Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
CNA’s information security and data privacy programs are designed to protect the confidentiality of nonpublic, sensitive personal and business information and the integrity and security of our information systems. These programs include processes that provide guidance for information security decision-making and risk management, and include standards to promote understanding and compliance with applicable laws and regulations. Administrative and technical safeguards that seek to mitigate cybersecurity threats and secure the Company’s information assets are also addressed on a risk-based basis. We have designed our enterprise-wide information security programs consistent with industry standards using the National Institute of Standards and Technology Cybersecurity Framework. These programs include processes implemented within our third-party risk management unit designed to identify, mitigate and monitor cybersecurity risk relating to vendors, suppliers and external partners who have access to our confidential information or our information systems. CNA engages both internal auditors and third-party information security experts in connection with reviewing such foregoing processes.
CNA monitors information security metrics globally. To elevate this information within the organization, our Chief Risk & Reinsurance Officer (CRRO) and Chief Compliance Officer (CCO) present cybersecurity reports and metrics to the Audit Committee of our Board of Directors every quarter. Reports address security events, third-party risk and vulnerabilities, including material risks from cybersecurity threats, and any significant unauthorized occurrences. These discussions are part of our overall enterprise risk management and also take place on at least an annual basis with the full Board of Directors, which is responsible for overseeing material risks, including cybersecurity risk, on an enterprise-wide basis.
At the senior management level, our Global Chief Security Officer (CSO) oversees CNA’s information security and data privacy programs and is responsible for establishing and implementing the security strategy alongside the Chief Information Officer (CIO), to whom the CSO reports directly. The CIO serves on the Enterprise Risk Committee, which is chaired by the CRRO.
The CSO leads the Information Security group within Information Technology, which manages the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. This group includes a cybersecurity operations team that is responsible for information technology security monitoring and incident response activities, the latter covering the response coordination to cyber-attacks under the leadership and pursuant to the direction of the CSO. The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. The CSO and CIO together lead efforts to design, implement and operate controls deemed necessary, commensurate with the materiality and criticality of identified risks and the sensitivity of the information assets and systems used throughout the organization. Our current CSO has a bachelor’s degree in Computer Information Systems and a master’s degree in Cybersecurity, and has over 20 years of experience building and executing information and cybersecurity strategies. Prior to joining CNA, our CIO served in a variety of roles at another major U.S. insurance company, both in business and technology, and has over 20 years of experience working with major U.S. Property & Casualty insurers.
Threats of security incidents and the impact of actual security incidents are initially assessed and managed by the CSO and CIO as described above. CNA has further implemented response plans that provide the basis for appropriate response to an unauthorized occurrence from a technical perspective, as well as from disclosure and regulatory perspectives.
These response plans also set forth the processes for internal reporting of a substantive unauthorized occurrence. The CSO reports such matters to the CIO and CCO, who is responsible for convening a team of cross-enterprise leaders to ensure comprehensive responsiveness to an occurrence. This group also analyzes unauthorized occurrences affecting CNA's or third parties’ IT systems or sensitive information, and directs the activities of CNA in responding to such incidents.
In addition, the group, under the leadership of the CCO, undertakes the appropriate internal notifications of any such occurrence, and responsive activities, to the General Counsel, Chief Executive Officer, Chief Financial Officer and Board of Directors, with executive management involvement in the same to the extent appropriate in the context of the nature of such occurrence.
