worth mentioning here that network equipment requires updates and patches, just as workstations and servers do. But with the MSP, it had to be requested in order for the MSP to actually schedule it in as work and basically organise resource for it.

So the insured had given cyber attacks very little thought and they believed that all of the IT security they required was automatically done for them, and culturally, the firm viewed cyber as very light touch with little employee training. Their line of thought was very much-- why would a hacker come after me? And besides, we've got a proper technology firm to actually run it for us.

(DESCRIPTION)
Text: Ransomware cases are rising. Claims in the UK and Ireland have doubled. This ransom demand was 500,000 pounds, but attacks can reach 10% of annual turnover. Without cyber cover, SME's bear the full financial risk. The breach, Hackers exploited an unpatched firewall vulnerability the IT provider hadn't yet addressed. They disabled antivirus, stole staff credentials and accessed servers, copying documents. Shared files, design plans and production schedules were encrypted. A ransom note appeared. "Your systems are locked. Contact us or your data will be leaked."

(SPEECH)
So coming to the breach, hackers routinely scan internet addresses, and as vulnerabilities come out, they'll use just in an opportunistic fashion. They'll exploit critical, unpatched vulnerabilities. In this case, the insured's firewall had a vulnerability on their SSL VPN. So the attackers exploited that vulnerability, much like a burglar might use a side window that's been accidentally left open, or if it's got a broken latch. And the breach came in via a gap caused by that misunderstanding where the IT provider hadn't yet addressed the patch and they'd simply not been asked to.

So once inside, the attackers ran software, took over admin controls, and were quickly able to gain full control. They ran automated scripts to disable the antivirus software and harvested staff's credentials. They then remotely connected to the servers. They copied multiple documents out of the company-- and in this case, they actually encrypted shared files, design documents, and the production scheduling system.

The first that the insured were aware of it was that a ransom note appeared-- "Your systems are locked. Pay 500,000 pounds in Bitcoin or your data will be leaked." Perhaps somewhat ironic for a bathroom manufacturer, but certainly not a laughing matter for the insured.

(DESCRIPTION)
Chris McMurray.

(SPEECH)
MCMURRAY CHRIS: Thanks for that overview, James. I mean, I think the point that I would make here as well is we've touched upon that ransomware, cases are certainly rising. And that ransomware demand that you mentioned-- a half a million-- I mean, typically, attacks can reach 10% of annual revenue.

And from a client's perspective, if they didn't have that cyber insurance policy in place, park the ransom for a second, they would have obviously to bear that full financial risk themselves. But then they've got the task of running around and trying to pull together their own breach response in terms of vendors, et cetera. So it really does show that cyber policy has more than just essentially paying your claim at the end of the day.

So we've ran through the profile, we went through what's happened, we went through the actual breach and how typical that actually is. Chris Scott, again, coming back to you, how did this actually impact on the client from a claims perspective?

(DESCRIPTION)
Christopher Scott.

(SPEECH)
SCOTT CHRISTOPHER: Thanks, Chris. So, yeah. I mean, the impact of ransomware attacks, really far reaching. Just to I suppose, say, we're seeing the volume of attacks really on the up, so they've doubled from prior years.

(DESCRIPTION)
Some businesses don't survive an attack. Those that do face long-term operational chaos and reputational damage. The impact, Production stops as machines reliant on digital instructions fail. Inventory, supplier records, email and internal drivers are all inaccessible. The overwhelmed IT provider struggles to respond, while the managing director faces ringing phones, missed orders and frustrated clients. Wiping systems and restoring from backup is advised, but the last full backup is three weeks old.

(SPEECH)
So in this particular scenario, the insured was locked out to their systems and it became evident pretty quickly that there was going to be an issue.

So we saw that the MSP was completely overwhelmed and the insured was receiving lots of calls. So we worked with them to alleviate that pressure. So the breach coach themselves were instructed and provided some communication that the management director could use to field off some of those calls.

So from a policy response perspective, again, a number of areas of the policy that are going to be engaged here to assist the insured with this particular incident. So we had the instruction of legal experts, like I mentioned. They obviously dealt with the communications for the insured, but also assisted with those legal and regulatory requirements as well arising out of the incident, as well as acting as a project manager for the breach response.

