Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - CNA
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
ITEM 1A. RISK FACTORS
CNA’s information security and data privacy programs are designed to protect the confidentiality of nonpublic, sensitive personal and business information and the integrity and security of our information systems. These programs include processes that provide guidance for information security decision-making and risk management, and include standards to promote understanding and compliance with applicable laws and regulations. Administrative and technical safeguards that seek to mitigate cybersecurity threats and secure the Company’s information assets are also addressed on a risk-based basis. We have designed our enterprise-wide information security programs consistent with industry standards using the National Institute of Standards and Technology Cybersecurity Framework. These programs include processes implemented within our third-party risk management unit designed to identify, mitigate and monitor cybersecurity risk relating to vendors, suppliers and external partners who have access to our confidential information or our information systems. CNA engages both internal auditors and third-party information security experts in connection with reviewing the foregoing processes.
To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company. Please refer to “Any significant interruption in the operation of our business functions, facilities or systems or our vendors' facilities or systems could result in a materially adverse effect on our operations“ and “Any significant breach in our data security infrastructure or our vendors’ facilities or systems could disrupt business, cause financial losses and damage our reputation, and insurance coverage may not be available for claims related to a breach” under Item 1A Risk Factors .
Our business faces many risks and uncertainties. These risks and uncertainties could lead to events or circumstances that have a material adverse effect on our results of operations, equity, business, financial condition and insurer financial strength and corporate debt ratings. We have described below material risks that we face. There may be additional risks that we do not yet know of or that we do not currently perceive to be material that may also affect our business. You should carefully consider and evaluate all of the information included in this report and any subsequent reports we may file with the SEC or make available to the public before investing in any securities we issue.
Insurance Risks
If we determine that our recorded insurance reserves are insufficient to cover our estimated ultimate unpaid liability for claim and claim adjustment expenses, we may need to increase our insurance reserves which would result in a charge to our earnings.
We maintain insurance reserves to cover our estimated ultimate unpaid liability for claim and claim adjustment expenses, including the estimated cost of the claims adjudication process, for reported and unreported claims. Insurance reserves are not an exact calculation of liability but instead are complex management estimates developed utilizing a variety of actuarial reserve estimation techniques as of a given reporting date. The reserve estimation process involves a high degree of judgment and variability and is subject to a number of factors which are highly uncertain. These factors can be affected by both changes in internal processes and external events. Key variables include frequency of claims, claim severity, mortality, morbidity, discount rates, economic, social and medical inflation, claim handling policies and procedures, case reserving approach, underwriting and pricing policies, changes in the legal and regulatory environment and the lag time between the occurrence of an insured event and the time of its ultimate settlement. Mortality is the relative incidence of death. Morbidity is the frequency and severity of injury, illness, sickness and diseases contracted.
There is generally a higher degree of variability in estimating required reserves for long-tail coverages, such as long-term care, workers' compensation, general liability and professional liability, as they require a relatively longer period of time for claims to be reported and settled. The impact of changes in economic and social inflation, and medical costs are also more pronounced for long-tail coverages due to the longer settlement period. Certain risks and uncertainties associated with our insurance reserves are outlined in the Critical Accounting Estimates and the Reserves - Estimates and Uncertainties sections of MD&A in Item 7.
We are subject to the uncertain effects of emerging and potential claims and coverage issues that arise as industry practices and legal, judicial, social, economic, geopolitical and other environmental conditions change. The impact of social inflation continues to be significant, and the trajectory of its future impact remains uncertain. Further, the impact of social inflation continues to be significant and the trajectory of its future impact remains uncertain. In addition, passage of reviver statutes that extend, or eliminate, the statute of limitations for the reporting of claims, including statutes passed in certain states with respect to sexual molestation and sexual abuse, increase the uncertainty of the frequency of claims, and the impact of social inflation has, and may continue to, increase the severity of these claims. Further, broader economic and geopolitical conditions, including the imposition of significant tariffs by the U.S., as well as any related retaliatory tariffs, may result in considerable increases in certain costs that would increase loss costs. These issues have had, and may continue to have, a negative effect on our business, results of operations and financial condition by either extending coverage beyond the original underwriting intent or by increasing the number or size of claims, resulting in further increases in our reserves. The effects of unforeseen emerging or potential claim and coverage issues are extremely difficult to predict and may be material.
In light of the many uncertainties associated with establishing the estimates and making the judgments necessary to establish reserve levels, we continually review and change our reserve estimates in a regular and ongoing process as experience develops from the actual reporting and settlement of claims and as the legal, regulatory and economic environment evolves. When our recorded reserves are insufficient for any reason, the required increase in reserves is recorded as a charge against our earnings in the period in which reserves are determined to be insufficient. These charges have been and in the future could be substantial.
6
Our actual experience could vary from the key assumptions used to determine future policy benefit reserves for long-term care policies.
Our future policy benefit reserves for long-term care policies are based on our best estimate actuarial assumptions, which are assessed quarterly and updated at least annually. Key actuarial assumptions include morbidity, persistency, premium rate actions and expenses. Key actuarial assumptions include morbidity, persistency, anticipated future premium rate increases and expenses. The adequacy of the reserves is contingent upon actual experience and our future expectations related to these key assumptions. If actual or expected future experience differs from these assumptions, the reserves may not be adequate, requiring us to increase reserves. The required increase in reserves is recorded as a charge against our earnings in the period in which reserves are determined to be insufficient. These charges have been and in the future could be substantial. The reserves are discounted using upper-medium grade fixed income instrument yields as of each reporting date. Discount rates are subject to interest rate and market volatility. See the Life & Group Policyholder Reserves portion of Reserves - Estimates and Uncertainties section of MD&A in Item 7 for more information.
