Cyber extortion can take various forms. One of the better publicised attack vectors is ransomware, which is a type of malware that can infect a computer system and encrypt data until a ransom is paid, often in the form of a “cryptocurrency” such as Bitcoin. A high-profile example of a ransomware attack was the recent “WannaCry” virus which severely impacted a number of UK state health bodies that had failed to implement software updates.
Another form of cyber extortion may involve threats to release, disseminate or destroy data obtained by some form of unauthorised access. Once confidential data has been exfiltrated, cyber criminals may demand a ransom in order to release it. This kind of attack may not involve any sort of malware, so systems often remain operational during and after the breach. However, if the ransom demand is not met then malware or a DDoS attack may follow.
The “business model” for these cyber criminals appears to involve demanding relatively modest ransoms in order to restore normal services and/or refrain from leaking sensitive data. Faced with the choice between paying a small ransom and losing precious data and/or business income, it is understandable why some businesses would pay the ransom. Indeed, ransom payments resulting from cyber extortion are understood to be one of the fastest growing areas of cyber insurance claims.
Cyber insurance policies often cover cyber extortion, including the payment of a ransom demand. Generally speaking, the payment of a ransom is neither unlawful nor contrary to public policy as a matter of English law. However, these are complex legal issues which require careful consideration of the facts.
Cyber extortion seems to be a growing risk to which the insurance market is responding. However, the legal complexities of dealing with a cyber extortion event require careful consideration on a case-by-case basis.
Source: IUMI (By Matthew Montgomery, Senior Associate, and Joseph Malpas, Trainee Solicitor, HFW, IUMI Professional Partner)