Back in March, insurance firm CNA Hardy had much of its IT system knocked out by a ransomware attack, and sensitive data stolen.
That’s not a good look for a firm that sells cyber insurance.
And what’s also pretty ugly is that Bloomberg reports that CNA chose to pay an eye-watering $40 million to the cybercrime gang that launched the ransomware attack.
As security researcher Kevin Beaumont adroitly points out on Twitter, it’s makes one raise an eyebrow at some of the things CNA Hardy has said in the past on the topic of ransomware.
“A ransomware attack can have a devastating impact on business. Developing a breach plan and knowing what steps to take in the event of an attack could help save a business.” – Brian Robb, CNA.
He’s not wrong.
(According to his LinkedIn profile, Robb left CNA Hardy last month to start a job as head of cyber at a different insurance firm. One imagines it might have looked better on his resume if he had moved on before the ransomware attack occurred, but never mind. Timing is everything.)
Meanwhile, CNA Hardy says that all of its cyber policy holders automatically get something called CNA CyberPrep. What’s that you ask?
CNA CyberPrep, built on nearly two decades of cyber insurance expertise, is a proactive program of cyber risk services developed by CNA Risk Control and CNA Cyber insurance underwriters in partnership with leading cybersecurity specialists. It is designed to aid CNA cyber policyholders in cyber threat identification, mitigation and response.
A cynic might suggest that if CNA cannot protect itself, then it’s unlikely it will be able to do the job for its clients.
Of course, it’s very easy to have a good laugh about a cyber insurance company getting caught with its pants down, hit by ransomware, and paying an EYEWATERING $40 MILLION RANSOM (sorry, but I do think the figure deserves emphasising), but it could have happened to just about anyone…
…well, maybe not the paying $40 million bit.