According to a recent Bloomberg article, Chicago-based insurer CNA paid approximately $40 million dollars in ransom to recover its website which suffered a ransomware attack on March 21st. The ransom, paid in late March, allowed the 120 year old insurer to gain access to their website in order to resume its online operations. Bloomberg states the information was divulged by employees close to the matter, but who were not authorized to divulge details publicly.
While CNA has issued no formal statement on the matter, various publications that contacted the insurer, including Bloomberg, it stated that it would not comment on the matter, it did not break any laws, and that it had shared information both with the FBI as well as the Treasury Department’s Office of Foreign Assets Control.
CNA says now in a “fully restored state”
While refusing to confirm the payment of the $40 million dollar ransom, CNA did issue a Security Incident Update on May 12th. In the two-page report, the insurer noted that while it continues to investigate the matter, with the help of third-party forensic experts, the company’s is now operating in a “fully restored state.” Fortunately, the insurer asserts that they are confident, that “…the Threat Actor has not accessed the CNA environment since the ransomware event. We have no evidence to indicate that external customers were potentially at risk of infection due to the incident.”
Additionally, after conducting an ongoing data review both on its website and on the dark web, the company does not believe that “…the Systems of Record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”
A growing threat for the insurance industry?
The rise of ransomware attacks both inside and outside the insurance industry looks to be an unfortunate trend for the future. Since the CNA ransomware attack, there have been two other similar high profile attacks. First, the Colonial Gas Pipeline ransomware attack which disrupted the flow of gas for approximately 45% of the East Coast and ended with the CEO’s decision to pay a $4.4. million dollar ransom in order to restored services quickly. A week after the Colonial shutdown global insurer AXA was hit with a ransomware attack in four countries after announcing its plans to stop writing cyber insurance policies in France that reimburse customers for extortion payments. Also in May, Ireland’s health system suffered an attack wreaking havoc for the country.
While traditionally the the insurance industry’s insular operations and decentralized approach to business would be a buffer to these type of attacks, as the industry grows more centralized there is more opportunity for these types of attacks – and it appears the threat is only growing. The World Economic Forum has discussed the idea of the next pandemic being a cyber-one, while the U.S. Secretary of Commerce noted in a recent Op-Ed that businesses need to realize the risk is real and here to stay.
“Over the past few months, ransomware attacks have not only hit businesses of all sizes, but also hospitals in New York, Nebraska, Oregon, and Michigan, among multiple other states. Police and sheriffs’ offices, schools, and local governments, from Atlanta to Baltimore to Fisher County, Texas, have suffered a similar fate.
A recent report from the Ransomware Task Force, a group of 60 cybersecurity experts from industry and government, sheds light on both the alarming increase in the frequency of these attacks and the ransom size they demanded.
In 2020, it estimates $350 million in ransom was paid to attackers – a more than 300 percent increase over the previous year – with an average payment of over $300,000.
According to a 2021 report, the greatest number of victims in 2020 by industry were in manufacturing, professional and legal services, and construction. Healthcare, manufacturing, and education businesses experienced significant increases. Attacks against industry sectors, including aerospace, also appear to be on the rise.”
The time is now to begin preparing for a potential attack
The Computer Security Resource Center has put together information on Ransomware Protection and Response. In addition, it has issued the following infographic outlining precautions that every entity, large or small, can take to prevent a Ransomware attack.