We also instructed IT forensics. They were primarily there to help with the containment and the investigation, as well as the recovery of the incident itself. So they certainly worked very closely with the MSP there, really to make that recovery as efficient as possible really. But certainly, as the investigation started, it became very evident that the backups available weren't really viable.

So it was actually necessary to engage with a threat actor negotiator. So again, the policy responded there and picked up the costs of that. So the threat actor negotiator is as it sounds-- it's a specialist firm who are there to pick up the communications with the threat actor, and ultimately negotiate a settlement.

(DESCRIPTION)
Ransom payments are small compared to business interruption and added costs. Ransomware incidents typically take 2 to 8 weeks to resolve after an attack. The recovery, A breach coach and specialist IT vendor assess the damage and confirm backups are unusable. A ransom negotiator secures system access for a 200,000 pound ransom payment, while partners are informed to limit further disruption.

(SPEECH)
In terms of the ransom demand itself-- so obviously, that was subject to very rigorous sanction checks, both from our end and from all of the vendors instructed. But again, the policy responded to cover the ransom payment itself. And then obviously, later on down the line, dust had settled, and the policy also responded to provide business interruption cover for the insured, as well as engaging with a forensic accountant to assist in the calculation of those losses.

So I mean here, the insured did experience a downtime of around 7 weeks. So we really worked with them all the way throughout arranging interim payments just to really keep the cash flow going whilst we worked with the forensic accountants to calculate those overall losses.

In terms of the notification route-- again, very, very similar to the business email compromise incident that we talked about a little bit earlier on. So the insured contacted Travelers through the breach response hotline. So again, that that's open on a 24/7 basis. They were on a breach response call with the experts within 30 minutes of notification.

As I mentioned a little bit earlier there, it became evident pretty clear from an early stage that the viableness of the backups were not able to be used. So the threat actor negotiator picked up communications with the threat actor, obviously bringing in a bit of intelligence from prior incidents that they'd worked with that particular threat actor group before. And we were able to negotiate a settlement from the initial demand of 500,000 down to 200,000.

Obviously, the IT forensics team were also looped in there, really just to test the decryption key, just to ensure that did ultimately work before the demand itself was paid. And then were able to engage with the forensic accountants to get that business interruption loss covered off and put the insured back into it a wholesome position.

In terms of, I suppose, how the incident itself played out, so there were very, very regular touch points. So there were daily calls on this incident, just really to update the insured and make sure that they were able to understand exactly where the investigation was going and where they were looking at from a business continuity perspective. And that way, they're able to really manage that message with the internal and external stakeholders, make sure that they're the impact on their reputation was really as minimal as possible.

With that, I think I was going to pass back to you, Chris.

(DESCRIPTION)
Chris McMurray.

(SPEECH)
MCMURRAY CHRIS: Yeah, thanks for that, Chris. Again, good, detailed overview.

(DESCRIPTION)
Cyber Expert Security Consultations, Vendor recommendations. The aftermath, the investigation reveals a mix of patching delays and weak credential management. New controls are introduced, including continuous monitoring, VPN checks and enforced password rotation.

(SPEECH)
So then looking at the aftermath-- so the investigation revealed a mix of patching delays and weak credential management had helped lead to that breach. New controls were introduced, including that continuous monitoring VPN checks, and enforced password rotation.

Sagar, again, coming back to you from the services perspective, what else can we add here as a layer to help our clients?

(DESCRIPTION)
Sagar Shah.

(SPEECH)
SHAH SAGAR: No, this is perfect. And I think one thing to mention is that it's common, with not just smaller organisations, but a lot of organisations around keeping up with patching-- because there's always vulnerabilities out there, and it takes time to determine whether there's an impact and how bad it is to your organisation. And so with that in mind, our team provides external perimeter and alerting.

What this is Travelers ongoing scanning, which continuously monitors the external perimeter environment, similar to how threat actors might do to identify potential threats similar to what James mentioned. And when a new cyber threat or vulnerability is identified, such as an open port or an outdated software being exploited, our team analyses it and determines which insureds are potentially exposed. Those insureds and their brokers receive an alert within hours, often days before public exploitation occurs.

