Cyber extortion refers to a situation in which a third party threatens that if an organization does not pay money, or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extorter, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators.
Below is a checklist for organizations that are confronted by a cyber extortion demand.
- Is the threat credible?
- If the exploitation of a security vulnerability is threatened, can the organization identify the vulnerability without the aid of the extortionist?
- If the disclosure of non-public information is threatened, is there any evidence that the information has not already been disclosed or shared with others?
- If an extortion demand is paid, what is the likelihood that your organization will receive similar demands in the near future?
- If your organization were to pay the demand, is it likely that the recipient of the funds may be associated with terrorism or located in a restricted country?
- Is cyber extortion covered under your cyber insurance policy?
The following provides a snapshot of information concerning cyber extortion.

| Figure | Description |
| --- | --- |
| 9,715 | The number of entities that reported being victimized by cyber extortion over a six month period. [1] |
| 85% | Estimate of the percentage of cyber extortion cases that are not reported. [2] |
| $2,500 - $100,000 | Range of unsolicited demands related to alleged security vulnerabilities made to Bryan Cave clients between 2014 and 2015. |
[1] Id.
[2] NYA International, Cyber Extortion Risk Report (Oct. 2015) at 3.