Attacks on VPNs Help Drive Ransomware Activity to New Highs
Key takeaways
- Increase in ransomware activity: 2,453 victims were posted to leak sites in Q4, making it the highest quarter on record and representing a 48% increase over Q3.
- Qilin dominates the threat landscape: With 551 victims in Q4, Qilin accounted for 22% of all ransomware attacks and more than doubled its Q3 activity following aggressive affiliate recruitment.
- Attacks on VPNs continued: For the second quarter in a row, the major tactical story was attacks on VPN technology, particularly a category known as Secure Sockets Layer (SSL) VPN.
Speaker 1
(DESCRIPTION)
Logo: Travelers. Upper left corner. Text: "Q4 2025" and "Cyber Threat Report." Large title text: "Attacks on VPNs Help Drive Ransomware Activity to New Highs." Date: "February 25, 2026." Background image: silhouette of a person standing in a brightly lit doorway flanked by dark server racks, with user profile icons visible in the background. Lauren Winchester visible in video inset, upper right corner.
(DESCRIPTION)
Lauren Winchester. Head of Cyber Risk Services, Travelers.
(SPEECH)
Hi, everyone. Good morning. Thank you so much for joining us today to discuss our Q4 2025 cyber threat report. I'm Lauren Winchester, head of cyber risk services here at Travelers, and we are a team that's dedicated to helping our policyholders and our broker and agent partners predict, prevent, and hopefully recover from cyber attack should they have them.
I'm gonna start with the headline first. Q4 2025 was the highest quarter on record for ransomware leak site activity. And what made threat actors so effective was really their use of poorly secured virtual private networks or VPNs. So today, we're gonna cover a review of that ransomware leak site data. And for the uninitiated, ransomware threat actors will often steal data when they get into a network, and they will post their victims up on their dark web leak sites. And even those that choose to pay, their names will have been listed on the leak site for a time, and we are able to grab that data and better understand this kind of as a proxy for how much ransomware activity is going on any given quarter, and that's what we report on here in this report. So we'll get a pretty decent view of a majority of the ransomware activity that's going on globally.
We'll then turn to our claims and use our claims data to help inform what the trends are. And finally, we'll talk about what are some best practices for preventing the types of attacks that we're seeing so that you can better protect your company or your clients.
(DESCRIPTION)
Slide: "Panelists." Four circular headshot photos displayed in a row. Left to right: Lauren Winchester, Head of Cyber Risk Services, Travelers. John Lippe, Director, Cyber Forensic Claim, Travelers. Fayon Atkinson, Senior Manager, Cyber Risk Services, Travelers. Joshua Doguet, Senior Manager, Incident Response Intel, Travelers. Travelers logo in lower right corner. Lauren Winchester visible in video inset, upper right corner.
(SPEECH)
Alright. So on to our panelists, the stars of the show here. We have John Lippe back again, our director of cyber forensic claim. John works with our dedicated cyber claim team to better understand the digital forensics and incident response investigations that happen on our claims. John's been working in IT for over thirty years in various roles, and he's been focused on cybersecurity in his time here with Travelers, managing key security controls for the enterprise, developing and maturing the digital forensics and e-discovery practice within our own risk control digital forensics lab, and that enables a really deep technical expertise in support of Travelers Investigative Services and the enterprise claim.
We are also joined by Fayon Atkinson, a senior manager of cyber risk services. Fayon provides cyber expertise across Travelers working closely with underwriting teams to assess cyber risk at scale, and support any broker and agent inquiries that we get. Fayon also works with our policyholders, advising them proactively on security measures from recommending security program improvements based on the evolving threat landscape to providing remediation guidance for known vulnerabilities.
And last but not least is Josh Doguet, senior manager for Incident Response Intel. Josh monitors the cyber landscape for emerging threats that could impact our policyholders' environments, and he assists policyholders with mitigating any of the imminent threats that we've alerted them to. Additionally, Josh analyzes and derives insights from our incident response and claim data that help support the larger team efforts. And prior to joining our team, Josh spent several years as a corporate defense litigator and also on our cyber claim team.
So welcome everybody. Thank you so much for joining. I think the first place that we wanna really start is with you, Josh.
(DESCRIPTION)
Slide: "Disclaimer." Text reads: The views expressed in these materials are those of the author and do not necessarily reflect the views of The Travelers Companies, Inc. or any of its subsidiary insurance companies ("Travelers"). This material is for general informational purposes only and is not legal advice. It is not designed to be comprehensive and it may not apply to your particular facts and circumstances. Consult as needed with your own attorney or other professional adviser. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. Availability of coverage referenced in this document can depend on underwriting qualifications and state regulations. Claim scenarios are based on actual situations, composites of actual situations, or hypothetical situations. Resolution amounts are approximations of both actual and anticipated losses and costs. Facts may have been changed to protect confidentiality. Travelers logo in lower right corner.
(SPEECH)
Oh, sorry. Requisite disclaimer, you all saw it. But Josh, turning to you first. Your team analyzes our ransomware leak site data. Can you help us understand what trends you're seeing in the data from this past quarter and how that compares to other activity we've seen?
(DESCRIPTION)
Slide: "What's in this edition." Three sections displayed on right panel against a dark teal left panel. Section one in bold: "Record-breaking ransomware activity." Bullet: "2,453 victims were posted to leak sites in Q4, making it the highest quarter on record and representing a 48% increase over Q3." Section
Speaker 2
(DESCRIPTION)
Joshua Doguet. Senior Manager, Incident Response Intel, Travelers.
Speaker 2
(SPEECH)
Speaker 3
Yeah. Of course. So everyone might recall that last quarter, we talked about Q3 leak site activity rebounding after a dip in Q2, and that we expected that upward trend to continue. And, unfortunately, the data from Q4 confirms that outlook in a pretty dramatic way. So in the fourth quarter of 2025, nearly twenty-five hundred victims were posted to ransomware leak sites, and that is the highest quarterly total that we have ever recorded, surpassing even that spike that we saw in the first quarter of this year when a bit over twenty-two hundred victims were posted.
(DESCRIPTION)
Chart: "Ransomware victims posted on leak sites - Quarterly comparison." Line chart with a yellow line plotting total ransomware leak site victims by quarter. Y-axis labeled "Total," ranging from 0 to 2,500. X-axis shows eight quarters across two years: Q1 through Q4 2024, and Q1 through Q4 2025. Data points: Q1 2024: 1,066. Q2 2024: 1,244. Q3 2024: 1,251. Q4 2024: 1,654. Q1 2025: 2,241. Q2 2025: 1,485 (dip). Q3 2025: 1,658 (rebound). Q4 2025: 2,453 (new record high). Source: 2025 Q4 Cyber Threat Report. Travelers logo upper left. Joshua Doguet visible in video inset, upper right corner.
