In 2015, a group calling itself The Impact Team stole user data from one of the Internet’s most notorious dating websites.
Operating under the provocative slogan “Life is short. Have an affair,” AshleyMadison.com is a service designed to enable users to engage in extramarital romances. Though the site was frequently the target of severe moral critiques, users were able to operate under relative anonymity.
All of that changed in mid-July when The Impact Team announced it had gained access to 37 million profiles containing such sensitive information as sexual fantasies, credit card data and nude photographs. Hackers demanded that the website close or face the publication of the information – something that happened a month later.
Avid Life Media, which owns Ashley Madison, was almost immediately hit with a $578 million class-action lawsuit, and CEO Noel Biderman was forced to resign.
While the incident and subsequent events seem to mirror recent cybercrimes against organizations like Target and Home Depot, they actually expose a new threat that is growing in frequency and presents new opportunities for brokers to provide related coverage.
“Technically speaking, this is actually a case of cyber extortion,” says Brian Rosenbaum, national cyber and privacy practice leader at Aon Risk Services. “Sometimes it’s motivated by political views, and sometimes it’s for financial gain, but either way, it involves someone threatening to release information in order to force a company to do something.”
In Ashley Madison’s case, the would-be vigilantes asserted that they were acting in consumers’ defense, as the website’s $19 fee to remove personal data was ineffective and “their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
While this motive for cyber extortion is highly uncommon, the act itself is seemingly not. Despite a lack of firm statistics – few companies want to admit they’ve been the victim of extortion – anecdotal evidence suggests it’s on the rise.
“Cyber extortion is on the upswing now,” Rosenbaum says. “Years ago it wasn’t a big issue, but there’s been a lot of development of malware and intrusion software that make cyber extortion more viable now.”
Even tech companies are vulnerable. Cyber attacks demanding ransom money have hit such savvy organizations as Vimeo, Meetup, Basecamp, Bit.ly and MailChimp.
Hackers certainly have the means to release the information, and it often has a devastating impact on the business. In addition to the class-action lawsuit facing Avid Life Media, cyber insurance spectators watched this April as cyber criminals released via WikiLeaks several embarrassing emails from Sony Pictures executives obtained during the 2014 breach of the entertainment company.
“Cyber breaches are now not a simple ‘one-time event,’ as many other types of risk can be,” says Jack Elliott-Frey, a broker with cyber insurance specialist SafeOnline. “What we have seen with Sony is the determination by hackers, once inside the network, to extract as much information as possible and drip-feed it via the most destructive channels – in this case, the media – over a certain period of time.”
Although these hacks are often sustained, Elliott-Frey notes that cyber policies should also consider what happens when the attacks finally cease.
“It demonstrates the importance of a cyber policy that covers not only preventative techniques, but also a post-breach strategy involving IT forensics or other third parties that can assess and help your organization prepare for any further damaging events.”
As for the more financially obvious fallout related to extortion, Rosenbaum encourages brokers to help business owners locate suitable cyber coverage that includes protection against this new and emerging risk.
“A cyber policy is what we call a cafeteria type policy. It has various insuring agreements that cover different risks,” he says.
“Cyber extortion is an insuring agreement, and with this coverage, if somebody infiltrates your system and holds you for ransom, your insurance will pay the ransom and extra expenses needed to terminate the extortion.”
Rosenbaum differentiates this from kidnap, ransom and extortion policies, which protect the enterprise itself, but not outside parties affected by a breach. “In Ashley Madison’s case, the threat was to release customers’ personal information. Kidnap, ransom and extortion would cover the company’s own intellectual property, but a cyber extortion policy would cover the third party information of the insured,” he says.
While Rosenbaum acknowledges that “regulatory intervention in the risk transfer consideration is not unprecedented,” he feels that mandating this type of coverage on a widespread basis would be too much of a hurdle since it would be “a monumental task” to delineate which industries are high-risk.
Still, while it’s not officially regulated for most enterprises, he sees a need for many private-sector organizations to require a certain baseline of coverage before they enter into an agreement with another entity.
“A lot of industries have made this a contractual obligation,” he says. “[They’re] essentially saying, ‘Want to do business with us? Then buy this insurance.’”