Morbidity and persistency experience can be volatile and may be negatively affected by many factors including policyholder behavior, judicial decisions regarding policy terms, socioeconomic factors, cost of care inflation, changes in health trends and advances in medical care.
A prolonged period during which investment returns remain at low levels could result in shortfalls in investment income on assets supporting our obligations under long-term care policies. This risk may be more significant for our long-term care products when the long potential duration of the policy obligations exceeds the duration of the supporting investment assets. In addition, we may not receive regulatory approval for the level of premium rate increases we request. Any adverse deviation between the level of premium rate actions approved and the level included in our reserving assumptions may require an increase to our reserves. Any adverse deviation between the level of future premium rate increases approved and the level included in our reserving assumptions may require an increase to our reserves. Further, and as noted in the previous risk factor, the increasingly adverse impact of social inflation, particularly with respect to legal activity and judicial decisions, may impact our long-term care portfolio and reserves.
We are vulnerable to material losses from natural and man-made disasters. We are vulnerable to material losses from natural and man-made disasters.
Catastrophe losses are an inevitable part of our business. Various events can cause catastrophe losses. These events can be natural or man-made, and may include hurricanes, tornadoes, windstorms, earthquakes, hail, severe winter weather, droughts, fires, floods, riots, strikes, civil unrest, cyber-attacks, pandemics and acts of terrorism. The frequency and severity of these catastrophe events are inherently unpredictable. Exposure to cyber risk is increasing systematically due to greater digital dependence, which increases the potential for, and the potential losses due to, a catastrophic cyber event. Catastrophic cyber-attack scenarios are not bound by time or geographic limitations and cyber-related catastrophic perils don’t have well-established definitions or fundamental physical properties. In addition, longer-term natural catastrophe trends may be changing and new types of, and heightened, catastrophe losses may be developing due to climate change, its associated extreme weather events linked to rising temperatures and its effects on global weather patterns, greenhouse gases, sea, land and air temperatures, sea levels, rain, drought, hail and snow. In addition, longer-term natural catastrophe trends may be changing and new types of catastrophe losses may be developing due to climate change, its associated extreme weather events linked to rising temperatures and its effects on global weather patterns, greenhouse gases, sea, land and air temperatures, sea levels, rain, drought, hail and snow. Climate studies by government agencies, academic institutions, catastrophe modeling organizations and other groups indicate that climate change may be altering the frequency and/or severity of catastrophic weather events, such as hurricanes, tornadoes, windstorms, earthquakes, hail, severe winter weather, droughts, fires and floods.
The extent of our losses from catastrophes is a function of the total amount of our insured exposures in the affected areas, the frequency and severity of the events themselves, the level of our reinsurance coverage, reinsurance reinstatement premiums and state residual market assessments, if any. It can take a long time for the ultimate cost of any catastrophe losses to us to be finally determined, as a multitude of factors contribute to such costs, including evaluation of general liability and pollution exposures, infrastructure disruption, business interruption and reinsurance collectability. Further, significant catastrophic events or a series of catastrophic events have the potential to impose financial stress on the reinsurance industry, which could impact our ability to collect amounts owed to us by reinsurers, thereby resulting in higher net incurred losses.
Reinsurance coverage for "unconventional" terrorism events (such as nuclear, biological, chemical or radiological attacks) is provided only in limited circumstances. Our principal reinsurance protection against these large-scale terrorist attacks is the coverage currently provided through the Terrorism Risk Insurance Program Reauthorization Act of 2019 (TRIPRA) through December 31, 2027. However, such coverage is
7
subject to a mandatory deductible and other limitations. It is also possible that future legislation could change or eliminate the program, which could adversely affect our business by increasing our exposure to terrorism losses, or by lowering our business volume through efforts to avoid that exposure. It is also possible that future legislation could change 7Table of Contentsor eliminate the program, which could adversely affect our business by increasing our exposure to terrorism losses, or by lowering our business volume through efforts to avoid that exposure. For a further discussion of TRIPRA, see Part II, Item 7, MD&A - Catastrophes and Related Reinsurance.
As a result of the items discussed above, catastrophe losses are particularly difficult to estimate, could cause us to exhaust our available reinsurance limits, could lead to large losses and could adversely affect the cost and availability of reinsurance. Accordingly, catastrophic events could have a material adverse effect on our business, results of operations, financial condition and liquidity.
We have exposures related to asbestos and environmental pollution (A&EP) claims, which could result in material losses.
Our property and casualty insurance subsidiaries have exposures related to A&EP claims. Our experience has been that establishing claim and claim adjustment expense reserves for casualty coverages relating to A&EP claims is subject to uncertainties that are greater than those presented by more traditional property and casualty claims. Additionally, traditional actuarial methods and techniques employed to estimate the ultimate cost of claims for more traditional property and casualty exposures are less precise in estimating claim and claim adjustment expense reserves for A&EP. As a result, estimating the ultimate cost of both reported and unreported A&EP claims is subject to a higher degree of variability. On August 31, 2010, we completed a retroactive reinsurance transaction under which substantially all of our legacy A&EP liabilities were ceded to National Indemnity Company (NICO), a subsidiary of Berkshire Hathaway Inc., subject to an aggregate limit of $4 billion (Loss Portfolio Transfer). The cumulative amount ceded under the Loss Portfolio Transfer as of December 31, 2025 was $3.9 billion. If the other parties to the Loss Portfolio Transfer do not fully perform their obligations, net losses incurred on A&EP claims covered by the Loss Portfolio Transfer exceed the aggregate limit of $4 billion, or we determine we have exposures to A&EP claims not covered by the Loss Portfolio Transfer, we may need to increase our recorded net reserves which would result in a charge against our earnings. These charges could be substantial. Additionally, if the A&EP claims exceed the limit of the Loss Portfolio Transfer, we will need to assess whether to purchase additional limit or to reassume claim handling responsibility for A&EP claims from an affiliate of NICO. Any additional reinsurance premium or future claim handling costs would also reduce our earnings.