(SPEECH)
To put that in perspective, Q4 represents a forty-eight percent increase over Q3 and also a forty-eight percent increase compared to Q4 of last year. We zoom out to look at the full year. 2025 was the most active year on record. We tracked about seventy-eight hundred total victims posted to leak sites across the four quarters, a fifty percent increase over 2024's total of about fifty-two hundred victims. The long term trend line that we have been watching since 2021 continues to point upward, and 2025 didn't just follow that trend. It definitely accelerated it.
(DESCRIPTION)
Chart: "Ransomware victims posted on leak sites - Five year quarterly comparison." Line chart with a red line tracking total ransomware leak site victims by quarter from Q1 2021 through Q4 2025. A gray dashed trend line shows the overall upward trajectory. Y-axis labeled "Total," ranging from 0 to 2,500. X-axis shows quarters grouped by year: 2021, 2022, 2023, 2024, and 2025. Data points from left to right: Q1 2021: 535. Q2 2021: 832. Q3 2021: 696. Q4 2021: 985. Q1 2022: 650. Q2 2022: 667. Q3 2022: 648. Q4 2022: 697. Q1 2023: 882. Q2 2023: 1,215. Q3 2023: 1,329. Q4 2023: 1,185. Q1 2024: 1,066. Q2 2024: 1,244. Q3 2024: 1,251. Q4 2024: 1,654. Q1 2025: 2,241. Q2 2025: 1,485. Q3 2025: 1,658. Q4 2025: 2,453. Source: 2025 Q4 Cyber Threat Report. Travelers logo upper left. Joshua Doguet visible in video inset, upper right corner.
(SPEECH)
So, what's our outlook for 2026? Well, in short, unless we see a major shift in the law enforcement posture of those countries where most of these criminals operate or some kind of meaningful drop in the economic returns from ransomware, we expect activity levels to remain elevated. We may see quarter to quarter volatility like we did earlier this year, but the structural incentives driving this activity just haven't changed. And if anything, the ecosystem has become more efficient.
(DESCRIPTION)
Joshua Doguet. Senior Manager, Incident Response Intel, Travelers.
(DESCRIPTION)
Chart: "Most active ransomware groups: Q4 2025 - By leak site victims posted." Vertical bar chart with ten ransomware groups along the X-axis and leak site victims posted on the Y-axis, ranging from 0 to 600. Bars with diagonal hash marks indicate a quarter-over-quarter increase; solid bars indicate no QoQ increase. Results from highest to lowest: Qilin: 551 (dark navy, QoQ increase). Akira: 234 (light blue, no QoQ increase). Sinobi: 148 (red, QoQ increase). INC Ransom: 119 (yellow, no QoQ increase). CLOP: 119 (blue, QoQ increase). SAFEPAY: 98 (dark green, no QoQ increase). LockBit 5.0: 93 (teal, QoQ increase). DragonForce: 77 (orange, QoQ increase). PLAY: 75 (green, no QoQ increase). Devman: 69 (pink, QoQ increase). Legend shown: diagonal hash marks for QoQ Increase, solid for No QoQ Increase. Source: 2025 Q4 Cyber Threat Report. Travelers logo upper left. Joshua Doguet visible in video inset, upper right corner.
(SPEECH)
Now I wanna talk about, the groups that are behind these numbers because the story of Q4 is really the story of one group, and that is Qilin. Qilin claimed five hundred and fifty-one victims in Q4 alone. That's more than double its Q3 total of two hundred and seventy-one. That five-fifty-one figure represents about twenty-two percent of all ransomware activity globally during the quarter, making Qilin the most dominant single group that we have seen since LockBit was at its peak. Over the full year, Qilin posted about eleven hundred victims. That's a staggering five hundred and forty-two percent increase over its 2024 total.
The primary driver of Qilin's surge was the absorption of experienced affiliates from RansomHub, which dissolved in April of last year following law enforcement action. When RansomHub went dark, it left behind a network of skilled operators who needed a new platform, and Qilin was well positioned to recruit them. Qilin offered competitive revenue sharing arrangements, a technically sophisticated platform, and mature infrastructure. Based on the numbers by Q4, we can see that that fully integrated affiliate network was operating at peak efficiency.
What's notable about the RansomHub to Qilin migration is that it represents a shift in how the ecosystem responds to disruptions. When LockBit was disrupted through Operation Kronos in early 2024, affiliates scattered across dozens of smaller operations. But this time, affiliates seem to have consolidated around a single platform. That suggests that the market has matured to the point where experienced operators prioritize stability and sophistication over decentralization.
(DESCRIPTION)
Joshua Doguet. Senior Manager, Incident Response Intel, Travelers.
(SPEECH)
Beyond Qilin, a few other developments we think are worth highlighting. So Akira remained a strong and consistent presence throughout Q4. They posted two hundred and thirty-four victims. Beginning in Q3 and leading into Q4, Akira continued its campaign of targeting environments using vulnerable SonicWall VPN devices. And over the course of the year, it too likely absorbed some of those ex-RansomHub affiliates.
Meanwhile, Sinobi, a relatively new group, exploded from forty-six victims to a hundred and forty-eight in Q4. That is a two hundred and twenty-two percent increase that we are watching closely. Clop resurfaced with a hundred and nineteen victims after a period of relative dormancy, which is always concerning given their history of exploiting zero-day vulnerabilities in enterprise software. And we also saw the emergence of LockBit 5.0 with ninety-three victims. That's an attempt by remnants of the old LockBit operation to rebuild under new branding.
In all, six of the top ten most active groups in Q4 were either new entrants or groups that experienced significant growth during the quarter. So while we are seeing consolidation at the top with Qilin and Akira, innovation and new entry at the edges of the ecosystem remain constant.
