Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.

When the hackers hack the cyberinsurer: lessons learned.

A ransomware attack shut down systems at the Chicago-based insurance giant, CNA, and exposed the personal information of thousands of employees, contractors and even policyholders.  The cyberattack was extensive enough to cause network disruption throughout CNA, including its corporate email and its external website.  CNA ended up having to pay $40 million to the hackers, or threat actors, in order to regain control of its network systems.

CNA's data breach and ransomware attack underscore just how expensive (and extensive) these types of breaches can be and how policyholders may be blindsided by having to pay out of pocket for costs beyond their policy limits.  

In its SEC filings, CNA stated that, in addition to investigations and fines, it may also face legal claims related to the data breach.  In an ironic twist, CNA noted that its own insurance policies may not cover all of the potential damages.  "Although we maintain cybersecurity insurance coverage against costs resulting from cyberattacks (including the March 2021 attack), we do not expect the amount available under our coverage and/or our coverage policy to cover all losses," said CNA.  "Costs and expenses incurred and likely to be incurred by the company in connection with the March 2021 attack include both direct and indirect costs and not all may be covered by our insurance coverage."

The CNA attack raises a few lessons: (1) every policyholder should assess their cyber-policy to ensure that it has sufficient limits; and (2) if you are a policyholder and CNA is your insurer, you may want to confirm whether your personal information has been compromised.

When an insurer “does not expect the amount available under [its] coverage and/or coverage policy to cover all losses” of a cyber-attack, it should give policyholders pause about their own coverage.


cyber attack, cyber insurance, insurance, data privacy