We are exposed to, and may face adverse developments related to, mass tort claims that could arise from, among other things, our insureds’ sale or use of potentially harmful products or substances, claims of sexual abuse and molestation against our insureds and changes to the social and legal environment, such as those related to abuse reviver statutes, issues related to altered interpretation of coverage and other new and emerging claim theories. 8Table of ContentsWe are exposed to, and may face adverse developments related to, mass tort claims that could arise from, among other things, our insureds’ sale or use of potentially harmful products or substances, changes to the social and legal environment, such as those related to abuse reviver statutes, issues related to altered interpretation of coverage and other new and emerging claim theories.
We face potential exposure to various types of existing, new and emerging mass tort claims, including those related to exposure to potentially harmful products or substances, such as glyphosate, lead paint, per- and polyfluoroalkyl substances (PFAS) and opioids, sexual abuse and molestation claims, claims arising from changes that expand the right to sue, remove limitations on recovery, extend the statutes of limitations or otherwise repeal or weaken tort reforms, such as those related to abuse reviver statutes; and claims related to new and emerging theories of liability, such as those related to global warming and climate change. Evolving judicial interpretations, increased participation by plaintiff's lawyers in insurance claims, rising litigation activity, higher monetary verdicts, abusive litigation practices, the growth of third-party litigation financing and new legislation regarding the application of various tort theories and defenses, including application of various theories of joint and several liability, as well as the application of insurance coverage to these claims, give rise to new and potentially more severe claim activity. For example, we have recorded, and may continue to record, increases in our mass tort reserves, driven substantially by abuse reviver statutes that have resulted in increased claims. Similar and continuing mass tort claim activity, including activity based on changing judicial interpretations and recent and proposed legislation, could have a material adverse effect on our business, results of operations and financial condition.
8
Strategic Risks
We face intense competition in our industry; we may be adversely affected by the cyclical nature of the property and casualty business and by the evolving landscape of our distribution network.
All aspects of the insurance industry are highly competitive and we must continuously allocate resources to refine and improve our insurance products and services to remain competitive. We compete with a large number of stock and mutual insurance companies and other entities, some of which may be larger or have greater financial or other resources than we do, for both distributors and customers. This includes agents, brokers and managing general underwriters who may increasingly compete with us, including as a result of markets continuing to provide them with direct access to providers of capital seeking exposure to insurance risk. Insurers compete on the basis of many factors, including products, price, services, ratings and financial strength. The competitor landscape has evolved substantially in recent years, with significant consolidation and new market entrants, such as insurtech firms, resulting in increased pressures on our ability to remain competitive, particularly in obtaining pricing that is both attractive to our customer base and risk-appropriate to us.
In addition, the property and casualty market is cyclical and has experienced periods characterized by relatively high levels of price competition, resulting in less restrictive underwriting standards and relatively low premium rates, followed by periods of relatively lower levels of competition, more selective underwriting standards and relatively high premium rates. We may lose business to competitors offering competitive insurance products at lower prices. As a result, our premium levels and expense ratio could be materially adversely impacted.
We market our insurance products worldwide primarily through independent insurance agents, insurance brokers, and managing general underwriters who also promote and distribute the products of our competitors, and in certain cases their own products. Any change in our relationships with our distribution network agents, brokers or managing general underwriters, including as a result of consolidation or their increased promotion and distribution of our competitors' or their own products, could adversely affect our ability to sell our products. As a result, our business volume and results of operations could be materially adversely impacted.
Our underwriting strategies currently rely on the effectiveness of reinsurance arrangements and we accordingly face risks relating to reinsurance, including obtaining reinsurance at a cost or on terms and conditions we deem acceptable, reinsurance counterparty risk and ineffective reinsurance coverage.
A primary reason we purchase reinsurance is to manage our exposure to risk, thereby facilitating our underwriting strategies in certain key areas. Under our ceded reinsurance arrangements, a reinsurer assumes a specified portion of our exposure in exchange for a specified portion of policy premiums. The availability and cost of the reinsurance protection we purchase, which affects the volatility and profitability of our business, as well as the level and types of risk we retain, is determined by many factors, including general economic conditions and conditions in the reinsurance market, such as the occurrence of significant reinsured events or unexpected adverse trends, including those associated with climate change. The availability and cost of the reinsurance protection we purchase, which affects the volatility and profitability of our business, as well as the level and types of risk we retain, is determined by many factors, including general economic 9Table of Contentsconditions and conditions in the reinsurance market, such as the occurrence of significant reinsured events or unexpected adverse trends, including those associated with climate change. If we are unable to obtain sufficient reinsurance at a cost or on terms and conditions we deem acceptable, our risk exposure will not be mitigated to the degree desired or we may forego such increased risk, thereby adversely impacting our underwriting strategies. In addition, use of reinsurance exposes us to credit risk of the reinsurers, as the reinsurance arrangements do not relieve us of the liability to the customer. If a reinsurer is unable to meet its financial obligations under a reinsurance arrangement, we will remain obligated under the original policies issued to our customers. Furthermore, while we use various risk management methods, including the use of reinsurance, to effectively manage risk, there is the possibility that one or more natural catastrophes and/or terrorism or other events could result in claims substantially exceeding expectations, thereby making the reinsurance strategy significantly less effective. Such reinsurance-related risks could have a material adverse effect on our business, results of operations and financial condition and adversely affect our underwriting strategies in certain lines of business.
We may be adversely affected by technological changes or disruptions in the insurance marketplace.
