Cybercriminals, looking for a fresh vein of victims for their ransomware attacks (as if they needed one beyond the hospitals, banks, pipelines and other critical infrastructure they have already been hitting), have turned to hacking the cyber-insurance providers themselves. A few weeks ago CNA Financial Corp, one of the largest providers of cyber-insurance (coverage against the cost of a successful cyberattack), was itself hit by ransomware. CNA reportedly ended up paying over $40 million to free up its systems and return to normal operations. So the attackers not only went after a target they knew had the ability to pay (after all, CNA pays the claims for the attackers' other victims), but, more importantly, they now have a list of all those clients with fully paid-up cyber-insurance. They also know the policy limits, so they know exactly how much to demand to release each victim from its cyber hell. In short, the attackers walked away with a list of covered companies on top of their ill-gotten ransomware gains.
The most capable hacking groups have long known where their bread is buttered. The most sophisticated ones often bypass the hacked customer and negotiate directly with the insurer. They know who is cutting the check, after all, and in some cases the victim company itself is barred by regulation from paying the ransom directly in cryptocurrency, the "gold standard" of cyber-crime. Better to cut out the middleman and go straight to the source of the money.
Three conclusions come to mind from this event. If I were one of CNA's customers, I would be considering action against CNA for putting me in jeopardy by losing my data. At the same time, I would be battening down the hatches as quickly and completely as I could, because the cyber-gang, or whoever is behind this heist, is sure to come calling. And finally, you can expect cyber-insurance companies to begin tightening their underwriting standards and demanding more than "self-attestation" before they accept any large policyholder. I would not be surprised if they start requiring a SOC 2 audit or some other third-party validation of a company's cybersecurity before they provide coverage and take on the risk.