Cyber extortion refers to a situation in which a third party threatens that, if an organization does not pay money or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extortionist, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators.
Below is a checklist for organizations that are confronted by a cyber extortion demand.
- Is the threat credible?
- If the exploitation of a security vulnerability is threatened, can the organization identify the vulnerability without the aid of the extortionist?
- If the disclosure of non-public information is threatened, is there any evidence that the information has not already been disclosed or shared with others?
- If an extortion demand is paid, what is the likelihood that your organization will receive similar demands in the near future?
- If your organization were to pay the demand, is it possible that the recipient of the funds is associated with terrorism or located in a restricted country?
- Is cyber extortion covered under your cyber insurance policy?
The following provides a snapshot of information concerning cyber extortion.
The number of entities that reported being victimized by cyber extortion over a six-month period.[1]
Estimate of the percentage of cyber extortion cases that are not reported.[2]
$2,500 to $100,000: range of unsolicited demands related to alleged security vulnerabilities made to Bryan Cave clients between 2014 and 2015.