Facing Today’s Cyber Threat Landscape: Turning Threat Intel into Action
Facing Today’s Cyber Threat Landscape: Turning Threat Intel into Action
May 20, 2026
Wednesday 1:00 p.m.-2:00 p.m. ET
Key takeaways
- In the first quarter of 2026, 84 different criminal groups posted more than 2,400 victim companies on ransomware leak sites on the dark web, according to the Q1 2026 Travelers Cyber Threat Report.
- The number of ransomware victims posted on leak sites increased by 50% in 2025.
- More than 85% of Travelers’ cyber claims from August to December of 2025 involved VPNs as the initial point of entry, the report shows.
- Just as companies are rapidly adopting AI tools, threat actors also are using AI to assist in their attacks.
- Travelers recommends implementing five cyber readiness practices to help protect your organization from new and evolving threats.
Cyber risk experts and claim professionals joined us for a deep dive into the latest quarterly Travelers Cyber Threat Report and the most important trends we’re seeing across the threat landscape, including ransomware activity. They also took us on an in-depth walk-through of a real cyberattack situation. This webinar helps translate threat intelligence gathered by the Travelers team of experts into practical insights to help explain what these trends mean for real-world operations, where organizations are most exposed and which actions can meaningfully reduce risk.

Q1 ’26 Travelers Cyber Threat Report
Nearly half of U.S. workers now report using AI on the job. But rapid implementations often outpace risk management. The issue: Frameworks built to govern conventional software don’t account for the capabilities of current language models. Get the full story in the Q1 ’26 report.
This program is presented as part of the Travelers Institute’s Cyber: Prepare, Prevent, Mitigate, Restore initiative, which promotes dialogue and education to help leaders prepare for and respond to cyber incidents.
Please note: Due to the nature of the replays, survey and chat features mentioned in the webinar recordings below are no longer active.
Watch webinar replay
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
Slide. Wednesdays with Woodward (registered trademark) Webinar Series.
A laptop sits on a desk, in between a small potted plant and a red coffee mug with the Travelers umbrella on it. Text: Travelers Institute. Travelers. Jessica Kearney.
(SPEECH)
JESSICA KEARNEY: Hello, and welcome to Wednesdays with Woodward. I am Jessica Kearney, Vice President for Public Policy here at the Travelers Institute. And I'm standing in for our host today, Joan Woodward. I'm so glad you could join us for this program.
(DESCRIPTION)
Slide. About Travelers Institute (registered trademark) Webinar Series. The Wednesdays with Woodward (registered trademark) educational webinar series is presented by the Travelers Institute, the public policy division of Travelers. This program is offered for informational and educational purposes only. You should consult with your financial, legal, insurance or other advisors about any practices suggested by this program. Please note that this session is being recorded and may be used as Travelers deems appropriate.
(SPEECH)
Before we get started, as always, we'd like to share a quick disclaimer about today.
(DESCRIPTION)
Slide. Wednesdays with Woodward (registered trademark) Webinar Series. Facing Today's Cyber Threat Landscape: Turning Threat Intel into Action. Logos, Travelers Institute (registered trademark). Travelers. Insurance Association of Connecticut (I.A.C.). MetroHartford Alliance. BIG I Independent Insurance Agents & Brokers of America. Connecticut Business and Industry Association (C.B.I.A.). University of South Carolina Darla Moore School of Business. Master's in Financial Technology (FinTech) Program at the University of Connecticut School of Business.
(SPEECH)
And as always, I'd like to thank all of our program partners who've been with us for programs over many months and years-- the Master's in FinTech at the University of Connecticut School of Business, the MetroHartford Alliance, the Connecticut Business & Industry Association, the Risk and Uncertainty Management Center at the Darla Moore School of Business at the University of South Carolina, and the Independent Insurance Agents and Brokers of America, or the BIG I, and also the Insurance Association of Connecticut. Special welcome to all members, students and groups of our partners, and everyone else as well. Thank you for being here.
(DESCRIPTION)
Slide. Cyber. Prepare. Prevent. Mitigate. Restore (registered trademark). Travelers Institute (registered trademark). Travelers. Since 2016, the Travelers Institute has hosted 75 cybersecurity education programs. 14 webinars - 61 in-person events, 44 cities.
(SPEECH)
So through our longstanding educational initiative on cybersecurity, which is Cyber: Prepare, Prevent, Mitigate, Restore, we help small and midsized businesses and public sector organizations learn about ways to improve their cyber readiness. So we launched this series back in 2016. And today marks our 75th program. We've reached tens of thousands of participants across the country, both in person and virtually. And we are so glad that you're here today to partake in the series.
I don't think it's an overstatement to say that we've never seen a more crucial time to become more aware of the cyber threat landscape and to take a proactive approach to cyber readiness.
(DESCRIPTION)
Slide. The cover of a report titled Travelers. Cyber Threat Report, Q1 2026.
(SPEECH)
That's why today, we're going to give a sneak preview of the latest Travelers Quarterly Cyber Threat Report, which is an in-depth analysis of what Travelers experts are seeing in the cyber threat landscape. The report will be officially released one week from today on May 27.
And what the data shows is striking. Q1 2026 was the second most active quarter for ransomware on record, only barely surpassed by the mark set in the prior quarter. The report also includes an uptick in AI-related cyber activity, both external threats to organizations and also the unintentional vulnerabilities created through internal AI usage.
(DESCRIPTION)
Slide. Wednesdays with Woodward (registered trademark) Webinar Series. Three pictures, names and titles. Lauren Winchester, Head of Cyber Risk Services, Travelers. David Kruse, Director, Insurance Alliances, Arctic Wolf. Christine Mapes, Managing Director & Counsel, Bond & Specialty Insurance Claim, Travelers.
(SPEECH)
So to help us unpack what that means and, importantly, what to do about it, I'm joined by three outstanding experts who are going to lead us through an overview of this timely and highly informative report.
Lauren Winchester is Vice President of Cyber Risk Services here at Travelers. Lauren and her team produce the quarterly report and are responsible for translating threat intelligence into practical guidance, which is so critical for both organizations and the professionals who support those organizations.
Christine Mapes, also with Travelers, is Managing Director and Counsel for Bond & Specialty Insurance Claim. Christine works on the claims and incident response side and is a significant contributor to the Report as well. And David Kruse is Director of Insurance Alliances at Arctic Wolf. He joins us from the cybersecurity operations world. Arctic Wolf provides managed detection and response services to thousands of organizations. We'll get his perspective as well.
To kick things off, Lauren's going to give us a brief overview of what the report is, a little history of how it came together, and a bit about the teams that create it. And then we will join all of our panelists on the other side to discuss the report's findings and take your questions. So get those ready, all of your questions. Drop them in the Q&A ribbon on the screen. And Lauren, I will turn it over to you to give us an overview of the report.
(DESCRIPTION)
The three speakers join Jessica on a video call.
(SPEECH)
LAUREN WINCHESTER: Great. Thank you so much, Jessica. So if you're involved in cyber underwriting or brokering, you already know that things move really fast. And we found that our audiences of brokers, agents and policyholders were looking for new data and insights all the time, not just once or twice a year. So a few years ago, we decided to start publishing new data on a quarterly basis, first as articles on our website and then as full reports that we release along with the webinar.
