Cyber extortion refers to a situation in which a third party threatens that, unless an organization pays money or takes a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability the extortionist claims to have identified, reporting the organization's security vulnerability to the press, or reporting the organization's security vulnerability to regulators.

The following provides a snapshot of information concerning cyber extortion, as well as a checklist for organizations that are confronted by an extortion demand:

$209 Million

The amount collected by cyber-extortion criminals in 2015.[1]


Estimate of the percentage of cyber-extortion cases that are not reported.[2]

$2,500 to $100,000

Range of unsolicited demands, relating to alleged security vulnerabilities, made to Bryan Cave clients between 2014 and 2015.

What to think about when considering a cyber extortion demand:

  1. Is the threat credible? For example, has the extortionist offered any proof, such as a sample of the data or a reproducible demonstration of the vulnerability, or only a general claim?
  2. If the exploitation of a security vulnerability is threatened, can the organization identify and confirm the vulnerability on its own (for example, through its own testing or review of its logs), without the aid of the extortionist?
  3. If the disclosure of non-public information is threatened, is there any evidence as to whether the information has already been disclosed or shared with others? If it has, payment will not prevent disclosure.
  4. If the extortion demand is paid, what is the likelihood that your organization will receive similar demands in the near future?
  5. If your organization were to pay the demand, is it likely that the recipient of the funds is associated with terrorism or located in a restricted country, such that the payment itself could be unlawful?
  6. Is cyber extortion covered under your cyber insurance policy, and does the policy require notice to the insurer before any payment is made?