(DESCRIPTION)
Chart: "Ransomware Claims & Proactive Alert Impact." Dual-axis chart tracking Akira ransomware claims at Travelers alongside global Akira leak site victims from January 2025 through December 2025. Blue bars represent Akira ransomware claims at Travelers; red line represents global Akira leak site victims. Two vertical dashed lines mark key alerting events: "AUG 14 VPN Alert 1" and "SEP 22 VPN Alert 2." Blue bars are highest in August 2025, with a notable decline following the alerts through Q4. Annotation text: "Partnership with the Claim team enabled enhanced SonicWall alerting in September, which enabled Travelers policyholders to address vulnerabilities that could have lead to Akira-related attacks." Travelers logo in lower right corner. John Lippe visible in video inset, upper right corner.
(SPEECH
Finally, I wanna touch on what we're seeing from the initial access side of the equation, specifically the role that poorly secured VPNs continue to play in enabling ransomware attacks. VPN credentials, particularly those for Fortinet, SonicWall, and Cisco products, remain the dominant access type being sold by initial access brokers throughout Q4.
One trend that does stand out is the relationship between SonicWall vulnerabilities and Akira. So intel gathered by a vendor partner during Q4 indicates that Akira compromises many of its victims through CVE exploitation of SonicWall devices, with roughly a quarter of intrusions coming through brute forcing or configuration weaknesses that persist even on patched systems. These weaknesses include things like default SSL VPN groups left enabled, exposed SonicWall virtual office portals that allow MFA enrollment with valid credentials, and legacy local accounts that were never reset after firmware upgrades.
The last point is important, and I emphasized it during last quarter's webinar, which is that patching alone is not enough. Persistent configuration issues like password carryover from older firmware, like default user groups, like old admin accounts, these issues create an attack surface that survives patching.
One thing I would also wanna flag is our intel partner observed a notable shift in access broker activity during December, where Fortinet VPN access surged to sixty-five percent of all offerings. That's up from about thirty-one percent in October and sixteen percent in November. So that's a pretty significant jump and is something that we are going to be watching closely in the quarter ahead. All in all, looking ahead, we expect VPN based initial access to remain the primary entry point for ransomware operations.
(DESCRIPTION)
Lauren
Speaker 2
(SPEECH)
Speaker 4
Awesome. Thank you so much, Josh. So understanding what was driving ransomware and ransomware group activity, you know, we talked about VPNs a little bit. Fayon, with VPNs continuing to play such a major role in enabling ransomware attacks, we wanted to spend some time diving into the what's and the why's. What is VPN technology really? And why are VPNs such a common initial access factor? So if you could please walk us through some of that, that'd be great.
(DESCRIPTION)
Slide: "What is VPN technology, really?" Dark teal left panel with slide title. Right panel shows a globe illustration with location pin icons and user/device icons connected by dotted
Speaker 2
(DESCRIPTION)
Fayon Atkinson. Senior Manager, Cyber Risk Services, Travelers.
Speaker 2
(SPEECH)
Speaker 5
Absolutely, Lauren. So before we get into why with VPNs, let's get a baseline of, you know, exactly what VPNs are. Right? It's a term that's often, you know, thrown out there without a full explanation of what it is. So VPN at its core, by definition, virtual private network, it's really about, you know, doing these three things.
First, it's creating an encrypted or private connection. What that means is essentially that the data that is passing through is protected. Secondly, it's about network connection. So it's allowing your device to communicate with a company system or resources without being in the office physically. And the last thing here is the virtual part. So that virtual private network, right, it makes it very, very powerful for modern work. So it doesn't matter where you are physically. You can be at home, at the airport, at the coffee shop. You know, VPN bridges that gap and connects you securely with the organization's environment. That combination is why VPN is, you know, very, very popular today, especially as remote work exploded. Think, you know, back during the COVID pandemic time. Everyone was on VPN. And that solves a really, really major problem at that time.
But there's issues here. Right? And that's where I wanna dive into sort of that threat side of this conversation. That same level of accessibility that, you know, VPN allowed became very attractive to attackers. Right? VPN is Internet facing. So what that means is you need the public Internet to do your job. And that also means if you have Internet, attackers have Internet. And so they have these Internet scanning tools that can find a VPN with little to no effort. There's no hiding it. So they're often out there finding these VPNs because, again, the Internet and the technology behind it makes it super easy for them.
So with that level of accessibility and Internet facing nature, the reality is organizations lack, you know, what Josh mentioned here, they lack their patching for VPN infrastructure. And with patching comes a lot. So with patching, there is some consideration around downtime, coordination. There's potentially a change management cycle. And in a lot of environments, that process can be really, really slow. Attackers, they know this. Right? And so they're often looking at vulnerabilities, and they move really, really fast when they find them. Sometimes faster than an organization's security or IT team can actually get in and respond to these vulnerabilities. And that's what makes this even more concerning.
From what we've seen, attackers are often using the same playbook. And by playbook, I mean, like, a set of well understood techniques that they can optimize and operate at scale. Back in the day, they were waiting around for the brand new zero day vulnerability to drop. They're not doing that anymore. They're essentially taking the known vulnerabilities, known misconfigurations, and known weaknesses, and systematically just running exploits across a number of targets. So when we talk about VPNs in that context of what we're talking about here today, we're talking about what that perfect storm looks like. So critical, like, it's always on. It's Internet facing, so it's visible to the Internet. It's usually oftentimes under-maintained and targeted by attackers with efficient and scalable methods. So it's super easy for them.
(DESCRIPTION)
Slide: "VPN Vulnerabilities: The Perfect Storm." Three labeled boxes stacked vertically against a stormy background image. Box one in bold red: "Always-on and internet-facing." Description: "VPNs are publicly reachable by design‚ instantly findable by basic scanning tools." Box two in bold
Speaker 2
(DESCRIPTION)
Lauren Winchester. Head of Cyber Risk Services, Travelers.
Speaker 2
(SPEECH)
Speaker 4
Yeah. So I I mean, I think you raised really good points there. Right? Like, if we we do alerting on this. Right? If we can see it, so can threat actors. Right? That's part of the problem‚ that always on and Internet facing. You know, and we we talk a lot about how AI is gonna be used by good and bad actors to make their lives more efficient, to make them faster. Right? So, as threat actors start to leverage AI in identifying vulnerable VPNs or, you know, a new vulnerability gets put out there and they're able to start to turn around real quick and find which organizations are going to be vulnerable to that, we can expect this frequency to continue, I would imagine, because they're pretty easy to find.
And so, you know, we will get back to Fayon in a little bit to talk a bit more about what securing a VPN looks like and how you can, whether you're a leader at your company or if you're an agent or broker with your clients, talk about all of this. But, hopefully, this gives you a better sense of just why this is happening and why these perimeter devices are so popular among threat actors to exploit. So thank you, Fayon.