And we draw on third-party data, especially from ransomware leak sites where victim companies' data is posted by the threat actors and then also internal data from our own Claims team and our Cyber Risk Scan. The team that puts this together includes members of my team, the Cyber Risk Services team, our Claim team, our Cyber Fusion Center with our internal cybersecurity experts at Travelers and also our Marketing team. So in the report, you'll find coverage of things that happened in the prior quarter. But we also have longer-term trends that our team is tracking and showing you how that develops over time.
So again, especially if you're here as a cyber insurance agent or policyholder, you should be getting invites to those quarterly threat reports and webinars by email. But if not, you can always look for us on social media and register when you see them pop up.
JESSICA KEARNEY: That's great. So let’s-- I would love to-- for all the folks joining us today, we've got quite a group that's dialing in to hear about the latest threat intel. Let's start with one of the headline numbers, which is that, in Q1 2026, the Cyber Threat Report recorded more than 2,400 victims posted to one of those ransomware leak sites that you just mentioned.
(DESCRIPTION)
A line graph titled Ransomware victims posted on leak sites. Quarterly comparison. The y-axis is titled Total, and ranges from 0 to 2,500 in increments of 500. The x-axis shows Q1 through Q4 of 2024 and 2025, and Q1 of 2026. The line on the graph rises from Q1 of 2024 to Q1 of 2025, drops sharply, then rises again to peak at Q4 of 2025.
(SPEECH)
Put that in context for us. What does a number like that actually mean?
LAUREN WINCHESTER: So that number represents the victims publicly posted to ransomware leak sites. The victim companies who are listed on a leak site, even if they don't ultimately pay and their name is taken down after, are going to appear on these threat actors' leak sites. And it's on the dark web, so not something you and I can just go Google. But they're making these leak sites as an effort to extort their victims and post stolen data.
And so for the actual number, the 2,400 that we saw in Q1, this is the second highest single quarter that we've ever recorded. And it only trails the first highest, which was Q4 2025, so the most recent quarter prior, by only 2% is it trailing. So historically, what we've seen, and you can see it on this graph, whenever we have a peak, we expect activity to drop sharply after. And that didn't happen here. Year over year, we see that Q1 2026 was up 7% over Q1 2025. And Q1 2025 was itself a record back in 2025, in the beginning of 2025.
So the pattern we're concerned that we might be seeing now is that each new high is a watermark that sets a floor for what follows, that it's not some spike that's going to recede anymore. And what that means from a practical standpoint is that this is not just a bad year following a good year. It's a new baseline of elevated activity that organizations need to treat as the operating environment going forward. And a little bit later, we'll talk as to why advances in technology will most likely keep this trend elevated, unfortunately.
JESSICA KEARNEY: And do we know why, in the past, you've seen a decrease after a spike?
LAUREN WINCHESTER: Usually, we would see ransomware activity as somewhat cyclical, and there'd be a lot of activity. And then it's almost a touch-the-stove kind of effect where if threat actor groups got really, really good and hit too many victims at once. Law enforcement might come after them. Or they can go enjoy their spoils and resurface later. So that's something that would cause peaks and recessions in the past.
The other thing that we would sometimes see is a threat actor group might have a specific zero day that they're leveraging and hit a whole lot of companies at once and then again kind of disappear and work on that in the background. But here, with Q4 2025 and Q1 2026 remaining elevated, it's not one single thing. It's not one single group or one single zero day that was leveraged. So I think we're just in a new era here. And I hope I'm wrong.
(DESCRIPTION)
A bar graph titled Active ransomware groups posting to leak sites. Quarterly comparison from Q1 2022 to Q1 2026. The y-axis is titled Total and ranges from 0 to 100, in increments of 20. The x-axis shows Q1 through Q4 of 2022 through 2025, and Q1 of 2026. The bars rise steadily from Q1 of 2022 to Q1 of 2026, with slight drops in Q2 of 2022 and Q4 of 2025.
(SPEECH)
JESSICA KEARNEY: One thing that was interesting to me, when you talk about the threat actor groups-- so the report highlights that there were actually 84 distinct groups going out and committing these crimes, these ransomware and even one group that seemed to be dominant among them. So why does it matter which groups are involved in an attack? And how does that actually increase the number or influence of incident response?
LAUREN WINCHESTER: So understanding the group matters because each of these groups have distinct TTPs-- Tactics, Techniques and Procedures-- that shape how the attack unfolds, what the negotiation is going to look like, and how long remediation might take. So historically, knowing the group gives the incident responders, like David, who's on the phone, an opportunity to know who they're working with, what their ransom ranges were, how they're going to negotiate, whether or not they escalate with harassment tactics or if they stick to their word.
So when we talk about the number of active groups growing in a quarter and having 84 active groups, it's very difficult for our responders to manage. In Q1, there was roughly 20 new groups that appeared for the first time. And that could mean we have some of the actors have no established behavioral history for our incident responders to lean on. And even though some of those new groups are probably rebranded versions of old groups that we've dealt with, the responders have to make their best guesses at who they're actually dealing with and what the experience is going to be, which, again, adds a little bit of chaos to the response compared to when you're dealing with the same groups over and over again.
And a good example is going to be The Gentlemen group. They have 207 victims in their second quarter of existence, and they're globally distributed. They're targeting in different countries than we normally see. There's no prior profile to reference, so it's making it harder on the responders. But David, you can probably comment more.
DAVID KRUSE: Yeah, if we think of threat actor groups collectively, think of them like the playbook for an opposing football team, for example. The more threat actor groups you have in that opposing team's playbook, the more plays you have to learn how to anticipate from them. So if you have a smaller number of groups, there's just a smaller number of patterns that we as incident responders have to identify. So as that number grows, the number of patterns that we are forced to recognize grows. And we've got teams that are doing a very good job at that.
But it is a-- if you have a smaller number of groups, it allows us to identify what types of attack patterns are they using? And we use that as leverage to understand where we need to begin investigations and how we can bring that investigation to an optimal conclusion more quickly. Because if we're dealing with Qilin, for example, we'll know exactly where they tend to start their attacks. And we can start the root point of compromise investigation at that point because we've worked 30 other cases where they've begun their attacks at that point. So that just becomes a-- it becomes a larger challenge with more threat actor groups. But they're certainly capable professionals-- capable of supporting there.
LAUREN WINCHESTER: Yeah. And the only other thing I'd add here too is, when you have so many different groups, it really dulls the impact of law enforcement activity too. So law enforcement's been great about targeting specific groups and doing takedowns of their infrastructure, but when you have 84 distinct groups, that makes it harder for law enforcement to go after multiple at one time. And so we don't get to see that relief from a group being taken down and that pause on their action in the same kind of way.
JESSICA KEARNEY: It's interesting. I like the playbook scenario and using that to try to understand all the unique personalities that you might be dealing with here. And with that, Christine, I want to pull you in because, with all these increasing threat actors and activity, the number of ransomware victims has been increasing over time as well. And I know, according to the latest Threat Report, 2025 saw a 50% increase in ransomware victims over 2024. And I know there's more stats underneath that. So Christine, I'd love, if you're in the position of advising clients on cyber risk, how do you help them understand the magnitude of those numbers?
