Cyber extortion refers to a situation in which a third party threatens that if an organization does not pay money, or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extorter, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators.
The following provides a snapshot of information concerning cyber-extortion as well as a checklist for organizations that are confronted by an extortion demand:
The amount collected by cyber-extortion criminals in 2015.[1]
Estimate of the percentage of cyber-extortion cases that are not reported.[2]
$2,500 to $100,000: Range of unsolicited demands related to alleged security vulnerabilities made to Bryan Cave clients between 2014 and 2015.
What to think about when considering a cyber extortion demand:
- Is the threat credible?
- If the exploitation of a security vulnerability is threatened, can the organization identify the vulnerability without the aid of the extortionist?
- If the disclosure of non-public information is threatened, is there any evidence that the information has not already been disclosed or shared with others?
- If an extortion demand is paid, what is the likelihood that your organization will receive similar demands in the near future?
- If your organization were to pay the demand, is it likely that the recipient of the funds is associated with terrorism or located in a restricted country?
- Is cyber-extortion covered under your cyber insurance policy?