To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company. Please refer to “Any significant interruption in the operation of our business functions, facilities or systems or our vendors' facilities or systems could result in a materially adverse effect on our operations” and “Any significant breach in our data security infrastructure or our vendors’ facilities or systems could disrupt business, cause financial losses and damage our reputation, and insurance coverage may not be available for claims related to a breach” under Item 1A Risk Factors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|CNA’s information security and data privacy programs are designed to protect the confidentiality of nonpublic, sensitive personal and business information and the integrity and security of our information systems. These programs include processes that provide guidance for information security decision-making and risk management, and include standards to promote understanding and compliance with applicable laws and regulations.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|To elevate this information within the organization, our Chief Risk & Reinsurance Officer (CRRO) and Chief Compliance Officer (CCO) present cybersecurity reports and metrics to the Audit Committee of our Board of Directors every quarter. Reports address security events, third-party risk and vulnerabilities, including material risks from cybersecurity threats, and any significant unauthorized occurrences. These discussions are part of our overall enterprise risk management and also take place on at least an annual basis with the full Board of Directors, which is responsible for overseeing material risks, including cybersecurity risk, on an enterprise-wide basis.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
CNA monitors information security metrics globally. To elevate this information within the organization, our Chief Risk & Reinsurance Officer (CRRO) and Chief Compliance Officer (CCO) present cybersecurity reports and metrics to the Audit Committee of our Board of Directors every quarter. Reports address security events, third-party risk and vulnerabilities, including material risks from cybersecurity threats, and any significant unauthorized occurrences. These discussions are part of our overall enterprise risk management and also take place on at least an annual basis with the full Board of Directors, which is responsible for overseeing material risks, including cybersecurity risk, on an enterprise-wide basis.
At the senior management level, our Global Chief Security Officer (CSO) oversees CNA’s information security and data privacy programs and is responsible for establishing and implementing the security strategy alongside the Chief Information Officer (CIO), to whom the CSO reports directly. The CIO serves on the Enterprise Risk Committee, which is chaired by the CRRO.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|To elevate this information within the organization, our Chief Risk & Reinsurance Officer (CRRO) and Chief Compliance Officer (CCO) present cybersecurity reports and metrics to the Audit Committee of our Board of Directors every quarter. Reports address security events, third-party risk and vulnerabilities, including material risks from cybersecurity threats, and any significant unauthorized occurrences. These discussions are part of our overall enterprise risk management and also take place on at least an annual basis with the full Board of Directors, which is responsible for overseeing material risks, including cybersecurity risk, on an enterprise-wide basis.
|Cybersecurity Risk Role of Management [Text Block]
|
CNA monitors information security metrics globally. To elevate this information within the organization, our Chief Risk & Reinsurance Officer (CRRO) and Chief Compliance Officer (CCO) present cybersecurity reports and metrics to the Audit Committee of our Board of Directors every quarter. Reports address security events, third-party risk and vulnerabilities, including material risks from cybersecurity threats, and any significant unauthorized occurrences. These discussions are part of our overall enterprise risk management and also take place on at least an annual basis with the full Board of Directors, which is responsible for overseeing material risks, including cybersecurity risk, on an enterprise-wide basis.
At the senior management level, our Global Chief Security Officer (CSO) oversees CNA’s information security and data privacy programs and is responsible for establishing and implementing the security strategy alongside the Chief Information Officer (CIO), to whom the CSO reports directly. The CIO serves on the Enterprise Risk Committee, which is chaired by the CRRO.
The CSO leads the Information Security group within Information Technology, which manages the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. This group includes a cybersecurity operations team that is responsible for information technology security monitoring and incident response activities, the latter covering the response coordination to cyber-attacks under the leadership and pursuant to the direction of the CSO. The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. The CSO and CIO together lead efforts to design, implement and operate controls deemed necessary, commensurate with the materiality and criticality of identified risks and the sensitivity of the information assets and systems used throughout the organization. Our current CSO has a bachelor’s degree in Computer Information Systems and a master’s degree in Cybersecurity, and has over 20 years of experience building and executing information and cybersecurity strategies. Prior to joining CNA, our CIO served in a variety of roles at another major U.S. insurance company, both in business and technology, and has over 20 years of experience working with major U.S. Property & Casualty insurers.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
At the senior management level, our Global Chief Security Officer (CSO) oversees CNA’s information security and data privacy programs and is responsible for establishing and implementing the security strategy alongside the Chief Information Officer (CIO), to whom the CSO reports directly. The CIO serves on the Enterprise Risk Committee, which is chaired by the CRRO.
The CSO leads the Information Security group within Information Technology, which manages the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. This group includes a cybersecurity operations team that is responsible for information technology security monitoring and incident response activities, the latter covering the response coordination to cyber-attacks under the leadership and pursuant to the direction of the CSO. The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. The CSO and CIO together lead efforts to design, implement and operate controls deemed necessary, commensurate with the materiality and criticality of identified risks and the sensitivity of the information assets and systems used throughout the organization. Our current CSO has a bachelor’s degree in Computer Information Systems and a master’s degree in Cybersecurity, and has over 20 years of experience building and executing information and cybersecurity strategies. Prior to joining CNA, our CIO served in a variety of roles at another major U.S. insurance company, both in business and technology, and has over 20 years of experience working with major U.S. Property & Casualty insurers.
Threats of security incidents and the impact of actual security incidents are initially assessed and managed by the CSO and CIO as described above. CNA has further implemented response plans that provide the basis for appropriate response to an unauthorized occurrence from a technical perspective, as well as from disclosure and regulatory perspectives.
These response plans also set forth the processes for internal reporting of a substantive unauthorized occurrence. The CSO reports such matters to the CIO and CCO, who is responsible for convening a team of cross-enterprise leaders to ensure comprehensive responsiveness to an occurrence. This group also analyzes unauthorized occurrences affecting CNA's or third parties’ IT systems or sensitive information, and directs the activities of CNA in responding to such incidents.
In addition, the group, under the leadership of the CCO, undertakes the appropriate internal notifications of any such occurrence, and responsive activities, to the General Counsel, Chief Executive Officer, Chief Financial Officer and Board of Directors, with executive management involvement in the same to the extent appropriate in the context of the nature of such occurrence.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our current CSO has a bachelor’s degree in Computer Information Systems and a master’s degree in Cybersecurity, and has over 20 years of experience building and executing information and cybersecurity strategies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
CNA monitors information security metrics globally. To elevate this information within the organization, our Chief Risk & Reinsurance Officer (CRRO) and Chief Compliance Officer (CCO) present cybersecurity reports and metrics to the Audit Committee of our Board of Directors every quarter. Reports address security events, third-party risk and vulnerabilities, including material risks from cybersecurity threats, and any significant unauthorized occurrences. These discussions are part of our overall enterprise risk management and also take place on at least an annual basis with the full Board of Directors, which is responsible for overseeing material risks, including cybersecurity risk, on an enterprise-wide basis.
At the senior management level, our Global Chief Security Officer (CSO) oversees CNA’s information security and data privacy programs and is responsible for establishing and implementing the security strategy alongside the Chief Information Officer (CIO), to whom the CSO reports directly. The CIO serves on the Enterprise Risk Committee, which is chaired by the CRRO.
The CSO leads the Information Security group within Information Technology, which manages the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. This group includes a cybersecurity operations team that is responsible for information technology security monitoring and incident response activities, the latter covering the response coordination to cyber-attacks under the leadership and pursuant to the direction of the CSO. The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. The CSO and CIO together lead efforts to design, implement and operate controls deemed necessary, commensurate with the materiality and criticality of identified risks and the sensitivity of the information assets and systems used throughout the organization. Our current CSO has a bachelor’s degree in Computer Information Systems and a master’s degree in Cybersecurity, and has over 20 years of experience building and executing information and cybersecurity strategies. Prior to joining CNA, our CIO served in a variety of roles at another major U.S. insurance company, both in business and technology, and has over 20 years of experience working with major U.S. Property & Casualty insurers.
Threats of security incidents and the impact of actual security incidents are initially assessed and managed by the CSO and CIO as described above. CNA has further implemented response plans that provide the basis for appropriate response to an unauthorized occurrence from a technical perspective, as well as from disclosure and regulatory perspectives.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true