
Inside CNA's $40M Bitcoin Ransom: The Hack That Changed Cybersecurity

Updated: Mar 24


00;00;01;11 - 00;00;21;25

Matan Eli Matalon | CISO at OP Innovate

It's very easy to say never pay from a distance. But you know when your systems are down and backups are gone and millions are bleeding out of the business daily. It's survival. No one wants to fund crime, but sometimes you're buying your time to live and your business has to do it. If it wants to survive. It's not about your reputation anymore.


00;00;21;25 - 00;00;24;20

Matan Eli Matalon | CISO at OP Innovate

It's not about your clients anymore. It's about survival.


00;00;24;28 - 00;00;51;16

Jeremy Ladner | The CISO Signal

Welcome to The CISO Signal, the true cyber crime podcast. I'm Jeremy Ladner. On this episode, the company that insures risk became the risk. In March 2021, CNA Insurance, one of the largest commercial insurers in the U.S., fell victim to a ransomware attack that encrypted 15,000 devices and compromised customer data, forcing the shutdown of its systems for weeks.


00;00;51;19 - 00;01;21;11

Jeremy Ladner | The CISO Signal

The breach didn't just steal data, it stripped away the illusion of preparedness for an organization built to model probability, quantify exposure and price protection. It was the ultimate irony. They didn't underwrite the threat. They underestimated it. Joining us is our CISO co-host Matan Eli Matalon, an incident response leader and security strategist with experience across the startup world, military intelligence and enterprise defense.


00;01;21;13 - 00;01;23;24

Jeremy Ladner | The CISO Signal

Welcome to the show. Can you tell us a bit about yourself?


00;01;23;25 - 00;01;49;14

Matan Eli Matalon | CISO at OP Innovate

Awesome. So my name is Matan. I am CISO for OP Innovate. We're basically a cybersecurity company that focuses on both preventing attacks and helping organizations respond when things go wrong, you know? Proactive side. We do a lot of deep dive penetration testing to help companies find and fix weaknesses before attackers do. But we also are the team that gets called up when the fires have already started.


00;01;49;14 - 00;01;55;09

Matan Eli Matalon | CISO at OP Innovate

Now and then incident response forensics, helping companies get back on their feet.


00;01;55;11 - 00;02;00;15

Jeremy Ladner | The CISO Signal

Thank you Matan. Now. Let's get started with the investigation.


00;02;00;17 - 00;02;35;24

Jeremy Ladner | The CISO Signal

We are in the midst of a ceaseless war. Not of bombs or bullets, but of breaches. Firewalls and silent incursions. The targets, our borders, our banks, our commerce and the critical infrastructure that underpins a free civilization. The enemy is cloaked in code, fueled by greed, glory, and a desire for chaos. This is the story of the unseen protectors, the nameless generals, the CISOs, Chief Information Security Officers.


00;02;35;26 - 00;02;53;04

Jeremy Ladner | The CISO Signal

They are the guardians at the gate, watchers on the wall. Ever vigilant and always listening for The CISO Signal.


00;02;53;07 - 00;03;34;05

Jeremy Ladner | The CISO Signal

There's a kind of silence no company trains for. Not the silence of idle inboxes or frozen dashboards, but the deep, airless quiet that follows total digital collapse. In March 2021, CNA Financial, one of the largest insurance carriers in the United States, fell dark. Not a power outage. A ransomware attack. 15,000 machines were encrypted, phones offline, email gone, an entire enterprise unplugged from itself.


00;03;34;08 - 00;04;07;03

Jeremy Ladner | The CISO Signal

The attackers didn't boast. They didn't break things for fun. They came with a purpose and a number: $40 million. At the time, it was the largest known ransom demand in history by multiples. But this wasn't just any company. CNA didn't just insure factories and fleets, they insured cyber risk. They held the names of businesses already worried about breaches.


00;04;07;05 - 00;04;48;23

Jeremy Ladner | The CISO Signal

Organizations that paid for protection. To the right adversary, that's not just a customer database. It's a blueprint for who will pay next. A list of future victims. And if that list got out, it wasn't just CNA's systems at risk, it was everyone they'd sworn to protect. This is the story of CNA Financial, a 100-year-old giant brought to its knees by a breach no one saw coming, in this episode of The CISO Signal.


00;04;48;26 - 00;05;17;00

Jeremy Ladner | The CISO Signal

So let's talk about CNA, in general at first, and then we'll kind of dive into some details. But because you are a CISO for hire, or outsourced CISO, you're often called in when something's already gone wrong. I think you mentioned that as well in your introduction. What does that moment feel like when you get that call, that emergency panicked call, whether it's a late night, maybe it's on the weekend.


00;05;17;02 - 00;05;18;09

Jeremy Ladner | The CISO Signal

What's that feeling?


00;05;18;12 - 00;05;42;00

Matan Eli Matalon | CISO at OP Innovate

Yeah, I mean, it happens way more times than I can count. A CISO, especially a CISO as a service, and an incident response manager, you know, is not only a technical role, but it's also like a psychological one. It's an emotional one. You're like their shrink. It's not only to come and solve the problem, but it's also to make sure they are relaxed enough and confident enough and trusting you in managing this.


00;05;42;00 - 00;06;08;27

Matan Eli Matalon | CISO at OP Innovate

So it's about coming in and building that initial trust between the parties, making sure they understand where you're coming from, what you're trying to achieve, that you're here for them, not for me, for anyone else, for the business. This is your main goal. And when you set that initial trust, it's easier to come in and start working and get to the bottom of the incident.