CHRISTINE MAPES: Yeah, absolutely. Thanks, Jessica. From our perspective, from Claim’s perspective, the businesses calling our hotline are not making the news. They're the manufacturing companies with a few hundred employees or the accounting firm or the contractor that never thought it would happen to them. And we hear it all too often. We're too small. We have great IT. We're not interesting or shiny enough for the threat actors.
But the reality is ransomware groups are not taking that into consideration. They don't discriminate. They're running automated scans to find unlocked doors, and your size or your industry sector is just not going to provide you or afford you protection. And couple that with the fact that your barrier to entry is far lower than it's ever been. Ransomware frequency has increased over 80% since 2022, mainly because of these Ransomware-as-a-Service groups that we've been talking about here today.
And so with that, no industry is exempt. We see claims across multiple industries-- construction, professional services, education, healthcare, wholesale-- you name it, we've seen it. And then when it comes to size, people often say, like I said, we're too small. But again, the reality is sometimes small to midsized businesses are a target because they have weaker controls or fewer dedicated staff, slower patching cadence. And so the landscape has changed greatly. Volume is up. The attacks are landing, and they're costing more.
The other thing that I like to talk about with brokers and clients that I think really makes an impact is to walk them through a claim scenario and the potential complexity and magnitude associated with the event. Oftentimes, people think, well, I'll just, if I get impacted, I'll pay the ransom, and I'll get in, and I'll get out. And that's unfortunately not the case. These matters are complex. And oftentimes, they'll run for weeks or months after the encryption event itself.
So I like to mention or touch upon the various cost categories associated with ransomware claims. And that sometimes brings it into perspective. For example, breach response services, for example, forensics, legal notification, credit monitoring-- 95% of the claims, the ransomware claims that we see are going to engage some type of breach response service. And then you're going to have potentially an extortion payment. Extortion payments, more than half of the payments that we're seeing these days are $200,000 plus. And that's after the negotiation has taken place.
Then you're going to potentially have business interruption associated with your downtime, which is an additional cost, data restoration. If your backups are connected to your network at the time of the breach, there's a strong possibility that you're going to have to rebuild and restore as opposed to just plugging those backups back in. And then, of course, third-party claims, which we'll talk about a little bit later, those are on the rise as well arising out of ransomware and regulatory investigations.
So I think, when you put that all together for clients, they can really get an understanding of the weight and gravity of a ransomware event, and the conversation starts to shift a little bit.
JESSICA KEARNEY: That's great. So I think we've made the case here, amongst the three of you, of the volume problem and the growing number of threat actors. So let's get into some of the actual tactics and look at that a little bit more. I know, as most of us on this webinar are probably very familiar with, virtual private networks or VPNs that we use to remote in to our organization and their computer networks, the report found that, from August to December of last year, 85% of claims studied actually involved VPN as the exploitation initial point.
And so, David, I'd love to go back to you. How does a technology that millions of organizations rely on every day become the leading entry point for ransomware attacks? What does that look like? What do we need to know?
DAVID KRUSE: Yeah, that's a great question. And to a degree, the question almost answers itself. It becomes the entry point because tens of millions of people are using it. I think there's often a misconception that threat actors are these alpha wolf-type intense people. They’re oftentimes pretty lazy, if we're being perfectly honest. But really, the VPNs have become such a prolific attack vector because there are just so many of them.
Like so many aspects of modern living, we trace this back to COVID. Pre-COVID, some of us had remote access. Most of us did our work in the office. And then COVID hit. And all of a sudden, we had a business necessity to expand access to company resources away from the office. So en masse, companies stood up Windows Remote Desktop Protocol and VPNs and got remote access into the hands of their employees wherever their employees were, which was the right decision at the time for all the health and safety reasons that we now know.
But at the end of the day, that greatly expanded what we call the attack surface, which are just the number-- the assets that threat actors can actually target to launch their attacks. So VPNs, like any security product, they're not-- it's sort of ironic to think of it this way. Security products are not often secure by default. When you buy that new product, they are meant to get plugged in and used easily and limit the amount of friction needed for that IT buyer to actually implement that tool within their network.
To actually use that VPN securely, you need to enforce things like multi-factor authentication. You need to make sure that you've got people that are responsible for monitoring for critical patches and updates to that VPN so that, as software bugs are found, they can be patched and remediated on that particular product. So what you have is a complex product that is in the hands of tens of millions of people, that allows a threat actor to more or less walk right in if there's a vulnerability that's not patched or a VPN that's not secured with multi-factor authentication.
So there are certainly responsible ways for using VPNs. That can certainly be done. But it's not a secure-by-default product. Most products aren't secure by default. They are meant for ease of incorporation and ease of operation. And then you actually have to take extra steps to make it a secure product within your environment. That's where leaning on security operations partners can help with that. But that’s-- you think about it with that framing, threat actors like to wash, rinse and repeat their activities. And VPNs present almost a bottomless well of opportunities for them to wash, rinse and repeat their attack tactics. Say that five times fast, attack tactics.
JESSICA KEARNEY: Yeah, so slightly scary, but I like that kind of warning. These are not secure by default, and there's extra steps you have to take. You mentioned patching and MFA. And we're going to get into a little bit more of what we can all do in a moment. Before we go there, Christine, I know you had kindly offered to walk us through an actual case study of one of these VPN cases to really, I think, make it more real for us. So I'd love to hear you share that specific story.
CHRISTINE MAPES: Yeah, that would be great. Thank you. So in this case, again, pick any type of firm, professional services, manufacturing. In this case, it was a manufacturing firm. Real operation, production schedules, vendor relationships-- you name it-- payroll that they have to make, the exact profile that we see in a majority of our claims. In this instance, the threat actor did access-- the initial access was through a deployed VPN.
Here, they were upgrading their VPN. So they were actually doing what they were supposed to do, which is what we asked them to do. However, when they were done doing it, they failed to update their user credentials and enforce MFA on some local legacy accounts. And that left them vulnerable. So sure enough, threat actor, using fancy terminology like credential stuffing and brute force, they basically found that local admin account with the weak password and no MFA. And they walked right in.
So they literally found the door that couldn't verify who's knocking. And they walked right in. And within 48 hours, they had escalated privileges. They had access to servers and backups. And they deployed the ransomware. At that point, that's where we get the call, either the encryption or the extortion event. First call is obviously the most important. And hopefully, organizations realize that-- call your carrier as soon as you find out or that you're experiencing an event.
We immediately deployed resources. Even an hour delay in those types of scenarios can cause additional harm. So we deployed breach counsel. We deployed forensics to assess the scope and the magnitude and to support the containment and the remediation of the event. Immediately after that, the forensic-- and David can speak to this-- the forensic vendor is going to deploy EDR tools or monitoring tools so that they can gain full visibility into the environment so that they can actively threat hunt and eradicate the threat actor from the environment.