Technological changes in the way insurance transactions are completed in the marketplace, and our ability to react effectively to such change, may present significant competitive risks. For example, more insurers are utilizing or may begin utilizing "big data" analytics or artificial intelligence (AI) to make underwriting or other
9
decisions that impact product design and pricing. If such utilization by our industry peers is more effective than how we use our data and information, including through our own use of AI, we will be at a competitive disadvantage. There can be no assurance that we will continue to compete effectively with our industry peers due to technological changes; accordingly, this may have a material adverse effect on our business, results of operations and financial condition.
In addition, agents and brokers, technology companies, or other third parties may create alternate distribution channels for commercial business that may adversely impact product differentiation and pricing. For example, they may create a digitally enabled distribution channel that may adversely impact our competitive position. Our efforts or the efforts of agents and brokers with respect to new products or alternate distribution channels, as well as changes in the way agents and brokers utilize greater levels of data and technology, including AI, could adversely impact our business relationship with independent agents and brokers who currently market our products, resulting in a lower volume and/or profitability of business generated from these sources. Our efforts or the efforts of agents and brokers with respect to new products or alternate distribution channels, as well as changes in the way agents and brokers utilize greater levels of data and technology, including artificial intelligence, could adversely impact our business relationship with independent agents and brokers who currently market our products, resulting in a lower volume and/or profitability of business generated from these sources.
Further, our business could be affected as our policyholders adopt AI technologies. Policyholder use of AI could introduce novel exposures that may result in new or increased claims. Widespread adoption of AI could fundamentally disrupt entire industries, which could impact the demand for certain products.
We face considerable competition within our industry for qualified, specialized talent and any significant inability to attract and retain talent may adversely affect the execution of our business strategies.
The successful execution of our business strategies depends on our ability to attract and retain qualified talent. The successful execution of our business strategies depends on our ability to attract and retain qualified talent. Due to the intense competition in our industry and from businesses outside the industry for qualified employees, especially those in key positions and those possessing highly specialized knowledge and industry experience in areas such as underwriting, data and analytics and technology, we may encounter obstacles to our ability to attract and retain such employees, which could materially adversely affect our business, results of operations and financial condition.
We are controlled by a single stockholder which could result in potential conflicts of interest.
Loews beneficially owned approximately 92% of our outstanding shares of common stock as of December 31, 2025, and is in a position to control actions that require the consent of stockholders, including the election of directors, amendment of our Restated Certificate of Incorporation and any merger or sale of substantially all of our assets. In addition, as of January 1, 2026 three officers of Loews, including the CEO of Loews (who is also a director of Loews), along with one additional director of Loews (who is also the Chairman of the Board of Loews) and one director emeritus of Loews, serve on our Board of Directors. In addition, and as of January 1, 2025 three officers of Loews, including the CEO of Loews (who is also a director of Loews), along with one additional director of Loews (who is also the Chairman of the Board of Loews) and one director emeritus of Loews, serve on our Board of Directors. We have also entered into services agreements and a registration rights agreement with Loews, and we may in the future enter into other agreements with Loews. It is possible that potential conflicts of interest could arise in the future for our directors who are also officers and/or directors of Loews with respect to a number of areas relating to the past and ongoing relationships of Loews and us, including tax and insurance matters, financial commitments and sales of common stock pursuant to registration rights or otherwise.
Financial Risks
We may incur significant realized and unrealized investment losses and volatility in net investment income arising from changes in the financial markets.
Our investment portfolio is exposed to various risks, such as interest rate, credit spread, issuer default, equity prices and foreign currency, which are unpredictable. Financial markets are highly sensitive to changes in economic conditions, monetary policies, tariff policies, tax policies, interest rates, domestic and international geopolitical issues and many other factors. Financial markets are highly sensitive to changes in economic conditions, monetary policies, tax policies, interest rates, domestic and international geopolitical issues and many other factors. Changes in financial markets, including fluctuations in interest rates, credit, equity prices and foreign currency prices, and many other factors beyond our control can adversely affect the value of our investments, the realization of investment income and the rate at which we discount certain liabilities. Our investment portfolio is also subject to increased valuation uncertainties when investment markets are illiquid. The valuation of investments is more subjective when markets are illiquid, thereby increasing the risk that the estimated fair value (i.e., the carrying amount) of the portion of our investment portfolio that is carried at fair value in our financial statements is not reflective of the prices at which actual transactions could occur.
10
We have significant holdings in fixed maturity investments that are sensitive to changes in interest rates. A decline in interest rates may reduce the returns earned on new fixed maturity investments, thereby reducing our net investment income, while an increase in interest rates may reduce the value of our existing fixed maturity investments, which could increase our net unrealized losses or reduce our net unrealized gains included in Accumulated other comprehensive income (AOCI). The value of our fixed maturity investments is also subject to risk that certain investments may default or become impaired due to deterioration in the financial condition of issuers of the investments we hold or in the underlying collateral of the security.
In addition, we invest a portion of our assets in limited partnerships and common stock which are subject to greater market volatility than our fixed maturity investments. Limited partnership investments generally provide a lower level of liquidity than fixed maturity or equity investments, which may also limit our ability to withdraw funds from these investments. The timing and amount of income or losses on such investments is inherently variable and can contribute to volatility in reported earnings.
Further, we hold a portfolio of commercial mortgage loans. We are subject to risk related to the recoverability of loan balances, which is influenced by declines in the estimated cash flows from underlying property leases, fair value of collateral, refinancing risk and the creditworthiness of tenants of credit tenant loan properties, where lease payments directly service the loan. Any changes in actual or expected collections would result in a charge to earnings.