00;06;09;00 - 00;06;27;23

Jeremy Ladner | The CISO Signal

Do you remember a moment that really shook you, where the weight of the responsibility of being this guardian at the gate, protector watcher on the wall landed with you, and you realized the responsibility and the magnitude of the responsibility in protecting these organizations and these companies.


00;06;27;25 - 00;06;54;04

Matan Eli Matalon | CISO at OP Innovate

Yeah. Not too long ago, I would say, like, two months ago, we had a very big incident response for a major organization in the US where we got approached. They saw malicious activity in one of their development environments, and they didn't really know what was going on. And what made me feel really, really surreal is the fact that their security posture was good, like the posture was really good.


00;06;54;04 - 00;07;13;01

Matan Eli Matalon | CISO at OP Innovate

It's one that you expect to see at a client, what you want to see at a client: they got every single tool in the book, they got their network segmented, they got the right VPN identity, they had everything. But they still got hit with something that, at first, you didn't know what it was and how they got in.


00;07;13;03 - 00;07;32;05

Matan Eli Matalon | CISO at OP Innovate

So that feeling is kind of… it paralyzes you a little bit. You don't know where to start, what you want to check first. And this is the moment when you really get tested by your emotions, how you communicate with them, how you communicate with yourself. And what do you do first?


00;07;32;07 - 00;07;50;27

Jeremy Ladner | The CISO Signal

We love making this podcast and we really hope that shows in the care and quality that we invest in it, and we would really appreciate it if you could take a moment to like and share it with your fellow security professionals, as well as dropping us a comment, letting us know what stories and guests you'd like to have on the podcast in future episodes.


00;07;50;29 - 00;07;59;10

Jeremy Ladner | The CISO Signal

Now back to the story. 

Act 1: The Risk Experts.


00;07;59;12 - 00;08;43;28

Jeremy Ladner | The CISO Signal

CNA Financial didn't build cars. They didn't make software or manufacture microchips. They sold something harder to define and much harder to replace. Assurance. Founded in 1897, CNA had spent over a century building trust. Trust that losses could be managed, that disasters could be priced, prepared for and, if necessary, paid out. They were a backbone institution. They insured skyscrapers and shipping lines, but more recently they insured cyber and they had become one of the largest cyber insurance providers in the US.


00;08;44;00 - 00;09;20;19

Jeremy Ladner | The CISO Signal

Their policies covered ransomware. Their language warned of credential theft, lateral movement, exfiltration. Their job was to anticipate the breach before it happened, to study the attacker's playbook and write policies that made the unthinkable manageable. But like many large, mature enterprises, CNA carried technical debt behind its sleek branding: legacy systems, patchwork infrastructure, a hybrid of on-prem servers and cloud migrations still in progress.


00;09;20;22 - 00;09;56;12

Jeremy Ladner | The CISO Signal

And somewhere inside that hybrid sprawl, a door had been left open. It wasn't negligence, it was complexity. Years of mergers, years of integrations, systems designed for resilience but not necessarily for speed or visibility. And so while CNA managed risk for others, they quietly inherited risk of their own. Internally, security tools hummed in the background: phishing filters, VPNs, endpoint detection.


00;09;56;14 - 00;10;29;15

Jeremy Ladner | The CISO Signal

The modern stack, checked, maintained and compliant. But in practice, security wasn't just a product, it was a race. And in March 2021, someone else crossed the finish line first. They weren't a nation state. Not a known APT, at least not yet. But what they had was patience and precision. The malware came quietly, not through a wide open door, but through a subtle gap in the frame.


00;10;29;18 - 00;10;50;04

Jeremy Ladner | The CISO Signal

And once in, it didn't blink, it didn't pause. It just spread. By the time CNA realized what was happening, it wasn't just about defending their systems, it was about whether they could still defend anyone's.


00;10;50;06 - 00;10;56;26

Jeremy Ladner | The CISO Signal

What do you wish people understood about being a CISO that never shows up in the job description?


00;10;57;03 - 00;11;28;08

Matan Eli Matalon | CISO at OP Innovate

You're not only there to solve the technical problems, you are there to solve more complex business people related problems. It's not a checklist. It's about trust. You carry the weight of potential failure every day and sometimes even blame. So you need to be a very mentally strong person to handle stress from not only the specific problem side, but also from many parties in that specific business.


00;11;28;10 - 00;11;41;28

Jeremy Ladner | The CISO Signal

Okay, so if you had to name one issue, one concern that keeps you up at night in regards to your ability to provide security and respond to an incident, what would that one issue be?


00;11;41;29 - 00;12;11;14

Matan Eli Matalon | CISO at OP Innovate

It's really talked about, both during an incident and in big incidents. What really keeps me up at night is the resources, getting the right resources. Because when you have the team of incident responders and analysts, it's all about getting the right people onto the job and managing the time well and the assignments. Because if you don't manage your resource bank and the things that you want to achieve in that incident response well, the incident response is not going to go well.


00;12;11;16 - 00;12;20;07

Matan Eli Matalon | CISO at OP Innovate

So for me, when I manage an incident response, I really get nervous about the resourcing, because it's everything in an incident.


00;12;20;10 - 00;12;28;09

Jeremy Ladner | The CISO Signal

When you see an organization like CNA go dark, what would your first step have been if they were your client?


00;12;28;11 - 00;12;50;06

Matan Eli Matalon | CISO at OP Innovate

A smart man once told me that when a big incident happens, the first thing you do is to grab a cold glass of water and just breathe. You have to be relaxed. You have to be very focused. And the first thing that you want to do is assess the impact, because that's critical, because that sets your tone and what you're going to do first and next.