Let's go over to John, and talk a little bit about our claim activity. So, John, now that we have a better understanding of VPNs and why they're a target, what are you seeing in our claims data?
(DESCRIPTION)
Chart: "Ransomware Claims & Proactive Alert Impact." Dual-axis chart tracking Akira ransomware claims at Travelers alongside global Akira leak site victims from January 2025 through December 2025. Blue bars represent Akira ransomware claims at Travelers; red line represents global Akira leak site victims. Two vertical dashed lines mark
Speaker 2
(DESCRIPTION)
John Lippe. Director, Cyber Forensic Claim, Travelers.
Speaker 2
(SPEECH)
Speaker 6
Yeah. So a close review of the last five months of 2025, in our ransomware casework where we identified the threat actor group and we engaged an incident response expert vendor, seventy percent were SonicWall SSL VPN edge devices. When we layer in additional VPN exploitation for Fortinet and Cisco, that percentage went up to eighty-five percent of our claims were attributed to SSL VPN exploitation as that initial access.
In addition, many organizations are leveraging VPN technology for point-to-point networking. So they're connecting branch offices or different business operations. In several of our claims, we saw these SonicWall VPN devices also being compromised, and that would expose the broader network to these ransomware groups. And that can dramatically expand the blast radius when we're talking about these types of attacks, causing larger organizations and their operations to come to a screeching halt.
This threat is very real. We're seeing it in our claim data. If you're a CEO, CFO, or a risk manager out there in the audience, I urge you to pay close attention to the team. You know, these threat actors have developed automated scanning capabilities that Fayon discussed, and they can quickly locate the SSL VPN appliances just sitting there out on the Internet. This opportunistic approach has really led to a high frequency of these attacks in our claim data.
The majority of our ransomware claims involved Akira exploiting SonicWall VPN devices in Q3, and that trend kind of continued into Q4. While Akira still represented, and was present in our ransomware casework, we're seeing Qilin, we're seeing Sinobi, Lynx, INC, Dragonforce, and a few other threat groups trending in our claim data. As I reflect on the investigative work that our IR expert vendors are doing, and Josh touched on this, that initial access vector where they gain that initial foothold into the environment continues to be public facing, Internet facing remote services. This is that primary beachhead for the initial access brokers, and that quickly leads to these ransomware and system intrusion claims, Lauren.
(DESCRIPTION)
Speaker 2
Lauren Winchester. Head of Cyber Risk Services, Travelers.
Speaker 2
(SPEECH)
Speaker 4
Yeah. That makes perfect sense, John. And seeing that in our claims, obviously, you know, you can kind of see why the leak site data is presenting as it is. But on that, do we see a correlation or a trend between leak site activity and our claims? You'd think they would go hand in hand. Right?
(DESCRIPTION)
Speaker 2
John Lippe. Director, Cyber Forensic Claim, Travelers.
Speaker 2
(SPEECH)
Speaker 6
Yeah. What's really interesting is we're actually experiencing the opposite. So as I looked at Q4, our ransomware casework and our claims dropped off to more average levels of caseloads in November, December, and that's continued into January.
I think, you know, as we continue to elevate our proactive alerting and our outreach on these specific threats for our customers, our ransomware claims with Akira, you know, who dominated the claim activity in August, September, October, we've seen their claim numbers significantly decline in Q4. Along with Akira, World Leaks, and other ransomware groups have adopted similar playbooks, and they're targeting the same edge VPN infrastructure. You know, as we get that credible threat intel from the dark web and we alert our customers about these compromises, it seems like we're having a very positive effect reducing the frequency of these claims.
(DESCRIPTION)
Speaker 2
Lauren Winchester. Head of Cyber Risk Services, Travelers.
Speaker 2
(SPEECH)
Speaker 4
That's great to hear. And I know Qilin also obviously relied on SonicWall as well. But like you said, what we were experiencing in our claims was a big tie between Akira as a group and leveraging SonicWall VPNs and vulnerable VPNs or those that didn't take the extra step of refreshing passwords after they might have patched an old vulnerability. Right? So it is really great to see this kind of inverse correlation happening here where, you know, maybe our alerts had some impact, being able to see that early in claim and turn around and tell our policyholders about that. Because if we look back to the August and September alerts, we didn't even have a specific vulnerability to call out on SonicWall. There were old ones. There was this theory on, you know, if you patched but didn't fix your passwords, then you were still vulnerable. Right? So we were trying to figure out as we went what was really driving this. And I think, never drove to perfect clarity on that either, by the way. But, it is great to see that the Akira instances of that dropped off following our alert.
Alright. So I think claim stories are also really instructive and folks on this call can always appreciate some really good case studies. So John, can you also walk us through some case studies that can illustrate the impact of alerting?
(DESCRIPTION)
Slide: "Automotive Equipment Distributor - Northeast." Four-step process diagram on a dark navy blue background. Step one, padlock icon: "Travelers issued an Imminent Threat Alert after detecting compromised VPN credentials." Step two, email and shield icon: "Policyholder immediately secured access by terminating sessions and disabling compromised accounts." Step three, search and server
Speaker 2
(DESCRIPTION)
John Lippe. Director, Cyber Forensic Claim, Travelers.
Speaker 2
(SPEECH)
Speaker 6
Sure. So here's an example of a midsize customer, an automotive equipment distributor out of the Northeast. In mid October of last year, Travelers sent out an imminent threat alert to this policyholder after uncovering credible threat intel that threat actors were attempting to sell credentials of three user accounts for the company's SSL VPN technology, including one with admin level permissions. And we know elevated permissions are very attractive to the ransomware affiliates that are operating in these groups.
Acting quickly upon receipt of that alert, the policyholder terminated all the active VPN sessions. They disabled those impacted user accounts and began following our guidance on preserving the logs, the digital evidence around the logging of that infrastructure. They immediately began working with our claim team and our industry leading incident response firms.
And very quickly we were engaged working with them. The incident response firm reviewed the extent of that unauthorized access, and they assessed the extent of the activity that was going on. They were able to get containment and eliminate any further threat very quickly, before any lateral movement occurred, before there was any exposure of sensitive data or any further impacts to the business computing infrastructure. As a result of that rapid alert and decisive action by the policyholder working with our claim professional and our experts for the investigation, we were able to contain the threat, and this matter did not escalate into an event involving encryption or sensitive data exfiltration by the ransomware group. So within a few days, the executives at the company were breathing a sigh of relief, and the incident did not turn into their nightmare scenario. We consider this a light touch engagement‚ very limited costs and expenses on this one, approximately $23,000.
