ONE of the biggest cyber insurance companies in the world has become the victim of a sophisticated hack.
CNA Financial was hit on March 21 2021 in an attack so serious the company shut down operations for three days to contain the threat, investigate, and safely restore the business. It is feared hackers may have accessed information making it easier to target CNA Financial’s customers.
Hackers are understood to have installed malware and ransomware on CNA’s systems, gaining access to its emails. About 15,000 devices were encrypted by the hackers, according to tech forum Bleeping Computer.
The company, which last year recorded $10 billion in revenue, is still investigating whether any customer data was stolen.
In a statement on the cyber attack, CNA Financial, which is based in Chicago, US, said:
"On March 21 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems.
Upon learning of the incident, we immediately engaged a team of third-party forensic experts to investigate and determine the full scope of this incident, which is ongoing. We have notified law enforcement and are cooperating with them as they conduct their own investigation.
Out of an abundance of caution, we took immediate action by proactively disconnecting our systems from our network. We’ve notified employees and provided workarounds where possible to ensure they can continue operating and serving the needs of our insureds and policyholders to the best of their ability."
Normal operations had still not fully resumed almost two weeks later, with investigations continuing into April, CNA said.
CNA stressed it was now safe to conduct business with the company and communicate with staff via email.
Erin Yurday, CEO of insurance advisors NimbleFins, said:
"This is a worrying attack. If hackers have managed to access customer information they could use this to spot vulnerabilities in their cover and use that for cyber extortion.
The cost of a cyber incident has the potential to be huge for any business, and an incident like this shows just how vital cyber insurance is becoming. There is no law recommending it, but anyone who uses a computer to do business is at risk of an attack. If a cyber insurance company can become victim to hackers, anyone can."
As for CNA, this cyber attack has put a business with 5,800 employees out of action for days, with the potential for a multi-million-pound financial hit. Without its own cyber insurance in place, CNA would have had to pay for external investigators, contingency systems, and communication to customers, and potentially even a ransom. With the added loss of earnings from being unable to operate for three days, a company of this size would easily be losing millions of pounds if it didn’t have insurance to cover it.
Cyber insurance does not only cover criminal activity, but any type of computer incident which causes the business to lose money. If data is lost, or a security breach has occurred, cyber insurance can also connect policyholders to experts to try and restore information and systems, and can also fund reputation management and compensation settlements with affected parties. The most common cyber insurance claims in the UK are for legal expenses, followed by business interruption and loss of data.