00;12;50;09 - 00;13;13;06

Matan Eli Matalon | CISO at OP Innovate

You have to understand what happened. What is the potential impact to the business going to be? How much money is this, you know, environment being down going to cost you? How much money is the data being leaked going to cost you? Is it personal information? Is it PII? Is it other information? What is the regulatory impact of this?


00;13;13;06 - 00;13;26;02

Matan Eli Matalon | CISO at OP Innovate

And so you want to set the tone for the entire incident. So before you even do any technical stuff on the client's environment, you have to answer some very core questions.


00;13;26;04 - 00;14;01;28

Jeremy Ladner | The CISO Signal

Act 2: Contact Loss. 

There is a moment just before impact when the world goes quiet. No alarms, no flashing lights, just stillness. That's how it began at CNA, not with chaos, but with subtle disconnection: a delay in response, a paused cursor, a call that didn't go through. The systems were still on, but something beneath them wasn't.


00;14;02;01 - 00;14;37;04

Jeremy Ladner | The CISO Signal

The malware was already inside, moving, watching, preparing. And then it began to spread. Not wildly, not with noise, but with intent. One end point, then another. Desktops across departments locking into silence, servers blinking off one by one like lights going out in a distant city. By the time it was recognized as ransomware, it had already become everything.


00;14;37;06 - 00;14;40;14

Jeremy Ladner | The CISO Signal

Phoenix Locker, though the name came later,


00;14;40;17 - 00;15;17;22

Jeremy Ladner | The CISO Signal

had claimed more than just devices. It had severed the company's spine, encrypted over 15,000 machines, not just tools, but lifelines. Email gone, phones dead. The network detached from itself like a body without a nervous system. What remained was analog: footsteps and quiet hallways, flashlights sweeping across darkened desks, whiteboards, handwritten notes, radios, if you were lucky. The irony wasn't lost on anyone who understood the stakes.


00;15;17;25 - 00;15;48;07

Jeremy Ladner | The CISO Signal

CNA didn't just insure companies against cyber risk, they insured against this. They were supposed to be the ones who understood how to prevent it, contain it, price it. Now they were living it in real time, in silence. And worse, files had been taken. Policyholder data, personal records, risk profiles, names and numbers and blueprints for future attacks. The ransom note came quietly.


00;15;48;07 - 00;16;20;28

Jeremy Ladner | The CISO Signal

No theatrics, no countdown, just a demand: $40 million. At the time, the largest known ransom ever paid, and perhaps the most consequential, because CNA didn't just hold sensitive data, they held the identities of other companies, companies already afraid of breaches. To the wrong adversary, that wasn't just a list, it was a target map. Outside the building, the world hadn't noticed yet.


00;16;21;00 - 00;16;38;06

Jeremy Ladner | The CISO Signal

The headlines were all still quiet, but inside, CNA faced the most impossible question: What is the cost of silence?


00;16;38;08 - 00;16;50;12

Jeremy Ladner | The CISO Signal

During a major ransomware event like CNA's, what's the right way to handle communication between vendors, insurers, legal and execs?


00;16;50;15 - 00;17;15;18

Matan Eli Matalon | CISO at OP Innovate

One word that I would describe it with is orchestration. It's about every single person needing to know their place, and they have their place to say their opinion. But at the end, it's going to be my recommendation of what the next move is, and it's going to be the CEO's final word. So it's all about orchestration, giving the person the place to say their piece, but it has to be in a respected way.


00;17;15;18 - 00;17;26;27

Matan Eli Matalon | CISO at OP Innovate

It has to be in a well-organized way, and it has to give me my way of giving my recommendation. It's going to be the CEO's final word, and then accepting it.


00;17;26;27 - 00;17;45;27

Jeremy Ladner | The CISO Signal

Have you run into any situations where you've given advice to the C-suite, to the CEO or someone else? And they said, you know, no, we can't do that because of a business situation that we can't share with you. But there are things that are going on. Maybe for whatever reason, they just didn't take your advice. Did you ever run into that?


00;17;45;29 - 00;18;09;10

Matan Eli Matalon | CISO at OP Innovate

Of course. I mean, a lot of times when we come from the outside, we always don't have the perspective of an employee or a C-level manager in that organization. We don't know every piece of information in that business. So when I come in, I give my unbiased opinion or recommendation. And sometimes, you know, it conflicts with other stuff, which I don't know about.


00;18;09;10 - 00;18;38;21

Matan Eli Matalon | CISO at OP Innovate

When a CEO comes in and tells you, you know, we can do this, we can do that. Usually I would say, okay, look, you know your business and I'm here to serve your business. And if you think this is wrong for your business, then I'm going with you. But for the record, and I always say for the record, we always make sure we document those things in a well-designed report that it was being recommended by us, and the CEO chose not to go with that direction for whatever reason.


00;18;38;21 - 00;19;03;09

Matan Eli Matalon | CISO at OP Innovate

You know, when you come in as a security person from the outside, you are the expert on that and you're entitled to say your opinion and your recommendation, and they're entitled to say no. But it always needs to be on record that you gave that information, because sometimes, in rare cases, they’re going to try to twist it against you sometimes because they're in a very stressful position.


00;19;03;15 - 00;19;09;02

Matan Eli Matalon | CISO at OP Innovate

And if things go wrong, even after the incident, everyone wants to point a finger.


