The CNA Board of Directors monitors the effectiveness of policy and decision making across the organization with the purpose of growing shareholder value over the long term.
The Board’s responsibilities include selecting qualified candidates for membership, and they consider the strength of candidates based on their character, judgement, business experience, and areas of expertise. Loews has approximately 90% ownership in CNA, and five out of 10 directors on CNA’s Board of Directors represent Loews. Our Chief Executive Officer serves on the Board.
CNA has a formalized risk governance structure that starts with the Board of Directors and cascades to underlying company committees, business units, and ultimately, all employees. We seek to promote a strong risk management culture and the belief that effective risk management is the responsibility of all employees.
Enterprise Risk Management
Our Enterprise Risk Committee, chaired by the Chief Risk & Reinsurance Officer, meets quarterly and is responsible for the oversight of CNA’s risk management framework on an enterprise-wide basis.
- Membership includes senior executives from all relevant business and functional areas (e.g., Investments, Underwriting, Actuarial, Claims, Finance).
- Risk owners provide updates on their key risks and controls, as well as key risk indicators, which form the basis of the Enterprise Risk Management function’s quarterly Enterprise Risk Report.
- The Chief Risk & Reinsurance Officer also reports quarterly to the Audit Committee of the Board of Directors.
We strive to maintain a prudent approach and require investment personnel to always act with an appropriate amount of care and in the best interests of the Company in the management of our investment portfolio.
Governance of Investment Portfolio
CNA’s Finance Committee of the Board of Directors reviews investment portfolio performance and investment activity in quarterly meetings with the asset manager. All statutory insurance company transactions are reviewed and approved quarterly by the Board of Directors.
At least annually, the Board reviews and approves the investment policy statement of each statutory company. Our investment policy statement provides guidance for our investment decisions. The portfolio is managed to duration and credit quality targets – and we believe it is broadly diversified – and considers asset liability management, as well as prepayment, interest rate, and credit risks. In addition, an operating group meets monthly to discuss and monitor investment results, trading activity, and portfolio metrics relative to targets.
CNA regularly assesses risks, both to its investment portfolio and individual holdings, considering emerging trends and their potential impact on specific sectors. Risk assessments could include ESG-related risks such as climate-related impacts, energy prices, litigation exposure, public perception of corporate social responsibility and legal compliance.
We also conduct research on certain ESG-related topics to better inform our investment strategy. For example, we periodically analyze energy and related investments to inform our analysis of the energy and power industries and other aspects of carbon transition in the economy. We aim to be disciplined in our evaluation of each investment’s risk return profile and the risks related to our entire investment portfolio.
Our Investments
Our portfolio is high credit quality, and our asset allocation is primarily fixed income, which provides a stable source of investment income. A portion of our investments have had the added effect of supporting certain environmental and social improvements.
Our fixed income portfolio includes municipal bonds that support communities by providing funding for education, transportation infrastructure, water and sewer projects, and general liquidity needed to support the operations of communities. In addition, we have invested in solar bonds that allow consumers to finance and install residential solar powered systems and provided financing for renewable energy projects, which will help in the transition from fossil fuels.
Data privacy and information security are of utmost importance for CNA, our customers and our stakeholders. CNA has established structures and programs to manage and address data privacy and security at the senior executive level and at the employee level.
Protecting information and maintaining stakeholder trust are foundational to CNA’s commitment to responsible business practices and strong corporate governance. We continuously invest in cybersecurity, privacy, and data governance programs designed to safeguard sensitive information, support operational resilience, and promote the responsible use of technology across our organization.
Data Security & Governance
To help foster a culture of accountability and awareness, all employees complete annual data privacy and cybersecurity awareness training. This training reinforces CNA’s policies, ethical standards, and shared responsibility to protect company, customer, and partner information.
CNA maintains a multidisciplinary approach to cybersecurity and data governance supported by experienced professionals with industry-recognized certifications (CISSP, IAPP, Security Industry Cybersecurity Certification, etc.) and expertise in information security, privacy, and risk management. These capabilities help strengthen oversight, governance, and the ongoing maturity of our security program.