There's a lot that goes on in those first few days. And if you've never been through it before, it can be really overwhelming. And that's why we always stress the importance of bringing in the right resources as quickly as possible and involving your carrier. In terms of recovery and impact assessment, the forensic team is going to determine the viability of backups. They're going to determine the client's ability to restore and what that's going to look like and whether or not we need to communicate with the threat actor. And if so, why are we communicating with the threat actor. What do we need, or what do we want to learn?
And of course, our team is going to support the insured through all of that necessary change and information and help and guide them through that process. In terms of critical decision points-- and this is, I think, another point that people may not necessarily realize unless they've gone through it before. There's a lot to consider. First, am I going to isolate my environment, totally take things offline? Or am I going to only isolate a portion?
Second, am I going to really make this ransom payment? And if so, why, and what are the potential implications of that? We also have to work with our-- the insured's going to work with breach counsel to determine any notice obligations. What data was exposed? How was it exposed? All of that. And then, on the back end, this business had to deal with, again, business interruption and a downstream impact arising out of a third-party litigation, so quite a bit that they had to work through. But that's the gist of it in a nutshell.
JESSICA KEARNEY: All of which sounds like, obviously, time is of the essence when something like this is discovered. So you need to have your teams in place and your vendors in place and your partners in place before it happens and know who to call. I know we've had-- as I mentioned, this is our 75th cybersecurity education program. And one thing we always hear time and time again is, have the contact information of the people you need to reach somewhere that's not going to be stuck in your system, somewhere that you can-- that you have it accessible, so just even little things like that.
So yeah, thank you for sharing that. I think it helps make it really real. And then, David, I love your color and perspective, when it comes to this VPN threat and this access point, what are organizations getting right or wrong in terms of what they're doing about it?
DAVID KRUSE: Yeah, great question. So I'll answer that in two ways, one from the perspective of a managed security operations provider and then the other from the perspective of an incident response provider because Arctic Wolf plays in both of those lanes. From the managed security services aspect, I think, when we talk with prospects, when we talk with new buyers that work with Arctic Wolf, oftentimes they get fixated around the risk that exists within the endpoint environment of their organization-- so their laptops, their servers, their workstations, the places where the data lives.
And they focus on that. And it makes sense that they focus on that because that's where the operations happen of the company. Arctic Wolf operates the world's largest security operations center. And what we see on a regular basis is that the first point of attack for-- when a client is being attacked by a threat actor, the first alert that's likely to be-- likely to be generated is going to come from remote access tooling-- for the firewall, the VPN, etc., etc. About 35% of all alerts that we work come from that piece of tooling.
So if an organization isn't thinking about that, thinking about that attack surface when they're building their security operations program, they're really missing an opportunity to stop that threat actor at the moat of the castle before they get to the inner keep of the castle, which is the endpoint environment. So if you monitor your endpoints, that's fantastic. Keep doing that. But we should be monitoring further out than that so that we're not stopping the threat actor when they're at our front door. We're stopping them when they're at the outer moat. And it's just a less dangerous proposition for everybody.
From an incident responder's perspective, one thing we've seen in the thousands and thousands of cases we've worked is that clients, when they go through a cyber claim, when they go through a cyberattack, one of the things they desperately want is certainty. They want certainty that the threat actor is out of their environment. They want certainty that they're safe to operate again. They want certainty that there's going to be a thorough investigation of what happened.
And in order to achieve that last outcome, specifically, the thorough investigation of what happened, an investigator needs evidence. We can't investigate evidence that doesn't exist. So the amount of evidence that we will have access to as investigators is really determined by the decisions the company has made prior to the attack. Do they have logs turned on for their VPNs and for their other systems that threat actors can actually investigate? Or excuse me-- that forensic analysts can investigate to determine what data was stolen, how long the threat actor was in the network, how much data was stolen, when was it stolen-- all of that sort of information that, certainly, as Christine and Lauren can attest to, will impact downstream liability discussions that, if we have certainty around what happened, we at least have a clearer focus of what that liability might look like.
If we end up in a gray area where maybe the insured only had five days' worth of logs or 12 hours' worth of logs, oftentimes, that's not going to be enough to really produce the certain investigation that the client is really wanting in that case. So we recommend clients having at least six to 12 months of logs retained so that, if an event actually happens, the investigators will have enough evidence to provide the certainty that the client is going to want in that particular attack.
JESSICA KEARNEY: The six to 12 months of logs on your VPN system-- and I know from all types of conversations that we've had over the years is that threat actors can actually be in your system for a while before you realize it. So hence the six to 12 months. So we're getting a few questions, including from one of our viewers, Brock, asking about Anthropic and their new AI model Mythos, which has been all over the news, grabbing headlines here and there.
So recently-- and I will let you explain this. But recently, they actually scaled back the release of their newest AI model and only released it to a small set of security and tech companies. For those of us who may not be tracking it as closely, can you share with our audience what Mythos is and how this is different from what we've seen before? Why is this such a game-changer?
DAVID KRUSE: Yeah, that's a great question. So Mythos is a frontier AI model produced by a company called Anthropic. They're one of many AI companies producing similar sorts of models. And what researchers found that Mythos was incredibly capable of was mimicking the behavior of vulnerability and exploit researchers, people that look at entire blocks of computer code and identify, where is there likely to be a vulnerability in this block of code? Where is there likely to be a breakpoint or a bug somewhere within this block of code?
Historically, we'll use one example, Mozilla Firefox. They have been very vocal about their journey using Mythos. They put out a lot of great blog posts about it. So anybody that's curious about it, hop on their blog, and read some about what their journey was like actually deploying this tool. In prior versions of AI tools that they've been using to identify potential bugs in their software, they were finding maybe 20, 22 bugs every time they would run one of these scans. They turned around and ran the Mythos on that same block of code and found 270 bugs, so nearly 10x the number of bugs that could be turned into vulnerabilities within that same block of code.
So it's increasing the amount of vulnerabilities that are likely to be discovered and then pushed out as patches to organizations. So I'm resisting the urge to talk for another 30 minutes about this. But yeah, that's essentially what we need to know is that it's a capable security tool that is finding bugs and vulnerabilities at scale, which will then roll downhill to IT teams that, instead of having to patch maybe five patches a month, maybe they're going to have to patch 30 a month. And that's going to greatly increase the workload of IT professionals at our insureds.
JESSICA KEARNEY: Really changing the landscape and the speed of the landscape as well. Yeah. So again, so thank you for laying the groundwork on that because I know we've all been reading articles about it and monitoring it. How are you seeing these AI-enabled attacks rolling out in the real world? Is AI meaningfully changing the threat picture now, today? Or is it still more potential and coming soon than it is reality?
DAVID KRUSE: That's a really good question, Jessica. And I think it poses an interesting question for investigators because, when we investigate an incident, what we don't see on a malware sample or on a phishing email is a watermark that says, "This malware produced with AI," or "This phishing email produced with AI." That's not quite how this sort of thing works.
