U.S. insurance giant CNA Financial Corporation coughed up US$40 million in late March 2021 to regain control of its network after a ransomware attack.

CNA Financial paid the hackers about two weeks after a trove of company data was stolen and CNA officials were locked out of their network. In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker’s identity with the FBI and the Treasury Department’s Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.

In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”

