A ransomware attack shut down systems at the Chicago-based insurance giant CNA and exposed the personal information of thousands of employees, contractors and even policyholders. The cyberattack was extensive enough to cause network disruption throughout CNA, including its corporate email and its external website. CNA ended up having to pay $40 million to the hackers, or threat actors, in order to regain control of its network systems.
CNA's data breach and ransomware attack underscore just how expensive (and extensive) these types of breaches can be and how policyholders may be blindsided by having to pay out of pocket for costs beyond their policy limits.
In its SEC filings, CNA stated that, in addition to investigations and fines, it may also face legal claims related to the data breach. In an ironic twist, CNA noted that its own insurance policies may not cover all of the potential damages. "Although we maintain cybersecurity insurance coverage against costs resulting from cyberattacks (including the March 2021 attack), we do not expect the amount available under our coverage and/or our coverage policy to cover all losses," said CNA. "Costs and expenses incurred and likely to be incurred by the company in connection with the March 2021 attack include both direct and indirect costs and not all may be covered by our insurance coverage."
The CNA attack offers two lessons: (1) every policyholder should assess their cyber-policy to ensure that it has sufficient limits; and (2) if you are a policyholder and CNA is your insurer, you may want to confirm whether your personal information has been compromised.