So we have to infer based on outcomes that we would expect to happen if the threat actor was actually leveraging AI in their attacks. An analogy that I like to use is, imagine the pizza place down the road buys a new pizza oven. They're not going to slap a sticker on the box that says, this pizza produced with your new pizza oven. But what you'll notice, as you buy pizzas from this pizzeria, is that maybe the pizza gets delivered faster. Maybe it's cooked more evenly. Maybe the product they're delivering is a higher quality, and you don't quite know that there's new pizza, but you know that something has changed.
And that's the type of thing that we've seen over the past few years as AI tools have become more prolific is a gradual increase in things like accuracy and things like capability and things like quality of phishing emails, better grammar, better spelling, things of that nature. So as investigators, we have to infer and say, even though there's not a watermark that says, "This malware produced by AI," if malware is gradually getting better, if phishing emails are gradually getting better, it would then logically make sense that threat actors have found some capability that has allowed themselves to improve their offerings, so to speak.
And maybe they went to school and took English classes and are getting to be better malware writers. Or maybe they're leveraging the same tools that loads of us are using to be better, swifter, faster, stronger at what we do. So that's the type of inference that we make as investigators. Ultimately, it doesn't necessarily change how we investigate or how we defend. But what it does help us all become aware of is the increasing velocity and the increasing effectiveness of these attacks. That rising tide isn't likely to go down. And that's just something that's the new environment that we have to be aware of.
JESSICA KEARNEY: So I can't tell for sure, but there will definitely be subtle signs. I get that. And then, Christine, I know you're seeing this on the front end in claims. So can you weigh in on what Travelers is or is not seeing on the claim side?
CHRISTINE MAPES: Absolutely. To echo David's comments, I mean, AI-powered social engineering is absolutely here. It's not theoretical anymore. Obviously, we can't touch it and feel it just yet, but we certainly know that it is being used. And again, to David's point, the quality and the volume of the business email compromise attacks and the social engineering attacks have increased in ways that absolutely call out AI into the equation.
So your phishing email that's grammatically perfect, that's specifically tailored to the business, that's actually psychologically pleasing to the reader, that's all AI-generated. The other thing that we're seeing here and there is voice impersonation. Normally or traditionally, you would see a clone of a CEO or a CFO's voice contacting an employee saying, hey, I need you to complete this wire transfer now. Now, in addition to that, we're also seeing banks, bank fraud departments.
There is some suspicion that bots are being used in that regard as well. And so, what those-- in that attack, what's happening is you have a fraudster impersonating a bank's fraud department, contacting an employee at an organization, advising that there is some urgent fraud on the business account. And they're here to help and save the day. And they just need to listen to the directions of this individual on the other end of the phone. And they're going to make it all OK, and they're going to resolve the issue. So there is some-- there's some AI-powered voice impersonation in that regard as well.
And then, of course, deepfake video impersonation we know is out there. And we've seen with various executives and executive scenarios. If I had one piece of advice to give here, it would be a secondary verification channel. So anything to do with money, if you could just pick up the phone and call a known number-- don't reply to the email. Don't call the number in the email. Don't respond to the call at all, actually. Just find another independent way to verify that what you're being asked to do is, in fact, authentic.
So that's social engineering. On another front is shadow AI. And there is an associated risk with data exfiltration when it comes to shadow AI. So think of an employee who's pasting sensitive customer data or proprietary data or trade secrets belonging to their company directly into a third-party platform.
They're trying to integrate AI into their daily workflow. That information may be stored or accessible to others as a result of that, which can create a privacy breach or a potential third-party liability for that organization. And that has nothing to do with an actual attacker being involved. It just happens just by your employees adopting these tools without the proper oversight and governance policies.
And then the third one, and I think is the most interesting that we recently encountered was artificial intelligence at the ransomware negotiation table. So here we have some of our ransomware negotiation vendors started noticing recently that threat actor groups may be using AI bots during the ransomware negotiation process. So if you're a skilled negotiator, you can tell pretty quickly whether you're talking to a person on the other end of that keyboard or not. Writing style is definitely a cue.
But more importantly, the giveaway is usually speed. So when you send a message to a threat actor, and they respond in 30 seconds, you're not dealing with a human. Or when you ask a threat actor to take down data from a leak site and it instantaneously disappears, that's most likely not a human. So this definitely changes the negotiation dynamics in a number of ways and certainly why experienced negotiators like all the vendors that we work with, including David's team, are very important in the process.
JESSICA KEARNEY: That's fascinating. And increased speed of change and all of these things, as they're evolving and unfolding so quickly-- and I think, as you were talking about the deepfake scenario, we had somebody in the chat just say-- raise their hand and say, hey, it happened to me. So these are things that people are definitely experiencing and feeling. Lauren, that's actually where I was going to go next was that second realm of AI in terms of the risks that are created within your own organization, potentially, unknowingly, by your own employees using AI.
Can you expand on that a little bit. Christine, I think, set the table nicely, and I'd love to hear a little bit more on that.
LAUREN WINCHESTER: Yeah, absolutely. I think a lot of the scary AI use by threat actors can grab headlines. But what we're seeing is, at the same time, a fundamental, rapid adoption of different AI tools by companies across the country, across the world, really. We have in our report that 43% of U.S. workers now use AI on the job as early as 2026, which is up from 37% just months earlier.
And when you put that in context, if you think about the PC adoption cycle, when we were all getting computers, only 25% of workers were using PCs. That exposure isn't just, what are employees doing with it if it's sanctioned? We're really seeing a couple of patterns of how organizations are adopting it and where that risk comes from. So you have conservative organizations who are just straight-up banning or restricting generative AI officially.
And when that happens, you risk employees using it anyway, whether it's on their personal devices, off network, sending data separately to be able to leverage it. So taking a very restrictive approach often ends up with your data going outside your network.
Permissive organizations are another category in and of themselves where you're letting employees use whatever AI tools they want. And the result can be that you've got overlapping tools. You've got unpredictable interactions and data flows. And you're accepting a risk of data going into all these different tools that you've technically sanctioned, but have you really vetted them?
And then we also see early adopters who sanctioned specific tools but with very few guardrails. And so employees might start building AI agents and apps. And then the organization is losing track of what's running and what data it can access. So unlike when conventional software was rolling out, AI tools are fundamentally probabilistic, and open-ended as opposed to really definitive and running the same code every time. So they're not going to behave the same way for every user every time.
And governance frameworks that we built in the past to assess software that's deterministic won't necessarily translate to the moment now. Christine mentioned shadow AI. There was an unfortunate example recently of a bank that actually filed an 8-K to say that they had a security incident where an employee took sensitive company data and put it into an unauthorized AI tool. So that's the example of, if you prohibit it, they might do it anyway.
And then, I think we're going to see more of that, ultimately, coming through in our claims or outside our claims. So yeah, we can't understate the moment that we're in right now with companies rapidly adopting this. And there's a lot of steps they can and should be taking. But it's all new territory.
JESSICA KEARNEY: So I want to hold that for a minute because I know we've got a few slides coming up for the audience exactly on that. So what should organizations be doing? I'm not going to hide the punch line here.
I want to open it up to you and David just to kick us off on some of these practical, tangible things that organizations and any leaders and managers on the phone can start utilizing, especially with these new AI models that are rolled out, Anthropic's new models. What should they actually be doing? Why don't you kick us off, you and David, on those practical steps?