On the flip side though, let's look at another ransomware claim where the customer wasn't quite as engaged with our alerting.
(DESCRIPTION)
Slide: "Commercial Mechanical Construction Firm - Southeast." Four-step process diagram on a dark navy blue background. Step one, padlock icon: "Threat actors gained access via an SSL VPN after exploiting an account without MFA." Step two, email and shield icon: "The attackers encrypted systems and exfiltrated business-critical data." Step three, search and server icon: "The policyholder engaged legal, forensic, restoration and negotiation support through Travelers." Step four, key and device icon: "With backups unavailable, the policyholder paid a ransom to obtain decryption tools." Result shown at right: "$725K*" with a red shield icon. Text below asterisk: "Current third-party services costs (expected/budgeted to date): $165,000. Estimated ransom cost: $560,000. Total projected cost: $725,000." Additional text: "Approximately 800 individuals were notified and offered credit monitoring." Travelers logo in lower right corner. John Lippe visible in video inset, upper right corner.
(DESCRIPTION)
John Lippe. Director, Cyber Forensic Claim, Travelers.
(SPEECH)
So this is an example of a claim involving a commercial mechanical construction firm in the Southeast. In the end of October last year, it was over a weekend. We had a threat actor group that gained initial access into the policyholder's environment through their SSL VPN appliance. Later analysis by the IR experts revealed the threat actor had used a brute force attack to get through the first layer of authentication. And since multifactor authentication was not being enforced on that service account, the threat actors had very little friction to stop them in their initial attack.
Once they compromised the VPN appliance, it took less than ten to fifteen minutes for the threat actor to harvest additional credentials and start to move laterally into the active directory domain controller environment and the VMware virtual environment.
The threat actors were using sophisticated scripts that really blend in. We call this living off the land where they're executing PowerShell and remote management tool scripting, and identifying sensitive data shares so they can stage the sensitive data for exfiltration out of the network. Threat actors also used those recon techniques to identify the organization's backup data repository, which they quickly compromised and destroyed, rendering recovery from backup virtually impossible.
They executed the final stage of the attack when they detonated the ransomware payload, and that encrypted the servers, their domain controllers, and the VMware hosts, leaving ransom notes on screens across the environment. As the employees arrived to start the business day on Monday, they realized their worst nightmare had become a reality.
Upon contacting Travelers, the policyholder engaged our expert vendors for legal, forensics and incident response, restoration, and threat actor negotiation services. The Travelers team was supporting the policyholder throughout this whole process, a process we perform hundreds of times per quarter with our IR and breach coach experts.
The knowledge that the company's data backups were inaccessible due to the extent of the wiping led the policyholder to elect to pay a ransom to obtain a decryption tool to recover business operations as quickly as possible. Along with forensic investigation and recovery operations, e-discovery and some data mining work was required, so that the customer and our legal experts could fully understand the data that was taken and stolen, its sensitivity, and the potential for regulatory exposure to the company. The policyholder ended up issuing notifications and offering credit monitoring to approximately eight hundred individuals on this claim.
I think the initial budget was somewhere around a hundred and sixty-five thousand, but that quickly expanded, and I continue to see a long tail on these claims. Adding the data mining, it's grown from there. You know, I think this claim now, the expenses are upwards of a million, but it's not uncommon for these scenarios to see one to two million dollars in expenses incurred. So it's, it can be shocking, Lauren.
Speaker 4
A tale of two claims, truly.
(DESCRIPTION)
Lauren Winchester. Head of
Speaker 2
(SPEECH)
Speaker 3
Yep.
Speaker 4
You know, I I I'm so glad to see the impact that we can have with some of these alerts. And, obviously, we're not gonna be able to catch it all. Right? But we are investing a ton in alternative sources of data and the ability to hopefully be able to alert policyholders to imminent threats. And on that, you know, I think a little bit more of a dive on what our alerts are because we have gotten some questions as well in the chat. So, Josh, can you help us understand what types of alerts we send here, so that the folks that receive them on this call know how to action them? Or if you're an agent or broker on this call, understanding the types of alerts that your clients might receive?
(DESCRIPTION)
Speaker 2
Joshua Doguet. Senior Manager, Incident Response Intel, Travelers.
Speaker 2
(SPEECH)
Speaker 3
Yeah. Absolutely. So like you said, us, the cyber services team, operates a pretty active alerting program here at Travelers. We send periodic alerts about known threats that we detect in our policyholders' environments, things like exposed RDP or Telnet services. We also send alerts when we receive information indicating that credential stealing malware is present in a policyholder's environment or when we observe that the policyholder has been posted on a ransomware leak site.
But what I wanna touch on today, you know, considering the conversation that we've had so far, is those alerts that are specifically related to VPNs. And when we're talking about VPN related alerts, we're really talking about two categories. So that's vulnerability alerts‚ what we call emerging threat alerts here‚ and access broker alerts, which fall into the imminent threat alert bucket. And I wanna walk through each of those, vulnerability and access broker.
So, first, vulnerability alerts. These nearly always involve common vulnerabilities and exposures, that is, CVEs. Newly discovered security vulnerabilities, they can impact many types of publicly released software, and that includes the firmware and the management software that runs on edge devices, like VPN appliances, firewalls, and remote access gateways. With these devices, our primary concerns are vulnerabilities that allow an attacker to bypass authentication entirely, meaning the threat actor can gain access without valid credentials, or vulnerabilities that enable remote code execution, which allows an attacker to run arbitrary commands on the device from the Internet. Either of these can give a threat actor a foothold in your network without ever needing a username and password. And as we discussed earlier, that foothold is often the first step in a ransomware attack.
Whenever a new vulnerability of this type impacts edge devices that are commonly used by our policyholders, you can expect to receive an email alert from us that explains the threat posed by the vulnerability, that identifies what versions of the software are affected, and it's also gonna provide guidance on how to patch or mitigate that vulnerability. In 2025, we sent more than fifty-three hundred individual alerts regarding vulnerabilities that impacted VPN devices that were used by our policyholders.
