Ransomware Security Planning and Risk Management for CNA Financial Corporation
Kwasi Appiah
Hank Williams
University of Maryland Global Campus
CMAP 605 7615 Foundations of Cybersecurity Management
3/3/2025
, 2
Abstract
CNA Financial Corporation is a New York-based insurance company, and it is listed in the stock
exchange market that, too, suffered from a ransomware attack that affected its operations and
made it realize the loopholes in its security system. This paper aims to discuss the given case of a
ransomware attack based on the general increase in ransomware attacks and the background of
the company’s mission, size, and global presence. It assesses the current state of security,
examines the issues that can potentially arise, and makes strategies to ensure that the company
has a secure structure as required in the industry. The plan has three key security objectives: the
confidentiality of customer information, data integrity of financial and operational systems, and
availability of the systems. It also describes proposed technical and procedural safeguards, roles
and responsibilities, timeline for implementation, plan for maintaining the system, and legal and
ethical aspects. This approach ensures that CNA has a mechanism to prevent or at least lessen
the impacts of future cyberattacks.
Kwasi Appiah
Hank Williams
University of Maryland Global Campus
CMAP 605 7615 Foundations of Cybersecurity Management
3/3/2025
, 2
Abstract
CNA Financial Corporation is a New York-based insurance company, and it is listed in the stock
exchange market that, too, suffered from a ransomware attack that affected its operations and
made it realize the loopholes in its security system. This paper aims to discuss the given case of a
ransomware attack based on the general increase in ransomware attacks and the background of
the company’s mission, size, and global presence. It assesses the current state of security,
examines the issues that can potentially arise, and makes strategies to ensure that the company
has a secure structure as required in the industry. The plan has three key security objectives: the
confidentiality of customer information, data integrity of financial and operational systems, and
availability of the systems. It also describes proposed technical and procedural safeguards, roles
and responsibilities, timeline for implementation, plan for maintaining the system, and legal and
ethical aspects. This approach ensures that CNA has a mechanism to prevent or at least lessen
the impacts of future cyberattacks.