(DESCRIPTION)
Slide. Defending in the Age of AI Cyber Threats. Timely Vulnerability Management. Rapid detection and response - MDR. I.A.M. and least privilege. Tested and immutable backups strategy.
(SPEECH)
LAUREN WINCHESTER: Yeah. So I think, first, when we talk about how we defend against AI cyber threats as opposed to what I was just talking about where organizations are rapidly adopting-- but when we're defending against AI cyber threats and the use by threat actors of AI, the good news, from my perspective, is it's really still about the basics right now. And I don't mean that to be a dodge. But it's actually quite reassuring that the current evidence doesn't suggest that Mythos meaningfully changes your near-term goals with your perimeter and how you defend it.
It will fundamentally change the number of vulnerabilities and how quickly companies need to be working. But what you need to be doing is patching faster. So one of the problems is, companies already patch pretty slowly and might not have robust vulnerability management programs, which is why we see ransomware claims, which is why we see VPNs getting hit. Because a new vulnerability will come out. If companies don't react quickly enough, threat actors are right on that and using it already.
So expect that to-- threat actors to use AI, to find vulnerable companies faster once they find the vulnerabilities and exploit them faster. So you all need to patch faster and focus on the vulnerabilities that matter most. There's going to be an onslaught of vulnerabilities to address in the coming months and year, from security companies, software developers. You need to know which ones are most likely to be used by a threat actor to affect a cyberattack and make sure those are what you prioritize.
And we help our policyholders do that. We're constantly reviewing what new vulnerabilities come out and making a judgment call on whether or not a ransomware threat actor is likely to use it. So I think we can help there, of course. But that's how you should be thinking in terms of your vulnerability management is, how do we do this faster? And which ones are the threat actors going off of?
And then, I think, understanding that AI isn't going to be some magic key that bypasses really secure, good hygiene companies. It's an accelerant of the attacks that were already possible or the methods that we're already constantly seeing. So the things that we preach about-- multi-factor authentication and phishing-resistant multi-factor authentication, having really strong identity controls. So if a threat actor gets credentials and comes into your network, those credentials don't give them the keys to the kingdom and let them do things at an administrative level.
And then, segmenting your network, having really good backups-- it's all the basics we preach, but do them, and do them well. And that's going to be your best bet in this kind of new era. But curious if David thinks I'm wrong there because I know it is a scary threat.
DAVID KRUSE: No, no. What piece that I want to zero in on is, you bringing up the vulnerability management aspect and then specifically the vulnerabilities that threat actors are most likely to use. I think we could even take that a step further and say, we want to focus on the vulnerabilities that threat actors are most likely to use on business-critical systems.
So there's a train of thought that exists within the security world that says, we need to wrap business context around any technical vulnerability. So if it's a 10-out-of-10 vulnerability that we know threat actors are going to be going for, we should prioritize a patch on that if that vulnerability exists on a business-critical system. If that vulnerability exists on a system that kind of is off doing its own thing, is segmented from the network, isn't really a critical thing, well, that business context is important because we know that IT teams have limited time and limited staff.
So the more we can direct them towards the activities that are actually going to make a meaningful difference, the better position we're all going to be in. There's another train of thought that exists within the security world where we assume a breach. We assume that a compromise is going to happen at some point. Because the reality is, for most organizations, in any five-year cycle, there's going to be some event that happens. So having a robust managed detection and response capability is important because threat actors are very good at taking advantage of our vulnerable moments.
When we look at the alerts that we respond to on a weekly basis, we respond to something like 9 trillion security data point events over the course of any given week. The two-thirds of those alerts come through during evenings and weekends, for U.S. working hours, and things like holidays and Thanksgiving and Christmas and Super Bowl Sunday. Those tend to be the busiest days of the year for incident responders like us.
So if you don't have necessarily the internal team or the internal tooling to be able to respond during those vulnerable moments, during those off hours, that's going to be the time where threat actors are most likely to try and compromise the company. So making sure you have an MDR solution that can protect in those moments when you are at a wedding, you're at your kid's soccer game, having somebody watching that network when you're not. That's important to monitor those off moments when you're out living your life.
LAUREN WINCHESTER: Yeah, and I think we had gotten a question earlier on before the webinar that said, should we be fighting AI threats with AI? And I think, for the most part, like I said, basics, folks. But this is one area where AI can fight AI really well. The managed detection and response tools that David's talking about, it's-- antivirus software isn't cutting it anymore. You need to have a tool sitting on your endpoints with AI embedded that's looking for anomalous behavior and saying, that's weird. Shut it down.
And that's your best way of detecting an intrusion once it's in your system. So if we know threat actors are going to get faster at these types of attacks and might beat you to the punch on patching, what's the next layer? The next layer is something in your network that's flagging it fast and then configured properly. So for any of you who are nontechnical, of which I'm sure there's many, go back and ask your security teams or your IT teams.
Are we using MDR? Are we using EDR? Who's monitoring it? Is it 24/7? Do we have it configured to automatically react, or is it configured to only flag? A flag is only as good as the humans watching it versus configured to actually react and respond as the tool-- much better. You'd much rather have a computer shut down and deal with it than have the threat actor in there.
JESSICA KEARNEY: Well, I think the best thing I've heard all webinar is that the basics are still very important and foundational to what we should all be doing when we're thinking generally about cyber hygiene. We will drop in the chat-- We've got lots of resources on some of those low-hanging fruit best practices that everyone should be doing. So we're not going to dive into them here. But if you want to dig into those any further, that'll be in the chat.
And I wanted to, again, as we're thinking about those proactive steps-- we had a question coming in from Gary who wants to know, what is Travelers cyber insurance doing in terms of actively protecting insureds computer systems from ever being successfully attacked in the first place? So I know we're talking about cyber hygiene, and we're talking about AI specifically. But could you, maybe, Lauren, take that one? And what is Travelers doing on the front end before something happens?
LAUREN WINCHESTER: I swear Gary was not a plant. But thank you so much for this question. So I love talking about this. Our team, the Cyber Risk Services team exists to help our policyholders predict, prevent and recover from cyberattacks. And we take the predict and prevent very seriously because it's a great day for you and a great day for us if you don't have a claim.
So one of the things that we're really big on is we do external-only scanning of your environment. We get your website, and we're going to scan and look for common attack vectors that threat actors are going to look for. So we say, if we're a threat actor, what do we see? We're not going to go exploit them. But we are trying to see if you have any obvious flaws from the outside that a threat actor is going to find.
We're also going to alert you to those. So it's a living risk. You might look good at the point of underwriting. And then, a month later, a new vulnerability comes out, and we see you're running that product. We're going to want to let you know about it. So we're alerting our policyholders. We're giving them step-by-step instructions of what to do to remediate that particular issue. We've got a team of cybersecurity experts who are available to talk to any policyholders that might need help in fixing those issues or just have general related questions to cybersecurity, AI security and governance, what have you.
And we make that also available in our Cyber Risk Dashboard. So at any point, policyholders can log in, get a look at what their attack surface looks like, answer security questions that we have on there to get a better sense of what they should prioritize and, again, seek help from our team if they need it.
