CNA Financial’s “Sophisticated Cyber-Attack“
Commercial insurance carrier CNA was hit by a “sophisticated cyber-attack” that caused major havoc for certain systems, including email. Out of an abundance of caution, they contained the attack by proactively disconnecting their systems leveraging a methodical and carefully organized process. CNA is one of the biggest insurance companies in the U.S., with over 6,000 employees.
GDI Insurance Agency had a $250k+ premium account that most likely would have gone to them, but due to the system outage/failure they couldn’t get final pricing to us and lost the opportunity. Having happened leading into 4/1 (the start of a new quarter was the WORST timing for an insurance company). It’s murphy’s law, what can go wrong will (and when it does it’ll be at the worst possible time). If this happened with our agency, think of the losses they experience with other agencies as well.
CNA Insurance has been working around the clock for a week on the incident, and have just restored their enterprise email system, which is now safe. Adding additional security measures in place to protect their systems.
“The security of our data and that of our insureds’ and other stakeholders is of the utmost importance to us. Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly,” the company said.

How CNA Dealt With A Sophisticated Cyber-Attack
“Out of an abundance of caution, we contained the attack we sustained by proactively disconnecting our systems from our network. We are now in the restoration stage and are bringing back our systems leveraging a methodical and carefully organized process. As highlighted here and as an example of this ongoing process, we have restored email access and you can communicate with CNA employees safely and in the normal course of business.”
Download Your Cyber Risk Exposure Scorecard Today!
10 Cyber Security Resolutions to Reduce Your Data Exposures
Sophisticated cyber-attack, threats and trends can change year over year as technology continues to advance at alarming speeds. As such, it’s critical for organizations to reassess their data protection practices at the start of each new year and make achievable cybersecurity resolutions to help protect themselves from costly breaches. The following are resolutions your company can implement to ensure you don’t become the victim of a sophisticated cyber-attack:
- Provide security training—Employees are your first line of defense when it comes to cyber threats. Even the most robust and expensive data protection solutions can be compromised should an employee click a malicious link or download fraudulent software. As such, it’s critical for organizations to thoroughly train personnel on common cyber threats and how to respond.
Employees should understand the dangers of visiting harmful websites, leaving their devices unattended and oversharing personal information on social media. Your employees should also know your cybersecurity policies and know how to report suspicious activity. - Install strong antivirus software and keep it updated—Outside of training your employees on the dangers of poor cybersecurity practices, strong antivirus software is one of the best ways to protect your data.
Organizations should conduct thorough research to choose software that’s best for their needs. Once installed, antivirus programs should be kept up to date. - Instill safe web browsing practices—Deceptive and malicious websites can easily infect your network, often leading to more serious cyber attacks. To protect your organization, employees should be trained on proper web usage and instructed to only interact with secured websites.
For further protection, companies should consider blocking known threats and potentially malicious webpages outright. - Create strong password policies—Ongoing password management can help prevent unauthorized attackers from compromising your organization’s password-protected information. Effective password management protects the integrity, availability and confidentiality of an organization’s passwords.
Above all, you’ll want to create a password policy that specifies all of the organization’s requirements related to password management. This policy should require employees to change their password on a regular basis, avoid using the same password for multiple accounts and use special characters in their password. - Use multi-factor authentication—While complex passwords can help deter cybercriminals, they can still be cracked. To further prevent cybercriminals from gaining access to employee accounts, multi-factor authentication is key. Multi-factor authentication adds a layer of security that allows companies to protect against compromised credentials.
Through this method, users must confirm their identity by providing extra information (e.g., a phone number, unique security code) when attempting to access corporate applications, networks and servers. - Get vulnerability assessments—The best way to evaluate your company’s data exposures is through a vulnerability assessment. Using a system of simulated attacks and stress tests, vulnerability assessments can help you uncover entry points into your system.
Following these tests, security experts compile their findings and provide recommendations for improving network and data safety. - Patch systems regularly and keep them updated—A common way cybercriminals gain entry into your system is by exploiting software vulnerabilities. To prevent this, it’s critical that you update applications, operating systems, security software and firmware on a regular basis.
- Back up your data—In the event that your system is compromised, it’s important to keep backup files. Failing to do so can result in the loss of critical business or proprietary data.
- Understand phishing threats and how to respond—In broad terms, phishing is a method cybercriminals use to gather personal information. In these scams, phishers send an email or direct users to fraudulent websites, asking victims to provide sensitive information.
These emails and websites are designed to look legitimate and trick individuals into providing credit card numbers, account numbers, passwords, usernames or other sensitive information.
Phishing is becoming more sophisticated by the day, and it’s more important than ever to understand the different types of attacks, how to identify them and preventive measures you can implement to keep your organization safe.
As such, it’s critical to train employees on common phishing scams and other cybersecurity concerns. Provide real-world examples during training to help them better understand what to look for. - Create an incident response plan—Most organizations have some form of data protection in place. While these protections are critical for minimizing the damages caused by a breach, they don’t provide clear action steps following an attack.
That’s where cyber incident response plans can help. While cybersecurity programs help secure an organization’s digital assets, cyber incident response plans provide clear steps for companies to follow when a cyber event occurs. Response plans allow organizations to notify impacted customers and partners quickly and efficiently, limiting financial and reputational damages.
For additional cyber risk management guidance and insurance solutions, contact us today.

California’s Leader in Insurance and Risk Management
As one of the fastest-growing agencies in California, GDI Insurance Agency, Inc. is able to provide its clients with the latest and greatest of what the insurance industry has to offer and much, much more. The GDI team has developed an “insurance cost reduction” quoting plan, that provides you with the best coverage at the best rate!
We are headquartered in Turlock, CA, with locations across the heart of California’s Central Valley, Northern California and beyond to provide a local feel to the solutions and services we provide our clients. We pride ourselves on exceeding our client’s expectations in every interaction to make sure that our client’s know how much we value and appreciate their business.