Insurance firm CNA Financial, a prominent provider of cyber insurance, confirmed a cyberattack against its systems, which has some concerned that cybercriminals may target policyholders.
Cybercriminals generally know that companies represented by a cyber insurance company are more likely to pay a large ransomware demand than an uninsured business that doesn’t have the financial backing.
It is currently unclear as to what client information may have been compromised in the attack against the Chicago-based firm, with roughly $10 billion in annual revenue. But gaining illegal access to a cyber insurance firm’s records could give the perpetrators insights into the negotiating tactics of the insurance company, and what current clients might be willing and able to shell out if a future attack occurs.
“The theft of customer policies is the Sword of Damocles that has been hanging over the cyber insurance industry since its inception,” said Aaron Portnoy, principal scientist at Randori. “The profit that ransomware groups can extort from a target has historically started as an educated guess, modified as the hostile negotiations proceed. Possessing the cyber insurance policy details at the outset allows ransomware groups to maximize their success by setting a price that falls within the bounds of the coverage.”
Of course, the attackers aren’t necessarily limited to a ransomware strategy. They could also phish certain policyholders. Brett Callow, malware analyst at Emsisoft, noted how certain threat actors – including the operators of the Clop ransomware who allegedly struck the file-sharing service Accellion – “use exfiltrated data to spear phish the third parties to which it relates. And, of course, the fact that actors possess specific information enables them to craft spear phishing emails that are very convincing.”
Indeed, Rick Betterley, president of Betterley Risk Consultants, said that if malicious actors were to obtain insurance applications or policies containing certain underwriting, it “might help the attackers fine-tune their threat. For example, messaging might now include 'We know that you use xyz firewall, and we know how to break it,'” he said.
“I think it's a serious concern,” said John Reed Stark, president of John Reed Stark Consulting LLC. Too often, he said, organizations think only of the threat of losing personally identifying information to a breach, while overlooking the potential damage of attackers gaining access to proprietary emails and critical information about companies and relationships.
"When that information is stolen and released to the public, it can be much more devastating, and far more difficult to recover from,” Stark said.
“For an insurance company, proprietary information concerning policies is certainly something that a sophisticated criminal enterprise could use toward its advantage,” Stark continued. "There may be all sorts of internal pricing information, proprietary models, very sensitive emails. The content of all those kinds of files, whether they be email files or PowerPoint decks or Excel spreadsheets or Word documents, can contain critical information to a company."
For this reason, it’s imperative that insurance companies that find themselves in this situation execute a robust incident response, replete with timely client notification.
“Insurance firms should obviously activate the breach coach and incident response resources they work closely with when helping their own clients during an incident, so that these clients are immediately informed and supported with monitoring services,” said Isabelle Dumont, vice president of market engagement at cyber insurance company Cowbell Cyber.
Moreover, understanding the “scope of the incident, with the type and volume of data impacted, is paramount when a cyber incident occurs. This insight informs who has a negotiating advantage,” Dumont continued.
SC Media reached out to CNA for comment on the incident. Meanwhile, the company issued a statement on its website that reads, in part: "On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email… The security of our data and that of our insureds’ and other stakeholders is of the utmost importance to us. Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly.”
The firm also noted that third-party forensic investigators and law enforcement have been brought on to the case, and that for now “we have disconnected our systems from our network, which continue to function.”
Over the long term, additional disclosures will likely be necessary, experts said.
“As with most compromises, unearthing and sharing the techniques of the attackers will be crucial to bolstering proactive defensive mechanisms to detect future attempts,” said Portnoy. “In this particular case, the details as to the information absconded will help the insured organizations understand the negotiating position they may find themselves in the case of their own compromise.”