Cyber extortion refers to a situation in which a third party threatens that if an organization does not pay money, or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extorter, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators.

Below is a checklist for organizations that are confronted by a cyber extortion demand.

  1. Is the threat credible?
  2. If the exploitation of a security vulnerability is threatened, can the organization identify the vulnerability without the aid of the extortionist?
  3. If the disclosure of non-public information is threatened, is there any evidence that the information has not already been disclosed or shared with others?
  4. If an extortion demand is paid, what is the likelihood that your organization will receive similar demands in the near future?
  5. If your organization were to pay the demand, is it likely that the recipient of the funds may be associated with terrorism or located in a restricted country?
  6. Is cyber extortion covered under your cyber insurance policy?

The following provides a snapshot of information concerning cyber extortion.


The number of entities that reported being victimized by cyber extortion over a six month period.1


Estimate of the percentage of cyber extortion cases that are not reported.2

$2,500 - $100,000

Range of unsolicited demands related to alleged security vulnerabilities made to Bryan Cave clients between 2014 and 2015.