January 24, 2018 by Jason Contant
A new cyber threat has emerged and it’s something that cyber insurance policies may not even cover.
Proactive extortion occurs when a cybercriminal contacts a selected company, by email or even “snail mail,” and informs the company that it has been targeted for extortion.
“You’re going to open up the letter or email message and it’s going to state that you’ve been targeted for extortion,” Kevvie Fowler, partner, cyber risk with Deloitte Canada, said in an interview with Canadian Underwriter Tuesday. He added the message will further state something like, “We haven’t broken into your systems yet, but unless you pay us a certain number of bitcoin, we are going to carry out the following actions.”
Those attacks could include distributed denial of service attacks (an attempt to make a website unavailable by overwhelming it with traffic), planting prohibited images or unleashing ransomware within an organization, for example.
“That’s increasing in terms of being a plausible attack here in Canada, and the interesting thing is nothing’s actually happened,” Fowler said. “So, if an organization has a cyber insurance policy, there hasn’t been an actual attack, and there are no damages at that point, is it covered or is it not covered?”
Some policies do cover proactive extortion, “believe it or not,” Fowler said. But most do not. “As the attacks continue to evolve, insurers are going to have to continue to evolve their products as well,” he said.
In some situations, there may be no attack and the extortion attempt may be a hoax, but the cyber insurer still pays out the ransom demand. “But what if the threat was real, and the organization and cyber insurer decide not to act on it, and then an organization’s systems are taken down?” Fowler asked. “Now the organization faces derivative lawsuits against the shareholders, class action lawsuits. Even these attempts and proactive extortion demands have to be treated seriously to make sure an organization is in a defensible position.”
Reputation or brand may even be held captive. “Again, people aren’t breaking in, stealing data, holding it for ransom,” Fowler said. “That’s still happening, but in terms of a new class of attacks, you have criminals who are now targeting people stating that they will plant some sort of images or do things to tarnish your reputation unless you pay them some extortion money. It’s not just holding data ransom, it’s holding your brand captive as well.”
Extortion attempts could even apply to devices such as pacemakers, where a computer worm is unleashed that sends a fatal charge to anyone with the device. “In those instances, it’s not just going to be an organization that is targeted, it’s going to be anyone who has loved ones or personally has these plantables within them,” Fowler said. “I definitely see human life being the ultimate goal, the Holy Grail, so to speak, of what cybercrime will be focusing on to get the biggest paydays and to be able to monetize these attacks.”