00;19;09;05 - 00;19;17;26

Jeremy Ladner | The CISO Signal

CNA was somewhat unique in the fact that it's one of the largest insurance companies in the US, and what they insure


00;19;18;01 - 00;19;47;17

Jeremy Ladner | The CISO Signal

are other companies, against cyber attacks. So if the attacker gets inside, has access to all kinds of data, let's say a list of other companies that are paying for cyber insurance, that's their target list for who they're going to hit up next. Does that change how you would advise them, whether it's pay, don't pay, or is that even something that you would advise on, or are you just there to basically get their systems back online, retrieve their data, etc.?


00;19;47;19 - 00;20;12;15

Matan Eli Matalon | CISO at OP Innovate

You know, it's about crisis management. And first of all, when you reach a company like CNA, which sells cyber insurance, you know, it's about reputation. And if you, you know, ruin that reputation by getting hit yourself in such a way and getting that ransom asked, then it's a problem first for your brand and second for the clients that are paying you.


00;20;12;17 - 00;20;40;21

Matan Eli Matalon | CISO at OP Innovate

And like I said before, you know, supply chain attacks are big these days because attackers not only target the end of businesses, they target their suppliers so they can reach more. So that definitely changes the picture in regards to paying a ransom generally, you know, my position is usually not to advise if to pay or not to pay, because usually those companies have their own, you know, legal or financial advisors to guide them in that direction.


00;20;40;21 - 00;21;05;23

Matan Eli Matalon | CISO at OP Innovate

But if they would ask me for my opinion, it all adds up to the impact, you know, what would be the financial and business impact of not paying, of, let's say, the data in that environment actually not being restored if you don't have the right backups. If that business and financial impact exceeds that ransom payment, then I would probably suggest them to pay it.


00;21;05;25 - 00;21;27;06

Matan Eli Matalon | CISO at OP Innovate

Although morally this is probably wrong. But you know, morals don't take you to the bank. And if you're looking at a business and the business goal is to maximize, you know, their financial capabilities, then probably paying is the right way to go. But again, it varies and it depends on a lot of variables.


00;21;27;08 - 00;21;59;26

Jeremy Ladner | The CISO Signal

Act 3: The Cost of Control.

There are breaches you respond to, and then there are breaches you negotiate with. This was the second kind. The attackers had said little. No manifesto, no countdown, just a lock on the systems and a number: 999 Bitcoin, roughly $55 million at the time, cold, calculated and delivered in code. But CNA didn't pay.


00;22;00;05 - 00;22;43;25

Jeremy Ladner | The CISO Signal

Not immediately. They engaged negotiators, third party and unbranded, and began the slow, tense ritual: back channel messages, delayed replies, subtle signals, stalling, probing, testing the adversary's patience. But it didn't work. The demand increased. 1099 Bitcoin, now nearly $60 million. The price of recovery was going up by the day. For two weeks, the back and forth continued, not in war rooms but in encrypted chats, not with raised voices, but with slow-typing ellipses.


00;22;43;27 - 00;23;12;26

Jeremy Ladner | The CISO Signal

The attackers weren't amateurs. They didn't posture. They didn't panic. They knew who they had and what CNA stood to lose. Because this wasn't just a company brought to a halt, it was an insurer of cyber risk. It held the names, exposures and histories of companies who were already worried about ransomware: policyholders, executives, industries marked vulnerable and now exposed.


00;23;12;29 - 00;23;46;21

Jeremy Ladner | The CISO Signal

If that data was sold, it wouldn't just hurt CNA, it would prime the next victims. A roadmap from the insurer would pre-qualify the likely to pay. That was the real leverage. Inside CNA, the debate wasn't philosophical. It was operational. Every hour meant delayed claims, eroding trust, rising reputational cost. Systems remained encrypted. The business was functional, but barely. Publicly, CNA said little.


00;23;46;25 - 00;24;17;29

Jeremy Ladner | The CISO Signal

Privately, they ran every scenario: legal, compliance, regulatory exposure. Could they pay? Should they? They consulted the US Department of the Treasury, specifically the Office of Foreign Assets Control, OFAC. The attackers were believed to be part of the Phoenix group, using a ransomware variant linked to Evil Corp. But unlike Evil Corp, Phoenix was not sanctioned. That cleared a legal path, but not a moral one.


00;24;18;02 - 00;24;51;01

Jeremy Ladner | The CISO Signal

Still, with the backing of law enforcement and after vetting the threat actor through multiple channels, CNA authorized the transfer of 1000 Bitcoin, roughly $40 million, a negotiated reduction, but still one of the largest known ransomware payments in history. The payment was made anonymously, as always. No receipts, no paper trail, just a cold transaction on a blockchain ledger. Value moved, and with it,


00;24;51;03 - 00;25;20;25

Jeremy Ladner | The CISO Signal

the promise of a decryption key. The key arrived, files began to unlock, servers blinked back to life. Inside CNA, systems stirred. But they did not celebrate, because the recovery was not instant and it was not clean. Some files were corrupted, some had been copied, and no one yet knew what had been left behind. The business resumed, but not where it had left off.


00;25;20;27 - 00;25;52;14

Jeremy Ladner | The CISO Signal

Something had changed. The breach wasn't just a technical failure, it was a reputational rupture. Word leaked of the payment. Reporters circled, forums buzzed. CNA wouldn't confirm the number. They didn't need to. Everyone already knew. And in cyber security circles, the questions began to echo. Had they done the right thing? Or had they set a price for recovery that others would be forced to match? For the attackers,


00;25;52;14 - 00;26;18;04

Jeremy Ladner | The CISO Signal

the payout was validation. For the industry, it was a line drawn in dark water. And for CNA, it was the beginning of the next phase. The breach was no longer about what had been lost, it was about what was still out there and who might be coming next.