The second type of VPN alert that we send out is our access broker alert, and this one is worth spending a moment on. If you were really paying attention earlier in the presentation, you'll recall that I mentioned access broker activity surrounding various VPN products. Access brokers are a specialized class of cybercriminal who operate within the ransomware supply chain. Their role is to obtain unauthorized access to corporate networks, whether through brute forcing VPN credentials, exploiting unpatched vulnerabilities, or harvesting credentials from credential stealing malware. And then they sell that access on dark web forums, often directly to ransomware affiliates. So these access brokers are, in effect, the upstream suppliers that feed the ransomware ecosystem.
A single access broker listing might include a company's VPN host name, a valid username and password, and the details about the type of access. And from there, it is just a short path to ransomware deployment.
So whenever we receive intel that a policyholder's compromised credentials are being put up for sale on these dark web forums, we immediately send out an access broker alert to the affected policyholder, and we're gonna notify them what the impacted account is, the type of access that's being offered. We're gonna urge them to, among other things, lock down that account, reset credentials, and review their logs to understand the extent of any unauthorized access.
What I wanna emphasize really is that while it's very important to patch a VPN related CVE as soon as possible, access broker alerts demand an even greater level of urgency. A CVE alert means that a vulnerability exists out there that could be exploited. But an access broker alert, that means that someone is claiming to already have access to your network and is actively trying to sell it on the dark web. And the window between that listing on the dark web going live and a ransomware affiliate acting on it can be very, very short.
(DESCRIPTION)
Lauren Winchester. Head of
Speaker 2
(SPEECH)
Speaker 4
Yeah. And, Josh, you know, I think one of the things that we do here is we certainly follow up, especially on those access broker more imminent threat alerts. Right? We're not just sending that and forgetting it. We are very much still trying to get in touch with you, or we're trying to get in touch with your agent to get in touch with you. Right? We don't wanna let those lie too long. Versus the vulnerability alerts, the more emerging threat alerts where, yes, it could be used, but we don't know for sure that it's gonna be exploited in a certain amount of time. We're going to send you an alert. And if we start to see claims come in, we may send a follow-up alert to everybody just to make sure that, you know, you saw the first alert and you're aware that this is actually being exploited now, and we're starting to see that come in in claims.
Hopefully, though, if you're using a certain VPN technology, you should be getting this type of alert from your provider as well. Maybe you're getting it from whoever manages your security as well. But we wanna be able to provide you with that additional comfort that we're seeing something, we're gonna say something, obviously. And then, of course, if we start to see it in claims, that's a data point you don't have that we have, if we start to see that come in in claims.
We also got a ton of questions on the alerting process or how do I get signed up for these. So just to clarify, for the policyholders that are on this call, if we have your contact information at the time of underwriting, and if you received an invite to our dashboard, then we have your contact information to send you these alerts. And the good news is they're not happening all the time for everybody. Right? We try to be very bespoke in seeing an actual technology and sending it to you. We also do monthly newsletters so that if we missed you, because we don't purport to have perfect visibility here. Right? We're just doing external scans kind of like threat actors. We will list out in our monthly newsletter some of the alerts that we sent to other policyholders during that month so you can, just in case we missed you or you actually do have that software technology, you can see it.
If you're not sure whether or not you're signed up for the dashboard, you can email us. We'll include the email in the chat here and in the follow-up materials. You can just email and ask. Let us know who you'd like to receive access to our dashboard, receive access to email alerts.
And then if you're a broker or agent on here, we wanna hear from you about what sort of visibility you'd like to see. We do have a separate email that goes out to our agents and brokers that are on record for the account, that says we just sent some of your clients this type of alert. So we do really try to make sure that we have that visibility for our agent and broker partners as well. But hopefully, that clears up some of the questions there. And sorry, Josh, back to you. I cut you off.
(DESCRIPTION)
Speaker 2
Joshua Doguet. Senior Manager, Incident Response Intel, Travelers.
Speaker 2
(SPEECH)
Speaker 3
Oh, no. No worries. I was just about to wrap up. I was just gonna note that in 2025, we sent seventy-five individual access broker alerts to our policyholders, so that's a bit more than one per week. And, of course, we would love to send zero this year, but given the trends that we discussed, that's unfortunately not gonna be the case. So, all in all, just want you to know that we're working hard to have your back even when those best preventative efforts of securing your VPN fall short.
(DESCRIPTION)
Lauren Winchester. Head of Cyber Risk Services, Travelers.
(SPEECH)
Speaker 4
Great. Thank you. Fayon, we've gotten this question, and I knew it was gonna be coming too, about what good VPN practices look like. Right? I think it can be hard as a leader of an organization who doesn't have a technical background to answer the question, are we at risk? Or are we, you know, properly managing our VPNs and doing what we can from a control standpoint? So, can you talk a little bit about what good looks like, what questions companies, you know, leaders can be asking of those that manage their VPNs?
(DESCRIPTION)
Fayon Atkinson. Senior Manager, Cyber Risk Services, Travelers.
Speaker 2
(SPEECH)
Speaker 5
Yeah. Certainly, Lauren. So we've covered quite a bit. Right? We've talked about the data that we see as it relates to threat actors targeting VPNs. We've talked about what VPNs are. So now let's get to the practical side, the question on everyone's mind. So before we get started, I just wanna say, someone could be on the call that manages the organization's VPN, or you could be relying on a third party or your internal IT team. And, you know, that's okay. The questions or the framework that I'll be sharing, it's not meant to be technical. It's more for conversation. And so what we've done is group these into three areas for you to better digest. One is around authentication and access control. The second one is around hardening and patching, and then the last one is around monitoring and your security road map. And just a caveat, don't fret. You will get this in a handout. We've taken the extra step to build in the handout for everyone on this call. So you will have these questions along with, you know, favorable answers that you should look for or what that should look like. So, hopefully, at the end of this, you can talk to your internal IT team or your third party IT or MSP provider, just to understand what you're doing, making sure that what you're doing is correct. And if in the event that you need assistance or additional support, just know that the cyber risk advisory team is here for you, and you can always reach out to us directly via email. And we're just happy to hop on a call to help you navigate or interpret some of these responses.
So let's get into it.