JESSICA KEARNEY: All right. So thank you for that. And then let's go back to that point we were talking about earlier about that internal risk of using AI. I know we talked about, generally, cyber hygiene and what organizations should be doing. But I think we have a slide on what organizations should be doing to address those new AI risks internally.
(DESCRIPTION)
Slide. AI Risk Reduction. AI Governance. Human Oversight. Input/Output Validation. Employee Training. Least Privilege for Agents. Third Party Monitoring and Risk Assessment.
(SPEECH)
LAUREN WINCHESTER: Yeah, absolutely. So like I said, this is different. It can fit sort of within your existing governance frameworks. But you really do need to call it out. You need to start with ownership. If no one's accountable for AI governance, nothing's going to be managed. So you need to designate an individual or a committee so that there's folks within the organization responsible for reviewing what the potential use cases are for AI and how you're going to roll it out.
You need to then document what that policy is going to look like. It needs to be specific enough that guides behavior but not restrictive so it drives usage underground and very clear on what's permitted, what's prohibited and how to handle that data. Then training-- training is key. You can have all the policies in the world. If no one reads them, you've got a problem.
So you have to find a way to meet your employees where they are and make sure the training is meaningful and repeated so that they can really get used to the tools that you're deploying, what they're allowed to put into them, what they're not allowed to put into them, how to take ownership of the output from those tools. There's a reason that you're here as a human in that organization. So you can't just heavily rely on what the output is. You need to review it and own it and then how to take any problems and escalate them to the AI committee that you've established.
I think the other thing we see is, for the companies that are a little more tech forward, that might be actually building AI tools or building agentic AI. You need to keep a human in the loop for high-stakes decisions. Obviously, there's a lot of benefits to automating things and able to have AI agents moving quickly in the background. But for anything that's high stakes and important to your organization, how is a human involved? How are they reviewing decisions that are being made?
You need to vet tools before deploying them. Where's our data going if we turn on this AI feature in a software we already have? Question you should be asking before you turn it on. You need to understand what exactly the software vendor is doing with your data.
And then, that's an important point. It's not always going to just be, OK, I'm using a net new tool. You'll have already seen a lot of existing tools that you have are creating and turning on AI features. And you need to have a pattern of catching those, reviewing them and deciding whether or not it makes sense for your organization to have them turned on.
So lots more that you could be doing. And we do consult with our policyholders on this type of risk. But it is kind of something net new that the whole organization needs to be aware of.
JESSICA KEARNEY: Another question coming in from an audience member, Leah, getting to the vendor, third-party piece of it, what would you recommend for businesses that have all their data in the cloud through a vendor?
LAUREN WINCHESTER: That's a lot of-- especially newer companies are cloud-native. There's nothing fundamentally wrong with being a cloud-native company. You just need to understand where that data is stored. Ideally, it's with vendors that have been around for a while and can explain to you how your network is segmented-- your data is segmented from other customer data or at least anonymized.
And different companies and sizes are going to have different levels of risk tolerance for, to what extent they need their own separate part of that cloud. So understanding what it means to be virtualized and cloud based is important. And then securing that environment is just as important as securing your on-prem. So that means, who has access to different data? Who can read, write, delete, what have you? How do we limit that? And how do we make sure the data is backed up and immutable, so it can't be changed if some bad actor gets access to credentials? And protecting those credentials with MFA.
So whole lot you could be doing. But don't think of cloud storage and cloud vendors as inherently more risky. It's just a different thing you need to secure.
DAVID KRUSE: And I'll just jump in there with one point, Lauren, too that MDR providers like at Arctic Wolf, like our peers, we can layer our MDR service onto cloud programs, so we can integrate with the likes of a Google like a G Suite or a Microsoft 365 or if you're in healthcare with Epic Systems. Or whatever cloud service you use, we can layer an MDR service on top of that to monitor for those malicious login attempts that shouldn't be coming from parts of the world where you don't have employees, for example.
So again, this goes back to the idea of the basics that you were mentioning, Lauren, that, even though the exterior world seems to be crazy every now and then, the fundamentals of just monitoring for suspicious activity and putting fundamental systems in place that block that suspicious activity from occurring, that's the basic blocking and tackling that the security community has been doing for decades. Just doing it on a cloud attack surface versus an on-premises attack surface doesn't really change the fundamentals. It changes how you connect the wires on the back end. But the activity is the same.
JESSICA KEARNEY: That's really helpful and I think really practical. We've been getting a number of questions about the cloud and how to think about that, so that's great.
All right. So as we close out, we've reached almost the top of the hour. I want to go around and thank all three of you for all of your expertise today and sharing these really actionable insights. We're going to have the audience-- we're going to send the audience a link to the report when it comes out next week, so they can dig in even deeper.
Before we close out, though, I just want to go around one final question-- given everything in the new report for Q1 and everything we've discussed today, what is the one single thing you want audience members to walk away from and maybe do differently moving forward. Lauren, you want to start with you?
LAUREN WINCHESTER: Two words-- patch faster.
JESSICA KEARNEY: Faster. Christine?
CHRISTINE MAPES: Yeah, I mean, I see all the questions coming through. I think they're all great questions. They all deserve answers. There's so much to know. The good news is you don't have to figure it out all by yourself. So if I had one thing to say, I would say, call your broker. Call your carrier. Talk to them before something happens. They're a wealth of resources at these carriers that are at your disposal-- threat intelligence teams, to Lauren's points, risk advisory teams, they're there to support you. They're the ones on the front lines, so they're really the ones who are most knowledgeable. I may be biased, but I am going to say that.
Reach out to those people. And ask them, here's my current posture, what should I be doing differently? They're there to support you. It's supposed to be a positive experience before an event even happens. So that would be my advice.
JESSICA KEARNEY: And David?
DAVID KRUSE: Yeah. Understand that any security control you have contains two parts. They contain product, and they contain process. So you've bought an EDR tool. Congratulations. You made a great decision. What processes are you wrapping around that product to make sure you're actually extracting the security value that you paid for?
So if you're thinking about security controls as just product, you're only singing half the song. So make sure you're wrapping process around product and then you're actually going to operationalize and get value from the purchase that you made.
CHRISTINE MAPES: That's phenomenal advice.
DAVID KRUSE: Oh, thank you, Christine.
CHRISTINE MAPES: You're welcome, David.
JESSICA KEARNEY: Love it. All right, well, thank you again, Lauren, David, Christine, for being with us. We've got a ton of questions coming in, a ton of audience engagement, which is great to see. Again, for our audience, look out for the Cyber Threat Report, which is out next week.
(DESCRIPTION)
Slide. Wednesdays with Woodward (registered trademark) Webinar Series. Take Our Survey. Link in chat.
(SPEECH)
And we will be sending that to you along with a replay of today's video.
So again, a huge thanks to our speakers, and thank you so much for being with us. We are going to drop a link in the chat that has a survey about today's program. So as always, would love you to fill that out and share any thoughts, feedback on today's program, as well as other topics that you'd be interested in seeing in the weeks and months ahead.