00;26;18;07 - 00;27;00;17

Jeremy Ladner | The CISO Signal

Yeah, it's a really interesting question, because you're right, paying ransom is certainly not the moral thing to do. And it invites more attacks. But at the same time, if you have this corporate responsibility where you, let's say, have a thousand customers who've paid you for cyber attack insurance, and the attacker is threatening to make that list public so that other attackers start lining up to attack your customers, because now they know they're insured and they're more likely to pay up, even if it hurts you morally to pay up the 40 million in this case, then you do it, because in some ways it's the right thing to do, because you're protecting, you think you're protecting, you believe you're protecting your customers.


00;27;03;06 - 00;27;08;25

Matan Eli Matalon | CISO at OP Innovate

If not, you have responsibility. You have a responsibility not only to yourself, but to other companies as well.


00;27;08;27 - 00;27;21;20

Jeremy Ladner | The CISO Signal

So I know we touched on this briefly, but is there anything you want to add in regards to the concept and wisdom of paying ransom demands, like the $40 million that CNA was forced to fork over?


00;27;21;22 - 00;27;44;24

Matan Eli Matalon | CISO at OP Innovate

Yeah. So, you know, like I said, it's very easy to say never pay from a distance. But, you know, when your systems are down and backups are gone and millions are bleeding out of the business daily, I mean, it's survival. Basically, no one wants to fund crime. But sometimes you're buying your time to live, and your business has to do it if it wants to survive.


00;27;44;24 - 00;27;57;16

Matan Eli Matalon | CISO at OP Innovate

It's not about your reputation anymore. It's not about your clients even anymore. It's about survival. So, it varies and it depends on a lot of variables. But, you know, sometimes you've got to do it. You have no choice.


00;27;57;18 - 00;28;03;22

Jeremy Ladner | The CISO Signal

Do you think most of your clients could survive ten days completely offline, like CNA?


00;28;03;24 - 00;28;27;08

Matan Eli Matalon | CISO at OP Innovate

That's a very good question because it differs between one client and another. I had an incident a few months back that an attacker leaked a lot of the data out of that organization, and we had to shut down the environment for like two days. And after a few hours, clients already threatened to leave. And it was not even about the cyber attack anymore.


00;28;27;08 - 00;28;52;09

Matan Eli Matalon | CISO at OP Innovate

It's about restoring that trust and reputation. On the contrary, I had another incident where the client told me, look, the incident only happened in the development environment, and the attackers seem to not be able to get out of it. And it only contained this environment. And I don't mind shutting down the dev environment for as long as it needs to find a root cause for this incident, so I can shut it down, and it has no business impact on me.


00;28;52;12 - 00;29;02;21

Matan Eli Matalon | CISO at OP Innovate

So it really varies. But, you know, as I saw in a lot of businesses, you know, ten hours would even break them. So, you know, ten days would be very, very crucial.


00;29;02;21 - 00;29;21;23

Jeremy Ladner | The CISO Signal

Yeah. That makes perfect sense. Different companies are going to react differently. If all your business is online, it's going to make a big difference, versus whether you just have a website up and a couple of things, and it's okay, it's an inconvenience. Okay, great. So what tools or tactics are underrated in defending against attack?


00;29;23;03 - 00;29;45;27

Matan Eli Matalon | CISO at OP Innovate

Visibility. I think for me visibility is everything, because you cannot protect what you can't see. You cannot respond to what you can't see. If I can't see it, I end up being unable to set the alerts on, you know, suspicious activity or malicious activity, then I cannot defend against it. And the second thing, which I really think is important, is about the segmentation.


00;29;46;00 - 00;30;11;21

Matan Eli Matalon | CISO at OP Innovate

If you have the right segmentation between environments and are able to say that your crown jewels are being protected by that segmentation, then I can rest assured that if you do get hit in one of your external-facing environments, the attacker won't be able to move laterally into those more important, production-like environments. So segmentation is very important.


00;30;11;24 - 00;30;37;00

Matan Eli Matalon | CISO at OP Innovate

But again, cybersecurity is all about defense in layers. You're building those layers to slow down the attackers. There's never that 100% protection. You always try to make it harder for the attackers. So you don't only need that segmentation and visibility. It has to be combined with, you know, that EDR, those identity controls, that DNS-layer protection. The basics still win those battles.


00;30;37;00 - 00;30;44;20

Matan Eli Matalon | CISO at OP Innovate

It's not about the zero-days anymore. They usually only focus on those simple, simple weaknesses.


00;30;44;23 - 00;31;18;16

Jeremy Ladner | The CISO Signal

Act 4: Surface Tension.

The lights came back on slowly, system by system, file by file and function by function. After weeks of darkness, CNA's infrastructure began to hum again. Work resumed, claims were processed and phones rang, but something fundamental had shifted. Internally, there was relief. Externally, there were questions. The breach, once invisible to the outside world, was now impossible to ignore.


00;31;18;18 - 00;31;55;03

Jeremy Ladner | The CISO Signal

Headlines began to surface, not just about the attack, but about the price. $40 million. 1000 Bitcoin, paid in full. Reported but not confirmed. Echoed but not denied. The amount set a new watermark, one that towered above the others. Colonial Pipeline, weeks later, would pay $4.4 million. JBS Foods: $11 million. CNA's payment was several times that, and the target wasn't infrastructure or food, it was trust.