As a result of these factors, we may not earn an adequate return on our investments, may be required to write down the value of our investments and may incur losses on the disposition of our investments all of which could materially adversely affect our business, results of operations and financial condition. As a result of these factors, we may not earn an adequate return on our investments, may be required to write down the value of our investments and may incur losses on the disposition of our investments all of which could materially adversely affect our business, results of operations and financial condition.
Operational Risks
We use analytical models to assist our decision making in key areas such as pricing, reserving, catastrophe risks and capital modeling and may be adversely affected if actual results differ materially from the model outputs and related analyses.
We use various modeling techniques and data analytics (e.g. scenarios, predictive, stochastic and forecasting) to analyze and estimate exposures, loss trends and other risks associated with our assets and liabilities. This includes both proprietary and third-party modeled outputs and related analyses to assist us in decision-making related to underwriting, pricing, capital allocation, reserving, investing, reinsurance and catastrophe risk, among other things. We incorporate numerous assumptions and forecasts about the future level and variability of policyholder behavior, loss frequency and severity, interest rates, equity markets, inflation, capital requirements, and currency exchange rates, among others. The modeled outputs and related analyses from both proprietary models and third parties are subject to various assumptions, uncertainties, model design errors and the inherent limitations of any statistical analysis. Further, climate change may make modeled outcomes less certain or produce new, non-modeled risks.
In addition, the effectiveness of any model can be degraded by operational risks, including the improper use of the model, input errors, data errors and human error. As a result, actual results may differ materially from our modeled results. Our profitability and financial condition substantially depends on the extent to which our actual experience is consistent with assumptions we use in our models and ultimate model outputs. If, based upon these models or other factors, we misprice our products or fail to appropriately estimate the risks we are exposed to, our business, results of operations and financial condition may be materially adversely affected.
Any significant interruption in the operation of our business functions, facilities or systems or our vendors' facilities or systems could result in a materially adverse effect on our operations.
Our business is highly dependent upon our ability to perform, in an efficient and uninterrupted manner, through our employees or vendor relationships and using our and their facilities and systems, necessary business functions, such as providing internet support and 24-hour call centers, processing new and renewal business, providing customer service, processing and paying claims and other obligations and issuing financial statements.
Our, or our vendors', facilities and systems could become unavailable, inoperable, or otherwise impaired from a variety of causes, including natural events, such as hurricanes, tornadoes, windstorms, earthquakes, severe
11
winter weather and fires, or other events, such as explosions, terrorist attacks, computer security breaches or cyber-attacks, riots, hazardous material releases, medical epidemics or pandemics, utility outages, interruptions of data processing and storage systems or unavailability of communications facilities or systems. Likewise, we could experience a significant failure, interruption or corruption of one or more of our or our vendors' information technology, telecommunications, or other systems for various reasons, including significant failures or interruptions that might occur as existing systems are replaced or upgraded. The shut-down or unavailability of one or more of our or our vendors’ systems or facilities for these or any other reasons could significantly impair our ability to perform critical business functions on a timely basis.
In addition, because our and our vendors' information technology, telecommunications and other systems interface with and depend on third-party systems, we could experience service denials if demand for such service exceeds capacity or a third-party system fails or experiences an interruption. In addition, because our and our vendors' information technology and telecommunications systems interface with and depend on third-party systems, we could experience service denials if demand for such service exceeds capacity or a third-party system fails or experiences an interruption. If sustained or repeated, such events could result in a deterioration of our ability to perform necessary business functions.
The foregoing risks could expose us to monetary and reputational damages. The foregoing risks could expose us to monetary and reputational damages. Potential additional exposures relating to significant interruptions to our operations may include substantially increased compliance costs, as well as increased costs relating to investments in computer system and security-related upgrades, and such costs may not be recoverable under our relevant insurance coverage. Potential additional exposures relating to significant interruptions to our operations may include substantially increased compliance costs, as well as increased costs relating to investments in computer system and security-related upgrades, and such costs may not be recoverable under our relevant insurance coverage. We have made, and continue to make, investments to improve our security and infrastructure.
If our business continuity plans or system security do not sufficiently address these risks, they could have a material adverse effect on our business, results of operations and financial condition. If our business continuity plans or system security do not sufficiently address these risks, they could have a material adverse effect on our business, results of operations and financial condition.
Any significant breach in our data security infrastructure or our vendors’ facilities or systems could disrupt business, cause financial losses and damage our reputation, and insurance coverage may not be available for claims related to a breach.
A significant breach of our data security infrastructure may result from actions by our employees, vendors, third-party administrators, or unknown third parties or through cyber-attacks. The risk of a breach can exist whether software services are in our or third party administered data centers or are cloud-based software services. The sophistication of cybersecurity threats continues to escalate, and the measures we take to mitigate the risk of cyber incidents and to safeguard our systems and data may be insufficient. Further, the increasing use of AI within our systems and those of our vendors and third-party administrators to achieve operational efficiencies and within threat actors’ attack strategies, may further expose our systems or those of our vendors and third-party administrators to the risk of cyber-attacks. Breaches have occurred, and may occur again, in our systems and in the systems of our vendors and third-party administrators, both current and former, in that past vendors and third-party administrators may still retain certain confidential and sensitive information in their systems. Breaches have occurred, and may occur again, in our systems and in the systems of our vendors and third-party administrators, both current and 12Table of Contentsformer, in that past vendors and third-party administrators may still retain certain confidential and sensitive information in their systems. During the fourth quarter of 2025, we were notified of a data breach impacting a vendor of a business associate of our current employee health insurance administrator. The breach was traced to compromised credentials leveraged by a threat actor, with the impacted vendor shutting down and rebuilding the affected environment upon discovery of the breach. Following a forensics analysis, it was determined that a substantial number of our employees (and dependents of employees) were impacted. We understand that the subject vendor will be providing required breach notifications to all impacted individuals.