(DESCRIPTION)
Slide. Wednesdays with Woodward (registered trademark) Webinar Series. Upcoming Programs. May 27. Geopolitics and the Global Risk Landscape: A Conversation with Lieutenant General (Retired) William D. Beydler. June 10. Inside the National Hurricane Center: Advanced Forecasting, Better Preparedness. June 17. Take the Stage: Leadership Confidence That Builds Trust and Connection. Register: travelersinstitute.org. Travelers Institute. Travelers.
(SPEECH)
We also have some great webinars coming up to start your summer, so I hope you'll join us for those. Next week, on May 27th, we're going to be hosting a conversation with retired Lieutenant General William Beydler, who's going to share his perspective on geopolitics. So we're going to have a geopolitical update to understand what's happening in the world and what it means.
And then, on June 10th, we'll welcome a senior leader from the National Hurricane Center, Deputy Director Jaime Rhome, for a look at the upcoming Atlantic hurricane season, which starts very shortly on June 1st. We're going to be looking at the latest science, as well as the latest insights coming from the National Hurricane Center down in Miami. That should be a great one, especially when we're thinking about community resilience and personal preparedness, business preparedness.
And then, on June 17th, we we'll shift gears a bit and talk about leadership, especially about developing your own leadership presence and building trust with others as a leader within your organization. We're going to host attorney, author and leadership consultant Pam Sherman, and she's going to join us for that program.
(DESCRIPTION)
Slide. Wednesdays with Woodward (registered trademark) Webinar Series. Watch. travelersinstitute.org. Connect. Joan Kois Woodward. Listen. Wherever you get your pods.
(SPEECH)
So as always, check out all of our webinar replays and more on our website, travelersinstitute.org. You can also bring our sessions on the go through our Travelers Institute Risk & Resilience podcast. Thank you again for tuning in. I hope you learned a few useful things today. And I hope you have a great rest of the afternoon. Thanks so much.
[MUSIC PLAYING]
(DESCRIPTION)
Travelers Institute (registered trademark). Travelers. travelersinstitute.org.
Summary
What did we learn? Here are the top takeaways from Facing Today’s Cyber Threat Landscape: Turning Threat Intel into Action:
Ransomware threats are on the rise in concerning new patterns, the Travelers Cyber Threat Report shows.
In the first quarter of 2026, 84 different criminal groups posted more than 2,400 victim companies on ransomware leak sites on the dark web. This is the second-highest number recorded in the history of the report, following the highest number ever in the last quarter of 2025. This is unusual because ransomware activity has historically been cyclical, with each peak followed by a sharp drop, said Lauren Winchester, Head of Cyber Risk Services at Travelers. What does this mean for organizations? “This is a new baseline of elevated activity that organizations need to treat as the operating environment going forward,” she said. Watch at 05:04
Organizations of all sizes across industries are being targeted by ransomware groups, the report shows.
The number of ransomware victims increased by 50% in 2025. Many of these companies mistakenly thought they were too small or inconspicuous to become ransomware targets, said Christine Mapes, Managing Director & Counsel, Bond & Specialty Insurance Claim at Travelers. She noted that Travelers handles claims from businesses of all sizes and industries, ranging from construction to education, healthcare, professional services and wholesale. “The reality is sometimes small to midsized businesses are a target because they may have weaker controls, fewer dedicated staff or slower patching cadence,” she explained, adding that the landscape is changing rapidly. “Volume is up, the attacks are landing and they’re costing more.” Watch at 12:21
Ransomware groups are exploiting weaknesses in virtual private networks (VPNs) to extort organizations.
More than 85% of Travelers’ cyber claims from August to December of 2025 involved VPNs as the initial point of entry, the report shows. The increase in the use of the VPNs for remote work since the pandemic has contributed to this rise, said David Kruse, Director of Insurance Alliances at Arctic Wolf. To use a VPN securely, companies need to enforce practices such as multifactor authentication (MFA), apply critical software updates to patch and remediate vulnerabilities quickly, and monitor logs for suspicious activity, he said. To illustrate this, Mapes shared the case of a manufacturing company that became a ransomware victim when it didn’t update user credentials and enforce MFA on local legacy accounts after a VPN update. “VPNs present almost a bottomless well of opportunities for threat actors to wash, rinse and repeat their attack tactics,” Kruse said. Watch at 16:35
Just as companies are rapidly adopting AI tools, threat actors also are using AI to assist in their attacks.
“The quality and the volume of the business email compromise attacks and social engineering attacks have increased in ways that absolutely call AI into the equation,” Mapes said. Examples range from a grammatically perfect phishing email specifically tailored to a business to a message that uses a clone of a CEO’s voice to request that an employee make a wire transfer immediately. To combat these tactics, Mapes recommends always using a secondary verification channel for any request involving money. “Just pick up the phone and call a known number to verify that what you’re being asked to do is authentic,” she said. Watch at 30:52
Leaders can take practical steps to defend their organizations against cyber threats.
The good news is that even as threat actors exploit AI and other new technology, organizations can rely on tried-and-true best practices. “It’s really still about the basics right now,” Winchester said. For example, it’s crucial to implement these five cyber readiness practices to help protect your organization from new and evolving threats. In addition to enforcing MFA and performing regular software updates, it’s important to leverage endpoint detection and response, have an incident response plan and back up your data. Watch at 41:53
Webinar resources
- Check out the Q1 ’26 Travelers Cyber Threat Report.
- Explore Five Cybersecurity Readiness Practices to Help Prevent Evolving Cyber Threats, including:
- Implementing multi-factor authentication
- Keeping your systems up to date
- Leveraging endpoint detection and response
- Having an incident response plan
- Backing up your data
- Read the 2026 Arctic Wolf Threat Report.
- For more on AI governance, check out Cybersecurity in a Post-Mythos World, an Aspen Institute digital resource written by Wednesdays with Woodward® panelist Jeff Greene and other government experts.
- Watch the replay of Global Cyber Resilience: Lessons from Former White House and CISA Leader Jeff Greene.
- Learn more about our Cyber: Prepare, Prevent, Mitigate, Restore® initiative.
Speakers
Lauren Winchester
Head of Cyber Risk Services, Travelers
David Kruse
Director, Insurance Alliances, Arctic Wolf
Christine Mapes
Managing Director & Counsel, Bond & Specialty Insurance Claim, Travelers
Host
Jessica Kearney
Vice President, Public Policy, Travelers Institute
Presented by
Related content
How Travelers Advances Cyber Offerings with Corvus Acquisition
Pete Herron and Madhu Tadikonda of Travelers spoke about the company’s acquisition of Corvus, an industry-leading cyber insurance managing general underwriter, and what this partnership means for Travelers agents, brokers and insureds.
Global Cyber Resilience: Lessons from Former White House and CISA Leader Jeff Greene
Jeff Greene, former Assistant Executive Director for Cybersecurity at CISA and former Chief of Cyber Response and Policy on the National Security Council, joined us to share an insider’s view of today’s evolving cyber threat landscape. Gain actionable insights from a seasoned expert who has helped shape national cybersecurity policy and learn how to better protect your organization in an increasingly complex digital environment.