One of the largest insurance firms in the U.S. CNA Financial was reportedly hit by a “sophisticated cybersecurity attack” on March 21, 2021. The cyber attack disrupted the company’s employee and customer services for three days as the company shut down “out of an abundance of caution” to prevent further compromise.
Founded in 1967, the Loews Corp subsidiary is among the top 10 cyber insurance firms and the leading 15 casualty and property insurers in the U.S. It employs about 5,800 workers and reported annual revenue of over $10 billion in 2020. e
CNA Financial acknowledged a sophisticated cyber attack involving ransomware
The insurance company posted a statement on its website notifying the public that it “sustained a sophisticated cybersecurity attack. The cyber attack caused a network disruption and impacted certain CNA systems, including corporate email.”
The cyber insurance firm added that it engaged forensic experts and law enforcement in its investigations.
“Upon learning of the incident, we immediately engaged a team of third-party forensic experts to investigate and determine the full scope of this incident, which is ongoing. We have alerted law enforcement and will be cooperating with them as they conduct their own investigation.”
Cyber insurance firm worried about policyholders’ data leak after the cyber attack
CNA financial did not notify potential victims because it could not determine if the attackers stole any data.
“Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly,” the company stated.
Further, the firm initiated mitigation efforts to alleviate the disruption caused by the cyber attack.
“We’ve notified employees and provided workarounds where possible to ensure they can continue operating and serving the needs of our insureds and policyholders to the best of their ability.”
Coalition CEO Joshua Motta said a nightmare scenario would be if the attackers stole policyholders’ data. He noted that accessing the data could help hackers determine which companies had applied for or acquired cyber insurance, the scope of coverage, and the limits of deductibles.
Ransomware operators could use that information during negotiations after compromising the cyber insurance policyholders. They could use the information to set optimal ransom demands matching the policyholders’ cyber insurance coverage.
Thus, informing any compromised parties would help them understand their negotiating position if a ransomware cyber attack compromised their network.
If the hackers stole any data they could use that information to target the policyholders for their ability to pay because of the cyber insurance backing. Additionally, accessing their information could help the attackers craft convincing phishing messages, thus increasing the probability of success.
Similarly, various cyber insurance policy disclosures could enable hackers to fine-tune their attacks to fit specific clients’ cyber defenses and weaknesses.
On April 1, CNA said it had restored mail functionality protected by two-factor authentication and a threat-blocking “security platform.”
It also published its forensic investigation report findings. CNA disclosed that the ransomware used during the cyber attack could not automatically propagate through internal and external systems.
Responding to the cyber attack on CNA Financial, Ilia Kolochenko CEO, Founder, and Chief Architect at ImmuniWeb, downplays the risk posed by leaked policyholders’ data.
“I think, today it’s premature to talk about a major spike in attacks targeting insurance firms with a purpose to steal lists of customers who have cybersecurity insurance,” Kolochenko says. “It may appear intuitive to attack victims who have cyber insurance. However, this does not necessarily require hacking into insurance firms.”
He noted that many companies readily disclose having cyber insurance to boost customer and investor confidence.
“Moreover, cybercriminals will unlikely go through lengthy cyber insurance contracts to ferret out which specific incidents are covered and what are the numerous exclusions. This is a laborious process and even the victims cannot be certain of eventual coverage as demonstrated by a surge of litigation for refusal of coverage under different pretexts”
He believes that cybercriminals prefer to spend the least time and effort by targeting low-hanging fruits for a quick payout.
“More sophisticated cyber gangs do carefully select their victims in ransomware campaigns but it’s unlikely whether cyber insurance cover for a victim will play a major role in the process.”
“I expect to see service providers increasingly targeted by cybercriminals. After all, why spend time trying to compromise a hundred different companies individually when you can compromise them all at once by targeting their provider?” Clements wondered.
Similarly, Saryu Nayyar, CEO of Gurucul, believes that insurance agencies are attractive targets for cybercriminals.
“If an attacker can extract a list of clients who have cyber-attack insurance, those clients, in turn, become inviting targets themselves. Since they have insurance they are seen as more likely to pay off a ransom. It’s a win-win [situation] for the attackers and a lose-lose [situation] for everyone else.”
Nayyar says that cybersecurity should extend beyond taking a cyber insurance cover.
“They need to implement best practices and take cybersecurity seriously. It needs to be ingrained in process, policy, and company culture. And that needs to be backed up with best in breed security solutions, such as security analytics, that can blunt an attack when malicious actors get past the perimeter.”
Clements added that companies cannot solely rely on cybersecurity products. Noting that no organization is safe from cybercriminals, he advises them to adopt a culture of security from the top leadership down to operations.
He also points out that almost all organizations recently breached had various security products.
“This is not to say that anti-malware products aren’t necessary. Good solutions regularly do stop many attacks. The point is they aren’t 100%. A defense-in-depth strategy including security hardening controls, continuous monitoring, and regular security testing is absolutely critical for an organization to ensure that they are able to catch and stop an attack before widespread damage is caused due to ransomware or data theft.”