Breaches that affect our data security infrastructure or our vendors' facilities or systems, may cause a failure to protect the personal information of our customers, claimants or employees, or sensitive and confidential information regarding our business or policyholders and may result in operational impairments and financial losses, significant harm to our reputation and the loss of business with existing or potential customers. Breaches could affect our data framework or cause a failure to protect the personal information of our customers, claimants or employees, or sensitive and confidential information regarding our business or policyholders and may result in operational impairments and financial losses, significant harm to our reputation and the loss of business with existing or potential customers. The breach of confidential information also could give rise to legal liability and regulatory action under data protection and privacy laws, as well as evolving regulation in this regard. While we do not believe breaches that have occurred and resultant actions will have a material adverse effect on our business, these or similar incidents, or any other breach of our or our vendors’ data security infrastructure could have a material adverse effect on our business, results of operations and financial condition. While we do not believe such breaches that have occurred and resultant actions will have a material adverse effect on our business, these or similar incidents, or any other such breach of our or our vendors’ data security infrastructure could have a material adverse effect on our business, results of operations and financial condition.
Although we maintain cybersecurity insurance coverage insuring against costs resulting from cyber-attacks, we do not expect the amount available under our coverage policy to cover all potential losses from cyber-attacks. Although we maintain cybersecurity insurance coverage insuring against costs resulting from cyber-attacks (including the March 2021 attack), we do not expect the amount available under our coverage policy to cover all losses from cyber-attacks. In addition, potential disputes with our insurers about the availability of insurance coverage could occur.
12
Further, should we experience future cyber incidents, or should industry trends drive rate increases resulting from growth in volume and significance of cyber incidents broadly, we may incur higher costs for cybersecurity insurance coverage.
The risks relating to future breaches in our, or our vendors', data security infrastructure or systems, including in connection with cyber incidents, could have a material adverse effect on our business, results of operations or financial condition or may result in significant operational impairments and financial losses, as well as significant harm to our reputation. The risks relating to future breaches in our, or our vendors', data security infrastructure or systems, including in connection with cyber incidents, could have a material adverse effect on our business, results of operations or financial condition or may result in significant operational impairments and financial losses, as well as significant harm to our reputation.
Inability to detect and prevent significant employee or third-party service provider misconduct, inadvertent errors and omissions, or exposure relating to functions performed on our behalf could result in a materially adverse effect on our business, results of operations and financial condition.
We may incur losses which arise from employees or third-party service providers engaging in intentional, negligent or inadvertent misconduct, fraud, errors and omissions, failure to comply with internal guidelines, including with respect to underwriting authority, or failure to comply with regulatory requirements. Our or our third-party service providers' controls may not be able to detect all possible circumstances of such noncompliant activity and the internal structures in place to prevent this activity may not be effective in all cases. When new technologies, such as AI, are incorporated into our or our third-party service providers' processes, they may introduce additional complexity and present greater risk to the effectiveness of these controls. For example, generative AI systems may "hallucinate" producing inaccurate or misleading information, and model performance may degrade over time, leading to flawed recommendations. AI models may perpetuate or amplify biases present in underlying data, which could result in discriminatory or unfair outcomes in areas such as underwriting and claims. The potential for employees or third-party service providers, through intentional or inadvertent actions, to enable AI models to be trained on our data or our insureds' data introduces risks of unauthorized use or disclosure of sensitive information and erosion of data privacy. AI may also be used to perpetuate fraud, or to manipulate or evade monitoring and detection controls.
Portions of our insurance business is underwritten and serviced by third parties. With respect to underwriting, our contractual arrangements with third parties will typically grant them limited rights to write new and renewal policies, subject to contractual restrictions and obligations, including requiring them to underwrite within the terms of our licenses. Should these third parties issue policies that exceed these contractual restrictions, we could be deemed liable for such policies and subject to regulatory fines and penalties for any breach of licensing requirements. It is possible that in such circumstance we might not be fully indemnified for such third parties’ contractual breaches.
Additionally, we rely on certain third-party claims administrators, including the administrator of our long-term care claims, to handle policyholder services and perform significant claim administration and claim adjudication functions. Any failure by such administrator to properly perform service functions may result in losses as a result of over-payment of claims, legal claims against us and adverse regulatory enforcement exposure.
We have also licensed certain systems from third parties. We cannot be certain that we will have access to these systems or that our information technology or application systems will continue to operate as intended.
These risks could adversely impact our reputation and client relationships and have a material adverse effect on our business, results of operations and financial condition.
Loss of key vendor relationships and issues relating to the transitioning of vendor relationships could compromise our ability to conduct business.
In the event that one or more of our vendors suffers a bankruptcy, is sold to another entity, sustains a significant business interruption or otherwise becomes unable to continue to provide products or services at the requisite level, we may be adversely affected. We may suffer operational impairments and financial losses associated with failure by vendors to properly perform service functions, transferring business to a new vendor, assisting a vendor with rectifying operational difficulties or assuming previously outsourced operations ourselves. Our inability to provide for appropriate servicing if a vendor becomes unable to fulfill its contractual obligations to us, either through transitioning to another service provider temporarily or permanently or assuming servicing internally, may have a materially adverse effect on our business, results of operations and financial condition.
13
We are subject to capital adequacy requirements and, if we are unable to maintain or raise sufficient capital to meet these requirements, regulatory agencies may restrict or prohibit us from operating our business.