00;31;55;05 - 00;32;25;22

Jeremy Ladner | The CISO Signal

The industry took notice, and so did regulators. There were no sanctions violations. CNA had verified that they worked in tandem with federal law enforcement, followed OFAC guidance, and made sure the attackers were not on the Treasury's blacklist. Legally, the path was clear, but ethically the terrain was unstable. Security professionals debated it openly. Had CNA prevented wider damage or funded a playbook for future attackers?


00;32;25;24 - 00;33;03;00

Jeremy Ladner | The CISO Signal

Was this containment or encouragement? Inside the company, CNA began the hard work of rebuilding not just systems, but credibility. A full forensic investigation was launched, and it confirmed that the attackers had gained access to sensitive personal information. 75,349 individuals were affected, mostly employees, past and present, and their dependents. The company offered credit monitoring, issued notifications and published statements, but they chose their words carefully.


00;33;03;03 - 00;33;39;25

Jeremy Ladner | The CISO Signal

The message was always framed around restoration, control and compliance, and not fear. What CNA didn't say publicly, couldn't say, was what else might have been taken. The value wasn't in the files themselves, it was in the patterns. Insurers know more than they say about risk, exposure, liability. That's what makes them valuable and what makes them vulnerable. In the months that followed, CNA initiated sweeping changes in security: modernization, cloud migration, new controls and new vendors.


00;33;39;28 - 00;34;11;23

Jeremy Ladner | The CISO Signal

Externally, they began advocating for ransomware awareness, speaking on resilience, positioning themselves as a cautionary tale but not a cautionary brand. It was a careful return to visibility: controlled, measured and very corporate. But beneath the surface, other conversations had started. Insurance firms reconsidered their underwriting models, premiums rose, policies narrowed in. Some insurers quietly began refusing to cover ransomware payments altogether.


00;34;11;29 - 00;34;37;09

Jeremy Ladner | The CISO Signal

The market was changing, and CNA's breach was part of the reason why. Because this wasn't just another attack. It was a glimpse into a high value, low resilience target class. The insurers of risk themselves. No one in the industry missed the irony, and no one was ready to say it couldn't happen again. Because the truth is, CNA did many things right.


00;34;37;12 - 00;35;03;08

Jeremy Ladner | The CISO Signal

They followed guidance. They contained the spread. They worked with law enforcement, they communicated with regulators and they took care of their people. But even doing everything right wasn't enough to stop the breach, or to avoid the payment, or to fully explain what had been lost, because not all damage is visible. Not all compromises leave logs and not all truths survive.


00;35;03;08 - 00;35;25;18

Jeremy Ladner | The CISO Signal

CNA returned to business, but the industry had changed around them to be more cautious, more expensive and in some cases, more afraid. The ransomware economy had evolved, and this breach helped prove just how valuable the right kind of victim could be.


00;35;25;20 - 00;35;37;11

Jeremy Ladner | The CISO Signal

When something does blow up and maybe you've already been there for a while, or maybe you're called in because it's blown up, what would you say would be the first conversation you have with the CEO?


00;35;37;17 - 00;35;55;29

Matan Eli Matalon | CISO at OP Innovate

That's a very good question. And as I mentioned before, it's all about building that trust. The CEO needs to trust me. A lot of times you come from the outside. The CEO doesn't know you. Maybe he knows the company you work for, but he doesn't know you personally. And you come in and you see him, usually at his most vulnerable state, as broken.


00;35;55;29 - 00;36;14;04

Matan Eli Matalon | CISO at OP Innovate

They try to keep this business alive and it's all about keeping them calm and trusting you that you are here for them. It's saying, you know, we were going to lead you through this. We are not reacting. We're going to find out what happened, or at least try to. But it has to be together. No blame, just clarity.


00;36;14;11 - 00;36;18;07

Matan Eli Matalon | CISO at OP Innovate

Because, you know, if he panics, then everything falls.


00;36;18;09 - 00;36;34;26

Jeremy Ladner | The CISO Signal

Interesting. You said "try to." Would you say, from a sort of a forensic analyst point of view, what percentage of the time are you just not able to solve the mystery of how they breached, how they got in, when they got in? Is that most of the time, or is that a tiny percentage of the time that most CISOs just can't figure it out? You just can't. You can't find that hole that they crawled in through?


00;36;38;15 - 00;37;09;16

Matan Eli Matalon | CISO at OP Innovate

I would say it's much more than you would think. I mean, if everything was, you know, being documented and being configured to have the right visibility and the sufficient visibility, then every incident would have been solved very quickly. But usually it's not the case. Nothing is perfect. And sometimes you just crawl your way in and you investigate for days and weeks and, you know, eventually the company says, look, it's not that important to us at this point.


00;37;09;20 - 00;37;31;28

Matan Eli Matalon | CISO at OP Innovate

We restored the services. We kept the business going. The impact was minimum. We contained the incident. We don't really care to know exactly how we got in. But, you know, sometimes companies tell us, look, take as much time as you need to find that, find that root cause. And unfortunately, sometimes you just can't because you don't have sufficient information.


00;37;31;28 - 00;37;52;22

Matan Eli Matalon | CISO at OP Innovate

And, you know, that's why I say make sure everything is visible. Make sure you log everything. Everything you can log, log. Because if something blows up and you need to find out why it happened, if you don't have the sufficient logs, you are just blind and you wouldn't be able to find it, ever.


00;37;52;24 - 00;38;01;15

Jeremy Ladner | The CISO Signal

If CNA had been your client pre-incident, what would you have pushed them to fix or prepare for?