These alerts include the specific steps for remediation and really helps our insureds act fast and hopefully prevent potential incidents. And our data shows and supports this, that the insureds get an average 15 days advance notice before the alerted threats are exploited in the wild, and they're able to patch their systems three times faster, which is a huge benefit that many of our insureds give us feedback on.

(DESCRIPTION)
Travelers Leading Risk Services, Business continuity planning, BCP, incident response planning, IRP, and continuous dark web monitoring. Summary, The claim highlights the importance of timely patching, proactive monitoring, and strong credential controls. Total recovery costs and lost revenue, 430,000 pounds. Logo: Travelers.

(SPEECH)
Secondly, as you can see in the scenario-- with the recommendations that come after a breach, not everything can be managed in-house just based on the team capacity, budget, priorities, or even knowledge. And many organisations will look at external vendors to help support them.

What our insureds we've seen do is they can shoot us an email or schedule a time with our team if they want recommendations based on what we see other organisations in similar size or scale using. They can also talk to our experts on best practises, answer questions around the recommended security controls, or anything else that they just want to bounce off an expert. We really like to highlight that we're here to help support our insureds throughout their security journey. With that, I'll get back to you, Chris.

(DESCRIPTION)
Chris McMurray.

(SPEECH)
MCMURRAY CHRIS: Thanks for that, Sagar. So in summary, this is a claim that is a typical ransomware scenario, and it highlights the importance of cybersecurity not being a one and done approach, it's an ongoing process that takes work-- it takes time, it takes investment. And you can also see here that there's many different functions when a breach occurs from a breach response perspective. And the various vendors that are needed to resolve that incident.

Without a cyber insurance policy providing that key support, an SME would have to run around and try and pull that together on their own at a time when they're likely probably in full-blown panic mode, don't know where to turn, and ultimately, they need to focus on keeping the business as functional as they possibly can at that point.

The other point I would make is there's also often a lot of focus on the ransom payment itself. But as you can see here, the amount that is actually made up on the breach response course, as opposed to the actual ransom itself-- if we even have to pay a ransom. That's why we now offer, as an optional extension, breach response course outside of the limit. This adds an extra layer of protection for our clients to insulate those breach response costs, whilst keeping the main policy limit intact.

Sagar, coming back to you-- and I know you've already touched upon some of these risks services in both examples already-- but is there anything else that you want to mention here that would be of assistance?

(DESCRIPTION)
Sagar Shah.

(SPEECH)
SHAH SAGAR: Yeah. And I think we've mentioned a lot of our services. But I think one thing to highlight is a common theme across both these stories-- is that threat actors don't discriminate by size. What really makes a difference is preparedness. And so the risk services aren't about preventing every attack, but they are about giving you and your clients a head start when one happens. And they are free, they're simple to request. And hopefully, will show your clients that you are continuing to be ahead of the curve in supporting them on their security journey.

(DESCRIPTION)
Logo: Travelers. Slide title: Threat Alerting in Action. Four points appear along a timeline. The first point has a label that reads, "Insured VPN is compromised." The second point has a label that reads, "Within minutes Travelers sent an email alert and a Travelers Risk Advisor called the Insured and broker." The third point has a label that reads, "VPN is taken offline to investigate the incident." The fourth point has a label that reads, "Risk Advisor works with the Insured to get MFA set up on VPN accounts." At the end of the timeline is a red shield with the text 250,000 pounds next to it. A label reads, "Major ransomware claim averted at an estimated cost of circa 250,000 pounds." Sagar Shah speaks.

(SPEECH)
SAGAR SHAH: One of the most impactful parts of the cyber risk services is our threat monitoring and alerting programme. And so I thought it'd be beneficial to run through an example of our threat alerting in action. So recently, our cyber risk services team received an urgent notification that a threat actor had compromised one of our insured virtual private networks and was selling access to other criminals on the dark web.

So the team raced against the clock to notify the insured and take steps to avoid a full blown incident. And so what that means is within minutes, we sent them an alert and our in-house expert was on the phone trying to reach the insured as well as the broker.