Insurance companies such as ours are subject to capital adequacy standards set by regulators to help identify companies that merit further regulatory attention. In the U.S., these standards apply specified risk factors to various asset, premium and reserve components of our legal entity statutory basis of accounting financial statements. For IAIGs, such as CNA, the standards also seek to quantify risk across the insurance group in order to assess group capital. Current rules, including those promulgated by insurance regulators and specialized markets, such as Lloyd's, require companies to maintain statutory capital and surplus at a specified minimum level determined using the applicable jurisdiction's regulatory capital adequacy formula. If we do not meet these minimum requirements, we may be restricted or prohibited from operating our business in the applicable jurisdictions and specialized markets. If we are required to record a material charge against earnings in connection with a change in estimated insurance reserves, or the occurrence of a catastrophic event or otherwise, or if we incur significant losses related to our investment portfolio, which severely deteriorates our capital position, we may violate these minimum capital adequacy requirements unless we are able to raise sufficient additional capital. We may be limited in our ability to raise significant amounts of capital on favorable terms or at all.
Our insurance subsidiaries, upon whom we depend for dividends in order to fund our corporate obligations, are limited by insurance regulators in their ability to pay dividends.
We are a holding company and are dependent upon dividends, loans and other sources of cash from our subsidiaries in order to meet our obligations. Ordinary dividend payments, or dividends that do not require prior approval by the insurance subsidiaries' domiciliary insurance regulator, are generally limited to amounts determined by formulas that vary by jurisdiction. If we are restricted from paying or receiving intercompany dividends, by regulatory rule or otherwise, we may not be able to fund our corporate obligations and debt service requirements or pay our stockholders dividends from available cash. As a result, we would need to pursue other sources of capital which may be more expensive or may not be available at all.
Rating agencies may downgrade their ratings of us, thereby adversely affecting our ability to write insurance at competitive rates or at all and increasing our cost of capital. 14Table of ContentsRating agencies may downgrade their ratings of us, thereby adversely affecting our ability to write insurance at competitive rates or at all and increasing our cost of capital.
Ratings are an important factor in establishing the competitive position of insurance companies. Our insurance company subsidiaries, as well as our public debt, are rated by rating agencies, including, A.M. Best Company (A.M. Best), Moody's Investors Service, Inc. (Moody's), Standard & Poor's (S&P) and Fitch Ratings, Inc. (Fitch). Ratings reflect the rating agency's opinions of an insurance company's or insurance holding company's financial strength, capital adequacy, enterprise risk management practices, operating performance, strategic position and ability to meet its obligations to policyholders and debt holders, and may also reflect opinions on other areas such as information security and climate risk.
The rating agencies may take action to lower our ratings in the future as a result of any significant financial loss or changes in the methodology or criteria applied by the rating agencies. The rating agencies may take action to lower our ratings in the future as a result of any significant financial loss or changes in the methodology or criteria applied by the rating agencies. The severity of the impact on our business is dependent on the level of downgrade and, for certain products, which rating agency takes the rating action. Among the adverse effects in the event of such downgrades would be the inability to obtain a material volume of business from certain major insurance brokers, the inability to sell a material volume of our insurance products to certain markets and the required collateralization of certain future payment obligations or reserves. Further, if one or more of our corporate debt ratings were downgraded, we may find it more difficult to access the capital markets and we may incur higher borrowing costs.
In addition, it is possible that a significant lowering of the corporate debt ratings of Loews by certain of the rating agencies could result in an adverse effect on our ratings, independent of any change in our circumstances.
For further discussion of our ratings, see the Ratings subsection within the Liquidity and Capital Resources section of MD&A in Item 7.
14
We are subject to extensive existing state, local, federal and foreign governmental regulations that restrict our ability to do business and generate revenues; additional regulation or significant modification to existing regulations or failure to comply with regulatory requirements may have a materially adverse effect on our business, results of operations and financial condition.
The insurance industry is subject to comprehensive and detailed regulation and supervision. Most insurance regulations are designed to protect the interests of our policyholders and third-party claimants, rather than our investors. Each jurisdiction in which we do business has established supervisory agencies that regulate the manner in which we do business. Any changes in regulation could impose significant burdens on us. In addition, the Lloyd's marketplace sets rules under which its members, including our Hardy syndicate, operate.
These rules and regulations relate to, among other things, the standards of solvency (including risk-based capital measures), government-supported backstops for certain catastrophic events (including terrorism), investment restrictions, accounting and reporting methodology, establishment of reserves and potential assessments of funds to settle covered claims against impaired, insolvent or failed private or quasi-governmental insurers. In addition, rules and regulations are being introduced, or are being considered, in the areas of AI, information security and climate change, which may also affect our business. In addition, rules and regulations are being introduced, or are being considered, in the areas of artificial intelligence, information security and climate change, which may also affect our business. We also are subject to numerous regulations governing the protection of personal and confidential information of our customers and employees, including medical records, credit card data and financial information. These laws and regulations, including regulations related to cybersecurity protocols (which continue to evolve in breadth, sophistication and maturity in response to an ever-evolving threat landscape), are increasing in complexity and number, change frequently, sometimes conflict, and could expose us to significant monetary damages, regulatory enforcement actions, fines and/or criminal prosecution in one or more jurisdictions. Regulators at the federal, state and international level have adopted or may adopt new regulations related to, among other matters, climate change and greenhouse emissions, and could impose new regulations requiring disclosure of underwriting or investment in certain industry sectors.
Regulatory powers also extend to premium rate regulations which require that rates not be excessive, inadequate or unfairly discriminatory. Regulatory powers also extend to premium rate regulations which require that rates not be excessive, inadequate or unfairly discriminatory. State jurisdictions ensure compliance with such regulations through market conduct exams, which may result in losses to the extent non-compliance is ascertained, either as a result of failure to document transactions properly, failure to comply with internal guidelines or otherwise. The jurisdictions in which we do business may also require us to provide coverage to persons whom we would not otherwise consider eligible or restrict us from withdrawing from unprofitable lines of business or unprofitable market areas. The jurisdictions in which we do business may also require us to provide coverage to persons whom we would not otherwise 15Table of Contentsconsider eligible or restrict us from withdrawing from unprofitable lines of business or unprofitable market areas. Each jurisdiction dictates the types of insurance and the level of coverage that must be provided to such involuntary risks. Our share of these involuntary risks is mandatory and generally a function of our respective share of the voluntary market by line of insurance in each jurisdiction.
