The new ransom: cyber extortion
A cybersecurity issue that many companies fail to prepare for, or even consider, is cyber extortion, especially distributed denial of service (DDoS) threats involving ransom demands. Such attacks are intended to impede a victim's ability to conduct business online until the ransom is paid. Hackers have not abandoned traditional data breaches; however, these incidents are not as lucrative because the black market for credit card and Social Security data is oversaturated. Any company or organization, regardless of size, is at risk and should consider what is at stake if it is threatened with a cyber extortion claim. Confirmed victims of cyber extortion range from police departments to Fortune 500 companies.
Initially, companies such as payment processing vendors, online gaming sites, and others that stood to lose the most from a service outage were the most prone to DDoS attacks. However, automated ransomware, malware that disables a computer system by encrypting data and locking the victim out, has given hackers the ability to target essentially anybody. For example, a pop-up window displays a demand for ransom, typically with a threat to delete or publicly share the data if payment is not made in time. These occurrences can be costly and time-consuming; therefore, an insurance solution can be extremely valuable in taking pressure off the business.
While nobody wants to give in to the demands of an anonymous extortionist, some have gone to great lengths to avoid being strong-armed. This is not an advised risk management decision. One such company was Code Spaces, which was the victim of a DDoS attack and refused to pay the ransom. It chose instead to change passwords in an effort to take back its account, but the extortionist, who had already created backup logins, responded by randomly deleting files. Most of the company's data, backups, machine configurations, and offsite backups were either partially or completely deleted.
More often than not, companies opt not to take the risk and pay the ransom. Maintaining a positive and secure reputation, rather than disclosing that they have been breached, is one of the primary reasons why some choose to cooperate with extortionists rather than bringing the matter to the attention of law enforcement. The threat of public exposure, rather than data loss, is often enough to extract payment from businesses that fear embarrassment or loss of reputational standing.
So would a kidnap, ransom, and extortion (KR&E) policy exclude a cyber event? As with any policy, it depends on whether the event's circumstances coincide with how the policy is worded. However, it is reasonable to expect to find some degree of coverage in most cyber policies. Cyber extortion coverage needs to be specifically requested, as it is rarely acted on otherwise; that being said, it is fairly easy to obtain. The financial backing that comes with a cyber insurance policy can provide financial security for a company and its employees, as well as the breach response expertise necessary to navigate an attack when one happens.
About the Author
Spencer Mahoney is a Client Executive at Gallagher WGA, working on structuring and negotiating complicated insurance placement for clients in the Property and Casualty area. Mr. Mahoney specializes in dealing with energy and technology clients.