September 25, 2017 by Greg Meckbach, Associate Editor
Cyber extortion can take several different forms, including attempts to blackmail employees into giving away sensitive information, and different insurers have different cyber policy wordings to deal with extortion, RIMS Canada Conference speakers suggested Monday.
In addition to “plain Jane ransomware,” one form of cyber extortion is called injunctive, cyber security expert Kevvie Fowler said during a RIMS Canada Conference panel, titled Cyber Extortion – The Next Generation.
“What makes injunctive extortion different is that no money actually changes hands,” Fowler said.
“The criminals are not actually looking for bitcoins … or any types of cryptocurrency. They are looking for access to systems.”
RIMS Canada takes place until Wednesday at the Metro Toronto Convention Centre.
Fowler said criminals conducting injunctive extortion may be looking for passwords.
“It could be someone is being blackmailed to look the other way when some type of crime actually happens,” he said. “That might be extorting a security guard to look the other way if a gang of thugs break into an organization and steal some kind of property.”
In addition to injunctive extortion, three other categories of cyber extortion are opportunistic, targeted, and proactive.
The opportunistic kind “is typically what most people deal with when they get hit with cyber extortion,” Fowler said. “It’s some form of malware that has infected the machine, that has encrypted data, and a message pops up demanding bitcoins in order for the data to be released.”
Targeted extortion “is when you have cyber criminals who are very focussed in terms of selecting a target, in terms of getting into systems, stealing information and then either contacting the organization or publicly reporting the fact that they had broken in and breached the organization,” Fowler said.
Targeted extortion is the “most difficult type of extortion to deal with,” Fowler added.
By contrast, with proactive extortion, criminals “are just sending a notice to the organization” threatening to break into their systems and steal data, he suggested.
“As silly as it sounds, it’s actually happening now in North America, and a lot of organizations are falling victim to it,” he warned.
Also speaking on the panel was Matthew Davies, vice president of professional, media and cyber liability for Chubb.
“You could easily have an extortion situation that morphs into a business interruption,” Davies said of cyber extortion. “We have a claim going on right now where malware was installed. It encrypted data. The IT department said, ‘We will deal with this.’ And four days later, they couldn’t figure out how to get rid of it and now there is a business interruption to the organization as a result.”
Davies added “there are many wordings out there in the cyber world” and “lots of different approaches” by different insurers offering cyber coverage.
“You do need to take a close look when you are selecting cyber carriers as to how their language compares to each other,” Davies told RIMS Canada attendees.