(DESCRIPTION)
Slide: "AUTHENTICATION & ACCESS CONTROL: Key Questions & Recommended Actions." White background with three questions and answers. Question one: "What type of MFA is enforced for all users that access corporate resources via VPN?" Answer in bold red: "Start with phishing-resistant MFA‚ hardware security keys or passkey-based authentication. Go beyond just verifying who is logging in: implement device trust verification so the VPN checks that the device meets your security standards. Layer on conditional access policies that factor in location, time of day and device health to add meaningful friction even if credentials are compromised. Authentication is your first line of defense‚ it needs to be treated as such." Question two: "Are users granted 'broad network access' once authenticated via VPN?" Answer in bold red: "The all-or-nothing VPN model is a liability. Implement Role-Based Access Control (RBAC) so users only reach what they need for their job‚ nothing more. A call center employee doesn't need access to finance systems. Pair this with network segmentation, dividing your environment into zones so a single compromised account can't move freely across your entire network. Think of it like compartments on a ship: one breach doesn't sink the whole vessel." Question three: "Have we disabled default accounts on our firewall / network appliances?" Answer in bold red: "Default accounts are a well-known attack vector that threat actors actively scan for. Audit all firewall and network appliances to confirm default credentials have been changed or disabled entirely. This is a quick win‚ low effort, high impact‚ and should be part of any baseline hardening checklist for new device deployments." Travelers logo in lower right corner. Fayon Atkinson visible in video inset, upper right corner.
(DESCRIPTION)
Fayon Atkinson. Senior Manager, Cyber Risk Services, Travelers.
(SPEECH)
So here we have the first area around authentication and access control. So what is that exactly? The first question that you do wanna ask is what type of MFA is enforced for all users that are accessing the corporate resources via VPN? So MFA, hot topic. Right? It's it's not new, but it still is one of the most exploited gaps that we've seen in incidents. I know we've heard some of those claim examples, and you know, there's always some gaps there.
Having some level of MFA is just the baseline, and it's just not sufficient on its own anymore. I like to say not all MFA is created equal, and the reason for that is because attackers have developed new techniques to essentially bypass MFA. So some of these could be, like, a push notification fatigue where they just keep pushing and bombarding users until they just okay it and essentially bypass that MFA technique.
So what can you do instead? Phishing resistant MFA. That's also‚ you'll probably see a lot of transition within organizations to phishing resistant. So what those are are the hardware security keys and passkey based authentication. These are the golden standard. So if you're not doing that, I recommend you consider doing that.
The other thing here is you could layer on device trust verification. So what that is saying is essentially your VPN is checking that whoever is logging in meets that security standard. So you wanna make sure that device is trusted so they're allowed access into your network. The other piece of this you want to consider is conditional access policies. Conditional access policies take into account location, time of day, device health. You know, so even if they somehow steal the credential, an attacker has to bypass that step of making sure that location and time of day are things to consider, beyond those standard credentials if they're compromised. So, again, authentication, first line of defense, and so you should treat
Speaker 3
it as
Speaker 5
such.
The second question here is around, are users granted broad network access once they authenticate the VPN? So, again, it's VPN. So it's usually that all or nothing model. So once they are connected, it's oftentimes overlooked. So making sure that, you know, everyone once they've connected to the network, they have access, and that could potentially be a serious exposure.
So with that, you want to consider role based access control, or RBAC. This essentially says if a user does not need access to a specific resource, they shouldn't get access to that. So let's think maybe a call center employee. They may not need access to a finance system, so they shouldn't be granted that access. Or let's say a contractor. They shouldn't get access to HR data. So that segmented, based on the role, limits that attack surface.
And then when you top that with network segmentation, which is dividing your environment into zones, you've added a layer of containment again. So you're really isolating the data and the resource based on that user's need.
And then as it relates to authentication and access control, the last and final question is, have you disabled default accounts on firewall and network appliances? I cannot tell you how many times we've seen cases where default accounts were still enabled. And it's something that's missed often. So default accounts on firewalls and network devices are a thing, and you wanna make sure that it's well documented. It's always published. Attackers know this. They're aware of this. And so you wanna make sure you're auditing those devices to confirm that default credentials are changed or disabled, and you wanna make this a part of a routine checklist once you have a new device deployed. So, again, that's pretty low effort, but high impact.
(DESCRIPTION)
Slide: "HARDENING, AUDITING & PATCHING: Key Questions & Recommended Actions." White background with two questions and answers. Question one: "Do we periodically review / audit VPN configurations?" Answer in bold red: "VPN configurations drift over time, especially in environments that have grown organically. Conduct annual audits of your VPN configuration to ensure it still aligns with a reasonable security baseline. Complement this with regular penetration testing to identify gaps before attackers do. What looked secure three years ago may no longer reflect your current threat exposure." Question two: "Are we using the latest VPN software and firewall firmware versions?" Answer in bold red: "Organizations often lag on VPN patching‚ and attackers count on it. Establish a defined service level agreement (SLA) for critical patch application to VPN infrastructure that is faster than your standard cycle: think hours to days, not weeks. Unpatched VPN vulnerabilities have been among the most exploited initial access vectors in ransomware incidents over the past two years." Travelers logo in lower right corner. Fayon Atkinson visible in video inset, upper right corner.
(DESCRIPTION)
Fayon Atkinson. Senior Manager, Cyber Risk Services, Travelers.
(SPEECH)
Alright. So let's jump into the second area, which is around hardening, auditing, and patching. Right? So first question, do we review and audit VPN configurations? I think there was an example about VPN configuration. I know Josh mentioned it. So, again, what are we doing here? Configurations that we set up correctly at the time gradually change. So as your organization grows, you add new systems, exceptions get made. Sometimes you allow stuff for a third party to get access. Sometimes those aren't revisited. So we wanna make sure we secure those things because something you've done five or three years ago may no longer reflect the threat exposure today. So it's easy for configuration to drift over time. And so the recommendations here are pretty straightforward. So one, do audit. You wanna do that annually if you can of your VPN configuration against a reasonable and defined security baseline. You want to complement that with some pentesting. I like to see pentesting done annually as well, and that helps find gaps before an attacker does. And so that's where that configuration piece is taken into consideration.
The second question that I would ask here is, are we using the latest VPN software and firewall firmware version? We help you make this easy. Right? We send vulnerability alerts. Josh went into details about that. And so, VPN patching. Attackers, again, they exploit these vulnerabilities. If there's a lag, of course, it's a tangible and measurable risk. You need to define your SLA for critical patch application for these VPNs. And it should really be really fast, faster than standard patching cycles that you may have. So we're talking hours or days. We don't need you to go weeks without patching a VPN vulnerability. Because, again, it's Internet facing, and we've seen the data. It's the most exploited initial access vector for ransomware.
(DESCRIPTION)
Lauren Winchester. Head of Cyber Risk Services, Travelers.