15
ITEM 1B. UNRESOLVED STAFF COMMENTS
None.
ITEM 1C. CYBERSECURITY
CNA monitors information security metrics globally. CNA monitors information security metrics globally. To elevate this information within the organization, our Chief Risk & Reinsurance Officer (CRRO) and Chief Compliance Officer (CCO) present cybersecurity reports and metrics to the Audit Committee of our Board of Directors every quarter. Reports address security events, third-party risk and vulnerabilities, including material risks from cybersecurity threats, and any significant unauthorized occurrences. These discussions are part of our overall enterprise risk management and also take place on at least an annual basis with the full Board of Directors, which is responsible for overseeing material risks, including cybersecurity risk, on an enterprise-wide basis.
At the senior management level, our Global Chief Security Officer (CSO) oversees CNA’s information security and data privacy programs and is responsible for establishing and implementing the security strategy alongside the Chief Information Officer (CIO), to whom the CSO reports directly. The CIO serves on the Enterprise Risk Committee, which is chaired by the CRRO.
The CSO leads the Information Security group within Information Technology, which manages the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. The CSO leads the Information Security group within Information Technology, which manages the controls designed to identify, detect, protect against, respond to and recover from cybersecurity threats and cybersecurity incidents. This group includes a cyber defense team that is responsible for information technology security monitoring and incident response activities, including the response coordination to cyber-attacks. The Company engages in a continuous risk monitoring process that seeks to identify the likelihood and impact of internal and external threats to our information security systems and data, and assesses the sufficiency of the controls in place to mitigate these threats to acceptable levels on a risk-based basis. The CSO and CIO together lead efforts to design, implement and operate controls deemed necessary, commensurate with the materiality and criticality of identified risks and the sensitivity of the information assets and systems used throughout the organization. Our current CSO has a bachelor’s degree in Computer Information Systems and a master’s degree in Cybersecurity, and has over 20 years of experience building and executing information and cybersecurity strategies. Prior to joining CNA, our CIO served in a variety of roles at another major U.S. insurance company, both in business and technology, and has over 20 years of experience working with major U.S. Property & Casualty insurers.
Threats of security incidents and the impact of actual security incidents are initially assessed and managed by the CSO and CIO. Threats of security incidents and the impact of actual security incidents are initially assessed and managed by the CSO and CIO as described above. CNA has further implemented response plans that provide the basis for appropriate response to an unauthorized occurrence from a technical perspective, as well as from disclosure and regulatory perspectives.
These response plans also set forth the processes for internal reporting of a substantive unauthorized occurrence. These response plans also set forth the processes for internal reporting of a substantive unauthorized occurrence. The CSO reports such matters to the CIO and CCO, who is responsible for convening a team of cross-enterprise leaders to ensure comprehensive responsiveness to an occurrence. This group also analyzes unauthorized occurrences affecting CNA's or third parties’ IT systems or sensitive information, and directs the activities of CNA in responding to such incidents.
16
In addition, the group, under the leadership of the CCO, undertakes the appropriate internal notifications of any such occurrence, and responsive activities, to the General Counsel, Chief Executive Officer, Chief Financial Officer and Board of Directors, with executive management involvement in the same to the extent appropriate in the context of the nature of such occurrence.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| L | an hour ago |
| CNA | an hour ago |
| MAS | 2 hours ago |
| CURB | 2 hours ago |
| CVS | 3 hours ago |
| ACRE | 12 hours ago |
| T | 16 hours ago |
| BE | 16 hours ago |
| SIGI | 16 hours ago |
| UTL | 16 hours ago |
| RXO | 16 hours ago |
| APAD | 16 hours ago |
| ITT | 17 hours ago |
| CLF | 17 hours ago |
| VNO | 17 hours ago |
| ON | 17 hours ago |
| PI | 17 hours ago |
| BSAA | 17 hours ago |
| ZWS | 17 hours ago |
| BRX | 17 hours ago |
| KN | 17 hours ago |
| MRSH | 17 hours ago |
| FCFS | 17 hours ago |
| WM | 17 hours ago |
| NSC | 21 hours ago |
| OHI | 22 hours ago |
| LADR | 1 day, 1 hour ago |
| ALX | 1 day, 1 hour ago |
| AAT | 3 days, 16 hours ago |
| LVS | 3 days, 16 hours ago |
| RTX | 3 days, 17 hours ago |
| APTV | 3 days, 17 hours ago |
| SYF | 3 days, 17 hours ago |
| POWI | 3 days, 17 hours ago |
| MAA | 3 days, 17 hours ago |
| CHAC | 3 days, 17 hours ago |
| VTR | 3 days, 17 hours ago |
| ELV | 3 days, 18 hours ago |
| MSCI | 3 days, 18 hours ago |
| HNOI | 3 days, 19 hours ago |
| HAL | 3 days, 19 hours ago |
| AXP | 3 days, 21 hours ago |
| RLEA | 3 days, 21 hours ago |
| ATR | 3 days, 21 hours ago |
| MTD | 3 days, 21 hours ago |
| TXN | 3 days, 22 hours ago |
| UNP | 3 days, 23 hours ago |
| OMF | 4 days ago |
| BIIB | 4 days, 2 hours ago |
| PM | 4 days, 2 hours ago |