00;38;01;17 - 00;38;25;08

Matan Eli Matalon | CISO at OP Innovate

I think one of the first items that are on the front lines are identity and access. I mean, you don't need ransomware if you have a domain admin. You need to have MFA everywhere, because MFA is your one wildcard. An attacker could get your password, they can get a username, but it's much, much harder getting your MFA. And basically you have to have that anomaly detection.


00;38;25;15 - 00;38;46;06

Matan Eli Matalon | CISO at OP Innovate

You have to have the capable people so that, even if they did get a hold of MFA, you have the person that is able to tell you that something's weird. And afterward, as we saw in the CNA incident, they probably weren't segmented right enough, because they got exposed and everything got encrypted eventually. And you have to be able to segment so your attacker wouldn't be able to move laterally.


00;38;46;08 - 00;38;52;01

Jeremy Ladner | The CISO Signal

Is there a multi-factor authentication tool that you live by that you would say you're not going to pry that from my cold, dead hands? I trust this tool. It's awesome. It's the best. It's never failed me. Or are they pretty much all the same?


00;38;58;05 - 00;39;19;01

Matan Eli Matalon | CISO at OP Innovate

Pretty much. I'd say all the same. There's not a specific favorite. The big ones like Microsoft and Google and Okta, they usually do the job. But, you know, you usually need to be able to say, even if you don't use those authenticators and you're able to only send emails or SMS messages, everything is something. You need to start somewhere and you need to be able to add that layer.


00;39;19;01 - 00;39;24;05

Matan Eli Matalon | CISO at OP Innovate

As I said, it's all about the layers. It's all about making the attacker work hard for them.


00;39;24;08 - 00;39;44;29

Jeremy Ladner | The CISO Signal

I guess it's similar to that sort of old story where you don't have to be fast enough to outrun the bear, you just have to be faster than the guy next to you so that the bear eats him. So if you're making it so hard that the attackers are like, you know, it's not worth it, they'll just go somewhere where it's easier to breach.


00;39;45;02 - 00;40;07;29

Matan Eli Matalon | CISO at OP Innovate

Yeah, that's something that we tell clients a lot that you don't need to be 100% protected. You just have to make it hard enough for the attacker saying, yeah, it's not worth my time. And that's something that we do see sometimes when clients say we saw that something was trying to attack us, but it didn't really go further because we had the right protection mechanisms.


00;40;08;01 - 00;40;16;20

Matan Eli Matalon | CISO at OP Innovate

So if you do it in a way where you make it hard enough for the attacker, then it should be good enough. Nothing is 100%.


00;40;16;22 - 00;40;49;03

Jeremy Ladner | The CISO Signal

Act five: The Insured. Cyber insurance used to be the safety net, the final layer, the thing you hoped you'd never need but were glad to have. It was built on logic models, probability curves, loss projections, premiums priced like seatbelts in a luxury car. But CNA's breach cracked that illusion, because when the company writing the policies becomes the victim of the policy, you're forced to ask: where does the risk really live?


00;40;49;05 - 00;41;28;13

Jeremy Ladner | The CISO Signal

For years, ransomware attacks followed a script: attack, lock, demand and then vanish. But this one changed the conversation, not because of how it started, but because of what it cost. CNA didn't just pay a ransom, they reset expectations. $40 million, confirmed or not, the number took on a weight of its own. It was repeated in boardrooms and underwriting meetings and whispered conversations between CISOs and CFOs, and it signaled something dangerous to both sides of the equation. To attackers, it said:


00;41;28;20 - 00;41;58;19

Jeremy Ladner | The CISO Signal

Insurance companies are lucrative, they're central, and when breached, they have a motive to pay fast. To insurers, it said: We may have underestimated our own exposure. It wasn't just a CNA problem, it was a blueprint for how quickly the tables could turn. In the months that followed, insurers across the globe revised their stances. Some added ransomware sublimits, others introduced clauses excluding ransom coverage altogether.


00;41;58;25 - 00;42;29;05

Jeremy Ladner | The CISO Signal

Premiums climbed, not because the risk had changed, but because now they'd seen it up close. Cyber insurance was never meant to eliminate loss. It was meant to transfer it, to redistribute it. But a breach revealed something difficult to admit. You can't insure against a system you're part of. If the companies pricing the risk are also feeding the targets, then the model isn't just flawed, it's compromised.


00;42;29;11 - 00;43;09;03

Jeremy Ladner | The CISO Signal

Quietly, defenders began asking harder questions: Are we enabling ransomware by covering it? Are payouts fueling the criminal economy? Should we outlaw ransom payments altogether? There were no simple answers. OFAC had already made its position clear: paying sanctioned entities was illegal. But Phoenix, in CNA's case, was not sanctioned. So the payment was legal. Ethically fraught, yes, but compliant. So what does it mean when a payment can be legal, effective and still feel like defeat?


00;43;09;05 - 00;43;44;01

Jeremy Ladner | The CISO Signal

This is the paradox of modern cyber defense. You can build well, you can detect early, you can comply with every regulation and still find yourself with no good options. CNA did what many would have done, what many will do. They contained the damage, protected their clients, restored operations and followed the law. But the moment they pressed send on that Bitcoin transaction, they stopped being just a victim and they became a signal to attackers.


00;43;44;01 - 00;44;12;14

Jeremy Ladner | The CISO Signal

It was a green light. To peers, it was a warning, and to regulators, a case study. Maybe that's the cost no one calculates in the insurance tables. Not just the ransom, not just the downtime, but the moment a breach becomes a precedent. CNA moved on, filed their disclosures, closed the case. But for the rest of the industry, the breach never fully ended.


