As companies become steadily more dependent upon their cyber systems to operate, so cyber extortion becomes a greater peril, says Michelle Crorie.
Following the recent cyber-attack on telecommunications provider TalkTalk in the UK, it is clear that such breaches continue to develop at a faster pace than the authorities can develop methods of preventing them.
In the past six months alone, a number of high-profile incidents have made the public and insurers ever more aware of the risks faced by individuals and companies alike in relation to cyber-extortion.
One such example is the July 2015 attack on Ashley Madison, a website which encourages married users to cheat on their spouses. Hackers gained access and reportedly sought to force the owners to close the site, then leaked the personal information of its users online when the owners failed to do so.
In addition, since last year, a group called DD4BC has been targeting large UK financial institutions, demanding that they pay a Bitcoin ransom or experience a large-scale attack likely to knock client-facing services offline. To date the group has been responsible for more than 140 attacks.
On 21 October 2015, TalkTalk, which has over 4 million users, fell victim to cyber attackers, and the banking and personal details of customers may have been compromised. TalkTalk has been contacted by a group claiming responsibility and demanding payment of a ransom, although details of the demand had not been released at the time of writing.
This is precisely the escalation in extortions which was feared following the spate of high volume/low value extortions, notably in 2013 from Cryptolocker, which amassed ransom payments totalling $27m worldwide across the year, and in May 2014, when Apple products in Australia were hacked, requiring users to pay a ransom to access their devices.
Cyber extortion also lays bare the defects in a victim’s cyber security, which can lead to litigation from users or regulatory consequences. TalkTalk, for example, has admitted that some of its customer data was not encrypted, which could lead to the Information Commissioner’s Office (ICO) inflicting a fine of up to £500,000 ($767,000), if it considers that TalkTalk did not take sufficient steps to protect its customers’ information.
As companies have become steadily more dependent upon their cyber systems to operate, so cyber extortion becomes a greater threat to businesses. Special insurance solutions have always provided cover for such scenarios relating to interference to property, but this has been extended in recent times to electronic data. Now specific cyber extensions are reasonably common, and comprehensive cyber insurance cover is also on offer.
A special risks cyber wording often extends “property” to include electronic data with customized covers to reimburse payments made in response to threats to introduce a computer virus designed to damage, destroy or corrupt the insured’s electronic data.
Questions about “denial of access” are therefore being wrapped into specific cyber extensions. Such extensions can also include losses to the business from the attack (business interruption), together with investigation costs and response consultant assistance.
An overlap has therefore developed with a standard cyber policy that would include first-party loss such as business interruption losses and investigation costs together with third-party liability from a data breach, for example. Some such policies will also offer “cyber extortion” cover as an extension to a cyber policy.
The quality of response consultants is particularly important in securing a swift and effective resolution of an extortion claim. Data breach experts have emerged in recent times and insurers are consistently updating their panel of experts to be able to support an insured’s crisis management team.
Cyber extortion insurance complements broader cyber data breach liability insurance and assists with the immediate problem of managing a hacker’s demand, which, while not the traditional life and death scenario, can realistically cut to the heart of a company’s survival. TalkTalk’s share price dropped by more than 10% during the immediate period after the attack was announced. If the ICO determines that TalkTalk could have done more to prevent the theft of its customers’ data, this could have a long-lasting damaging effect on the firm’s reputation. Businesses that have not purchased adequate protection will want to make considering their insurance an urgent priority.