Extortion refers to situations where a third party demands that an organization pay money (or take some other action) or suffer an adverse consequences.  Modern day extortion often takes the form of “cyber-extortion” – where the threat and adverse consequence involves the disclosure of an organization’s information or an attack on an organization’s electronic infrastructure. 

There are many different examples of cyber-extortion in practice, but some of the most common include infecting an organization’s computer systems with malware that requires payment to unlock or remove (i.e., ransomware), exploiting a security vulnerability identified by the extorter, threatening to disclose an organization’s security vulnerabilities to the press or to other hackers, or even threatening to disclose an organization’s security vulnerabilities to government regulators.

The following provides a snapshot of information concerning cyber-extortion as well as a checklist for organizations that are confronted by an extortion demand:

What to think about when considering a cyber extortion demand:

1. How confident are you that a threat has been made against the organization?  Is it possible that the situation involves a white hat or grey hat hacker who does not intend to threaten the organization?
2. Is the threat credible?
3. If the exploitation of a security vulnerability is threatened, can the organization identify the vulnerability without the aid of the extortionist?
4. If the disclosure of non-public information is threatened, is there any evidence that the information has not already been disclosed or shared with others?
5. If the cyber-extortion was conducted in conjunction with the theft of personal information, does your organization have to report the event under data breach notification statutes regardless of whether the extortion demand is paid?
6. Does your organization have systems in place to mitigate any impact of the extortionist carrying through with their threat?  For example, if the threat involves the destruction of data (e.g., ransomware) does your organization have a disaster recovery system from which impacted data can be restored?
7. If an extortion demand is paid what is the likelihood that your organization will receive similar demands in the near future?
8. If your organization were to pay the demand is it likely that the recipient of the funds may be associated with terrorism or located in a restricted country?
9. Is cyber-extortion covered under your cyber insurance policy?
10. If information concerning the extortion, or your decision to pay (or not pay) were made public are you prepared to respond to inquiries from the public, the media, and regulators?

1. FBI, 2016 Internet Crime Report available at https://pdf.ic3.gov/2016_IC3Report.pdf

2. NYA International, Cyber Extortion Risk Report (Oct. 2015) at 3.

[View source.]