We eventually got the insured on a call and with our in-house expert, they made sure that immediately they revoked access for the compromised VPN account, and they took the VPN offline to really investigate and find if there's any evidence that a threat actor had been trying to get in. And what they did find that a threat actor had been trying different password combinations before successfully connecting to the VPN via an account that had a weak password.

So what next steps was is that the Travelers' expert worked with them to get MFA set up on their VPN accounts, and ensure that there was no evidence of further access by the threat actor in their network. And so what to highlight here is that in these scenarios, things move fast. And so once a threat actor sells access, it's often a ransom group will be knocking at the door within a day or two.

So the quick action by our Traveler cyber risk services team really resulted in what we like to call a major win. And that is that the insured avoiding a far more impactful claim and likely avoiding a 250,000 pound ransomware claim.

(DESCRIPTION)
A video conference. A slide with text: 2-page Cyber Risk Services Overview in quotes and issued policies. Two sheets of paper appear. The first has text: Travelers. Travelers Cyber Risk Services. Monitoring, tools and services that help to predict and prevent cyber threats so that you can focus on growing your business, not responding to cyber attacks. Travelers Cyber Policies Include: Always-on threat monitoring and alerts. Take action with same-day threat alerts that help to stop attacks before they escalate. Review step-by-step actions tailored to your organisation. Policy Onboarding. Meet your Travelers Cyber Risk service team and get familiar with your service offerings. Review your current security report and receive actionable recommendations. Expert Guidance from Our In-House Cyber Risk Services Team. Get personalised guidance to strengthen security and reduce risk. Maximise the effectiveness of your security investments. Latest Enhancements in Risk Services.

Recover quickly with tailored post-incident consultations. Streamline your service experience with claims onboarding. Enhance security with comprehensive employee awareness training and incident response planning templates. Policy holders who act on these alerts have been able to patch up to three times faster, with an average of 15 days advance notice provided before threats are exploited in the wild. Customer Story. Policyholder virtual private network (VPN) credentials are seen for sale on a dark web marketplace. Within minutes, Travelers has reached the policyholder and broker. VPN is taken offline to prevent the spread of attack. Travelers helps set up multifactor authentication (MFA) on VPN accounts. Major ransomware averted, avoiding potential interruption to operations, reputational harm and an estimated 250,000 pound plus claim. 

How it works. 1. Get started. Once your policy is in effect, please email [email protected] to notify our team that you're ready to register. 2. Onboarding. Our team will send you a scheduling link for your Onboarding Call. 3. Year-Round Support. Schedule an eligible service from the menu below any time by sending us an email. A chart with columns Online Tools and Always-On Services and All Travelers Cyber Policyholders. Checkmarks appear under All Travelers Cyber Policyholders for Travelers eRiskHub, External perimeter scanning, Personalised alerts for emerging cyber threats, Continuous dark web monitoring, Cyber expert security consultations, Multifactor authentication implementation support, Self-service risk assessment, Employee security awareness training, Vendor recommendations, Claim onboarding video. Another chart with columns Expert Support, Up to 100 million pounds Revenue, and 100 million pounds plus Revenue. Checkmarks appear under up to 100 million pounds revenue for Policy onboarding call with text: 30 minute call, Claim onboarding call, Meet the data breach coach, and Post-incident consultation with text: 1 hour call. In rows Incident Response Planning (IRP) and Business Continuity Plannnig (BCP), under up to 100 million pounds revenue, it states text: Template and guide. Checkmarks appear for all rows under 100 million pounds plus revenue for Policy onboarding call with text: 30 minute call, Claim onboarding call with text: 30 minute call, Meet the data breach coach, Post-incident consultation with text: 1 hour call, Expert risk assessment with text: 1 hour call, Incident Response Tabletop Exercise with text: 2 hour virtual prep call, Incident Response Planning with text: 1 hour call, and Business Continuity Planning with text: 1 hour call. You and your insurance representative can reach us at [email protected]. Sagar Shah.

(SPEECH)
SAGAR SHAH: I hinted at this earlier, but I thought it'd be good to show it. This is the two-pager that will hopefully make it easy for you and your clients to really understand the cyber services.

And these are-- this two-pager, sorry, will automatically be included in both quotes and issued policy documents. And really, the goal is to make sure everyone understands the added value Travelers provides without any doing extra paperwork or separate enrolment.

