Insurance firm CNA is working to restore its systems and is investigating if policyholders’ data has leaked after a “sophisticated” cyber attack.

The Chicago-based firm, which has a turnover of more than $1.1bn a year and offers cyber insurance products, has announced it was hit by an attack on 21 March.

The company immediately disconnected its systems, including corporate email, and took its website offline, but these have both now been restored. The company said its email is protected by multi-factor authentication and a security platform to help detect and block threats.

“Based on our forensic investigation to-date, our forensic experts have confirmed that the malware used by the Threat Actor in the CNA environment, including the ransomware, does not contain the ability to automatically spread to any internal or external systems,” a CNA spokesperson said. “Also, additional security software has been deployed in the CNA environment.”

“We are well into the restoration phase and making significant progress across our internal systems to safely return our environment to a fully operational state,” the company said.

The Investigation into the incident is however “ongoing”.

“The security of our data and that of our insureds and other stakeholders is of the utmost importance to us” a spokesperson said. “Should we determine that this incident impacted our insurers’ or policyholders’ data, we’ll notify those parties directly.”

The incident has prompted warnings that criminals may be trying to access cyber insurance policy details to give them leverage in ransom “negotiations.”

Aaron Portnoy, Principal Scientist at Randori, speaking to SC Magazine, said “Possessing the cyber insurance policy details at the outset allows ransomware groups to maximize their success by setting a price that falls within the bounds of the coverage.”

Register for free to receive the latest cyber security, data protection and privacy news and analysis straight to your inbox