00;44;12;16 - 00;44;27;19

Jeremy Ladner | The CISO Signal

It left behind a question still echoing in the background. If the one who insures against the worst case scenario can't stop it, who can?


00;44;27;21 - 00;44;37;04

Jeremy Ladner | The CISO Signal

How do incidents like CNA's change the way CISOs today build trust with their boards or with their clients?


00;44;37;06 - 00;44;56;25

Matan Eli Matalon | CISO at OP Innovate

It's a good question. The trust with the boards: they don't care about the excuses. They don't care about the blame. They want to see receipts. They want to see readiness. They want to see how you learned from that mistake. They want to see what you're going to do next and how you want to make sure this doesn't happen again.


00;44;56;28 - 00;45;21;04

Matan Eli Matalon | CISO at OP Innovate

So when building that trust again with the boards, you have to be able to show them that you are doing everything in your power to make sure this doesn't happen, whether it's playbooks, whether it's policies, whether it's, you know, buying more security vendors and paying even more, you know, for cyber insurance. You have to show them what you're doing in order to be prepared.


00;45;21;06 - 00;45;22;28

Jeremy Ladner | The CISO Signal

What should every CISO be doing, right now, to avoid being the next CNA?


00;45;27;10 - 00;45;47;16

Matan Eli Matalon | CISO at OP Innovate

Two things. Like I said, with the board, you have to be able to run the playbook. It's not about tabletop. Tabletop is nice to do once in a while, but you have to run the full simulation. You have to test everything: run the drills, test backups, kill your own services, and see who panics. Make sure that someone besides the system knows how to initiate the IR.


00;45;47;16 - 00;46;13;02

Matan Eli Matalon | CISO at OP Innovate

You need to be able to have someone try to hack you from the outside, whether it's red teaming exercises or penetration tests. You need to do that as well, because you know where your weaknesses are, but potential attackers can know about weaknesses that you don't know about. And if you bring someone from the outside which is unbiased, in a white hat, gray hat type of service, then it can potentially get you a much clearer picture.


00;46;13;02 - 00;46;28;16

Matan Eli Matalon | CISO at OP Innovate

And we actually do that at OP Innovate as well. We come to clients, we expose those, you know, unbiased vulnerabilities from the outside and tell them, you know, we found a lot of stuff that you didn't know about. And that way they come in and it usually changes the whole picture in their organization.


00;46;28;19 - 00;46;42;06

Jeremy Ladner | The CISO Signal

Interesting. Okay. You see a lot of different types of teams across different verticals in different sectors. What's one mistake you still see too often coming up again and again?


00;46;42;09 - 00;47;03;16

Matan Eli Matalon | CISO at OP Innovate

One mistake. As I previously said, it's the visibility. People just don't turn on that configuration when you're asked to log the information, whether it's the routers, the firewall, the VPN, even if it's local logs like on the server itself or the endpoints, because afterwards we come in and you investigate the incident, and you just don't see anything.


00;47;03;19 - 00;47;20;15

Matan Eli Matalon | CISO at OP Innovate

Another thing is the shared credentials. A lot of the people still share the credentials. They send it in Slack, they send it in Teams, they put it in the Google Docs on the cloud, and even more, they don't have the MFA. So sometimes the attacker gets it so easy, and he just grabs that password and just does what he wants.


00;47;20;15 - 00;47;40;25

Matan Eli Matalon | CISO at OP Innovate

And you're not even able to see that anomaly, because it's legitimate activity. You know, people a lot of the time obsess over the zero-days because it's cool. It's sexy. But it's what I see from the past few years: it's always the door. Someone forgot to lock it. That simple, you know, mechanism that is so obvious that people sometimes forget to turn it on.


00;47;40;27 - 00;48;11;01

Jeremy Ladner | The CISO Signal

But thank you for those words of wisdom. It was great having you on the show. Looking forward to having you back again. And now onto our closing. Every breach leaves a mark, not always in the systems, sometimes in the story, and sometimes in the mirror. CNA wasn't the first company to get hit. They weren't the first to pay, but they were one of the first to show what it looks like when the people who price the risk become the risk.


00;48;11;04 - 00;48;38;28

Jeremy Ladner | The CISO Signal

For years, insurers spoke with certainty. They modeled loss events, calculated premiums and forecasted frequency. But cybersecurity isn't weather. It doesn't move in seasons. It shifts, it adapts, and it learns, and this breach made that clear. The attackers didn't need to break the rules. They just needed to study the ones that everyone else was already playing by. CNA paid the ransom.


00;48;38;28 - 00;49;11;00

Jeremy Ladner | The CISO Signal

They followed the law and they recovered. But the breach was never just about one company. It was a signpost for the industry. A moment where the guardians of risk discovered just how vulnerable they really were. And now everyone's policy feels a little more fragile. This is the world we live in now, where safety is a negotiation, where trust is provisional, and where the people who promise protection sometimes need it most.


00;49;11;02 - 00;49;26;15

Jeremy Ladner | The CISO Signal

Today, security experts must always be prepared, always vigilant and always listening… For The CISO Signal.


00;49;26;17 - 00;49;53;08

Jeremy Ladner | The CISO Signal

All episodes are based on publicly available reports, post-mortems and expert analysis. While we've done our best to ensure accuracy, some cybersecurity incidents evolve over time and not all details have been confirmed. Our goal is to inform and entertain, not to assign blame. Where facts are unclear, we've used cautionary language, and we always welcome your corrections. Thanks for listening to The CISO Signal.