And it's a little small at the bottom, but you'll see it when you receive it. But you can reach out to our team by sending an email to [email protected] or you can reach out to your underwriter, and they can talk to you about the services or connect you to our team.

(DESCRIPTION)
Slide. Text: The Travelers Cyber Risk Services Difference. Graphics of a headset, a magnifying glass, a lock in a shield, and a bell. Text: Targeted Alerting, Industry Leading Intelligence, No Additional Cost, Impactful Results.

(SPEECH)
And if you go to the next slide, I did want to highlight what truly differentiates Travelers, isn't just that we offer services, it's how we deliver them. And there are four main things that I believe make us stand out. First, it's targeted.

Last year, there were 40,000 known vulnerabilities, and we cut through that noise and alerted only when something truly mattered, and it truly impacted our policyholder. And the intent behind this is really to avoid email fatigue or alert fatigue.

Second, it's faster. Our proprietary threat intelligence pipeline allows us to alert insureds the same day a vulnerability is identified, versus our competitors, who often take up to two weeks because they sometimes rely on a third party.

And third, and I can't emphasise this enough, it's free. Unlike some of our competitors who charge additional fees, all of our cyber risk services are included at no extra cost. And really, our goal is that every insured benefits from these capabilities.

And finally, it's proven. I mentioned the stat before, but insureds who act on our alerts patch up to three times faster, with an average 15 days advance notice before these threats are exploited in the wild.

So really, if I had to summarise, in short, Travelers Cyber risk services combines precision, speed, accessibility, and proven results to give you and your clients the confidence that Travelers is more than just an insurer. We're a partner in resilience.

(DESCRIPTION)
Slide. Text: Why Travelers? Global cyber market. £5 million capacity. Increased 10 million pound limit option for risks 250 million pounds + revenue. SME, Mid-Market, and Corporate appetite. Primary and Excess appetite. E-trade for risks up to 100 million pound revenue slash 3 million pound quote and bind. Pre-loss services and post-breach response expertise. Wide industry appetite - we underwrite the risk! Four awards appear. Two have text: Insurance Business UK 2025 5-Star Cyber. 2025 5-star claims. Insurance Business. Intelligent Insurer. Cyber insurance awards Europe. 2025. Awareness initiative. highly recommended. Intelligent insurer. Cyber insurance awards Europe 2026. Finalist.

(SPEECH)
So with that, let me pass it back to you, Chris.

(DESCRIPTION)
Chris McMurray.

(SPEECH)
CHRIS MCMURRAY: Yeah, thank you for that really good overview there, Sagar. So to finish up today, you've heard a lot from us on the exposures and how those have played out in real life, and how our product and risk services can add value to your clients. So to bring all that together, why should you place your client's cyber with Travelers?

Well, first of all, we're an established global market for cyber. Travelers began writing cyber in its initial form, it looks very different now, of course, in the late '90s in the US. We can provide 5 million limit capacity to your SME clients, rising to 10 million for those slightly larger at 250 mil revenue and above to make sure your clients have adequate protection.

You also have our online MyTravelers portal that you can access and quote and bind risks up to 100 mil revenue and 3 mil limit. And in the coming month or so as well, we will be adding in the Travelers' scan capability to that platform, which is our outside to scan, which gives a score to your clients, alerts them on vulnerabilities.

So again, adding that extra level of protection and then leading into some of the services which Sagar had mentioned as part of that.

We have spoken a lot about SMEs today, that's been the main focus, but we do write business internationally for SME, mid-market, and large corporate clients, both on a primary and excess basis. And as the panel have covered those risk services and that key post breach response, we offer to all our cyber insureds.

The other thing to mention is we do write these risks across a wide range of industries that, in fact, very few trades that we don't write based solely on what they do. At Travelers, we like to underwrite the risk. And if we can get comfortable with their controls and their exposure, then we will look to write that business.

Final takeaway for me is clients shouldn't think of investment in cybersecurity versus purchasing cyber insurance as a choice and a decision that they have to make. They both should go very much hand-in-hand to provide that maximum protection for those businesses who sadly, if they haven't been breached already, they likely won't have very long to wait until they are.