(SPEECH)
Yeah. And then
Speaker 4
Fayon, like, also easier said than done. We do appreciate you have to do the patch essentially in the evening when folks are offline, and patching can be easier said than done depending on how your network's configured. So, you know, we know this‚ we say you should be patching right away. Right? But the reality is it can be quite difficult. So patching also needs to be informed by how severe that vulnerability might be. You know, if you're getting an alert from us and we're saying we're starting to see it exploited, you really should be trying to put in that patch that evening if you can and getting the folks responsible for your VPN to take that very seriously. But, again, we don't mean to dump on the folks responsible for your organization's VPN and suggest that they're not doing all they can. It is a matter of resources and availability and the ability for the company to keep working. So there are plenty of considerations that go into how quickly you can patch.
(DESCRIPTION)
Fayon Atkinson. Senior Manager,
Speaker 2
(SPEECH)
Speaker 5
Yeah. And I would say definitely follow the best practices around patching. I like to tell organizations to take the risk based vulnerability approach. You know, think through your organization what's critical. And when you're patching, patch a test environment first so you don't break anything. You know, I would hate for that to happen.
(DESCRIPTION)
Slide: "MONITORING & SECURITY ROADMAP: Key Questions & Recommended Actions." White background with two questions and answers. Question one: "Do we monitor for suspicious / abnormal activity?" Answer in bold red: "Active monitoring of VPN logs is essential. Watch for multiple failed login attempts, logins from unexpected geographies, a single account authenticating from multiple locations in a short window and new account creations you didn't initiate. These are early signals of an account takeover in progress. Alerts on these patterns can give you the response window needed to contain an incident before encryption begins." Question two: "What does our security roadmap look like for evolving our remote access solution?" Answer in bold red: "The industry is moving toward Zero Trust Network Access (ZTNA) as the long-term evolution beyond traditional VPN. Rather than opening a broad network tunnel, ZTNA grants access to individual applications‚ continuously verifying identity, device health, location and behavior before every session. For most organizations, this is a multi-year journey, and your existing VPN can coexist with ZTNA during a phased transition. The key is to start now and make deliberate progress, rather than waiting for a breach to force the conversation." Travelers logo in lower right corner. Fayon Atkinson visible in video inset, upper right corner.
(DESCRIPTION)
Fayon Atkinson. Senior Manager, Cyber Risk Services, Travelers.
(SPEECH)
Alright. And to jump back in on the last grouping, like I mentioned, is around monitoring and a security road map. So key questions and recommended actions. So the first question is, do we monitor for abnormal or suspicious activities?
You know, you can have the strong authentication, the solid access controls. You could have really awesome patch management, and sometimes you can still get caught off guard if you're not watching what's going on in the environment within real time. So we do recommend that you do active monitoring of your VPN logs. This includes looking at things such as multiple failed login attempts within a short window, logins from unusual or unexpected geographical locations, a single account authenticating from two different places simultaneously. That is a little strange. So definitely wanna keep an eye out for that. And then if you see new account creations that weren't initiated through normal business processes. So these are the indicators that you'd probably want to take a look at for unauthorized access being in progress. So you wanna definitely catch these early.
And then the last question around this would be, what does our security road map look like for evolving our remote access solution? So like I said, VPN, it's all or nothing. And so if you want to look forward, looking ahead, looking in the future, it's good to have that conversation proactively right now, not after a breach. Right? The direction most industries are moving towards is zero trust network access. So that's ZTNA. Rather than opening that broad tunnel, like we said VPN, it's all or nothing, trusting everything inside, ZTNA sort of hones in on that, and it verifies every access request based on identity, device health, location, and behavior. So similar to what conditional access would do, ZTNA says, it's trust no one. I don't care who you are. We're not trusting you. So that's the future state of what this could look like.
(DESCRIPTION)
Lauren Winchester.
Speaker 2
(SPEECH)
Speaker 4
Now. And, Fayon, on ZTNA, we definitely got some questions in the chat about what do you recommend? Like, where do you go if not VPN? Right? And, again, there's many reasons why a company is still using a VPN. It's gonna entirely depend on what your network looks like, what other devices are within that, what are you trying to protect. But to the extent that your company is ready and willing to look into ZTNA solutions, that's certainly where we recommend you moving. But we understand that's not always going to be practical or available to companies. And so it's just something that, you know, as leaders, you should be asking about the security road map and what it looks like. And are we looking into that evolution and why or why not?
(DESCRIPTION)
Fayon Atkinson. Senior
Speaker 2
(SPEECH)
Speaker 5
Yeah. Yeah. Absolutely. Yeah. It's not going to happen overnight. So definitely, to piggyback from Lauren's point, that's building out your security road map. And, you know, until then, I would say just continue to follow those best practices around securing your VPN. So, again, like I've mentioned, these questions will be provided as a handout for everyone. And so if, again, if you should need any sort of additional assistance or guidance, our team is here. Please reach out to us at [email protected]. That should also be a part of the handout, but please don't hesitate.
(DESCRIPTION)
Slide: "Thank you and Q&A." Travelers logo
Speaker 2
(DESCRIPTION)
Lauren Winchester. Head of Cyber Risk Services, Travelers.
Speaker 2
(SPEECH)
Speaker 4
Right. Thank you so much, Fayon. And just on a personal note, no one else would know this, but Fayon was a last minute add this morning, an hour before our webinar. So massive virtual round of applause for you, Fayon. You did such a great job jumping in on this. So thank you for that. Thank you to everyone who tuned in. So many questions in the chat that I will try and address, you know, as a follow-up, especially if we have your name and email. But thank you for the participation. We do these every quarter. Please join us again, and also look forward to receiving that email with not only our quarterly report that you'll have in hand with our charts, but also the link to the recording of this webinar. And feel free to send any follow-up questions to [email protected]. Our team's monitoring that and can get back to you. But thank you all for tuning in, and we appreciate your time.
(DESCRIPTION)
Travelers logo. Centered. Text: Built for cyber. Website: www.travelers.com/cyber-insurnace Dark blue gradient background. Text: "Travelers Casualty and Surety Company of America and its property casualty affiliates. One Tower Square, Hartford, CT 06183. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. Availability of coverages referenced in this document may depend on underwriting qualifications and state regulations. Case studies are based on actual situations, composites of actual situations, or hypothetical situations. Resolution amounts are approximations of both actual and anticipated losses and costs. Facts may have been changed to protect confidentiality. Copyright: 2026 The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of The Travelers Indemnity Company in the U.S. and other countries."