CNA Cyber-Attack Cautions Businesses to Examine Their Insurance Policies

In March of 2021, one of the largest Chicago-based insurance agencies, CNA, suffered a ransomware attack that shut down all of their systems, created a wide-spread and significant risk exposure to all of those within, and caused a network disruption which prevented access to system-member emails and the external website.

In order to end the attack, CNA paid the threat actors $40 million. CNA officials were required to disclose the ransomware payment to the U.S. Securities and Exchange Commission (SEC). In their SEC filing, CNA reported that they will face investigations and fines relating to their issuance of payment, as well as legal claims relating to the data breach. Additionally, CNA has stated that they will be forced to incur higher costs to ensure that their “future cybersecurity insurance coverage is beyond the current term.”  

CNA noted that they are doubtful that their insurance coverage would cover all of the potential damages and incurred losses that may flow from this breach and their choice to pay the threat actors.

With this “insurance giant” resorting to paying “out of pocket” when faced with a cyber-attack, businesses should be vigilant in ensuring that their policies have sufficient limits.

For additional information or assistance, please contact Kennedy Sutherland LLP.