Our security strategy is built on a defense-in-depth approach that combines preventive, detective, and responsive controls to help identify and mitigate evolving cyber threats. If one layer fails, additional layers detect and respond to threats. We continuously assess the changing threat landscape and enhance our capabilities to support the confidentiality, integrity, and availability of critical information assets.
Key focus areas of our program include:
- Strengthening visibility and response capabilities to address emerging threats and anomalous activity
- Protecting high-value systems, applications, and information assets
- Implementing preventive and detective security controls across the enterprise
- Safeguarding sensitive and critical data through monitoring and governance practices
- Supporting operational resilience and responsible technology management across global operations
Digitization
CNA views digitization as an opportunity to improve our business processes and efficiency and lessen our environmental impact. It also enables us to be more connected to our partners, including our network of brokers and agents.
Through online portals, automation and digital solutions, we can digitally transmit information across our global network. CNA pursues opportunities to utilize innovative technology, including artificial intelligence and robotics, to optimize efficiencies. We often develop these solutions in-house or work with external partners to integrate these tools into our systems.
For further information on related policies including cyber security, please refer to the 2025 CNA Annual Report.
The use of artificial intelligence creates opportunities for innovation, enhanced customer experiences, improved decision making, and increased efficiency and productivity – but also presents risks that must be responsibly managed.
CNA implements AI technologies in a controlled and risk-based manner, with oversight by the CNA AI Governance Committee. All CNA employees have a responsibility to use AI tools and platforms appropriately and prudently in accordance with the Company’s AI policies and standards.
CNA has established a comprehensive AI governance program to manage and mitigate AI-related risks during the testing, implementation and ongoing use of artificial intelligence. This program operates at both the senior executive level and at the employee level.
Management Approach to AI Governance
CNA is committed to using AI in a manner that aligns with our values and promotes fairness, equity and accountability. We are committed to mitigating the risk of bias in our AI technologies, ensuring data privacy and security, and fostering transparency in how AI technologies are implemented.
The CNA global artificial intelligence policy was initially published and communicated to all CNA employees, contractors and affiliates in 2024 and is subject to annual review and updates to ensure alignment with new regulatory requirements, emerging risks, and evolving industry standards. The policy is informed by evolving regulations and frameworks, including the EU AI Act, the NAIC Model Bulletin on AI, and the NIST AI Risk Management Framework.
Highlights of CNA AI Policy:
- Responsible AI Principles: CNA’s use of AI is guided by principles emphasizing human accountability, safety, fairness, privacy, transparency, security, and compliance with applicable laws.
- Ethical Safeguards and Prohibited Uses: The policy prohibits certain high-risk or unethical AI uses (e.g., social scoring, manipulative practices, certain biometric applications) and requires human oversight for decision-making.
- Risk Management Framework: CNA identifies and mitigates key AI risks, including operational, reputational, cybersecurity, privacy, legal, and intellectual property risks, as well as risks specific to generative AI (e.g., inaccurate outputs, data exposure).
- User Responsibilities and Controls: Employees must use AI tools responsibly, follow approved use cases, protect sensitive data, and comply with related policies (e.g., privacy, security, third party risk).
- Ongoing Monitoring and Training: The policy includes continuous monitoring, periodic reassessment of AI systems, and mandatory employee training to ensure compliance and responsible use.
At CNA, we promote a culture of integrity, and our leaders stress the importance of conducting business ethically. Each employee at CNA is responsible for upholding our reputation and must personally attest to the Code of Business Conduct and Ethics and the Commitment to Professional Conduct.
In addition, we require all employees to read and acknowledge key corporate compliance policies, including our Global Anti-Corruption Policy, which outlines expectations under applicable anti-corruption laws worldwide. Employees are also expected to adhere to policies supporting our broader compliance framework, including those addressing conflicts of interest, economic sanctions, data privacy, and the reporting of concerns through our ethics and compliance hotline.
At CNA, we believe it is vital to monitor and engage in the public policy making process to maintain effective business operations and to promote positions that are important to our employees, policyholders and shareholders. We engage responsibly and comply with applicable state and federal laws.
Learn more about our Public Policy Engagement and Political Contributions by year: