Earlier this week, The Impact Team breached the databases of Ashley Madison, a Canadian-based adulterous dating website. As a result, the hackers gained access to 37 million personal profiles containing such sensitive information as sexual fantasies, credit card data and nude photographs.
While the incident seems to mirror recent cybercrimes on organizations like Target and Home Depot, it actually exposes a new threat that is growing in frequency and presents new opportunities for brokers to provide related coverage.
“Technically speaking, this is actually a case of cyber extortion,” said Brian Rosenbaum, national cyber and privacy practice leader at
Aon Risk Services. “Sometimes it’s motivated by political views, sometimes it’s for financial gain, but either way, it involves someone threatening to release information in order to force a company to do something.”
In Ashley Madison’s case, hackers assert that they were acting in consumers’ defense since the website’s $19 fee to remove personal data was ineffective and “their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
While this catalyst for cyber extortion isn’t common, many businesses may not realize that the act itself is on the rise.
“Cyber extortion is on the upswing now,” Rosenbaum said. “Years ago it wasn’t a big issue, but there’s been a lot of development of malware and intrusion software that make cyber extortion more viable now.”
Even tech companies are vulnerable, as cyber attacks demanding ransom money have hit such savvy organizations as Vimeo, Meetup, Basecamp, Bit.ly and MailChimp, according to the
The New York Times. As a result, Rosenbaum encourages business owners to invest in suitable cyber coverage, which can include protection against extortions.
“A cyber policy is what we call a cafeteria-type policy. It has various insuring agreements that cover different risks,” he said. “Cyber extortion is an insuring agreement, and with this coverage, if somebody infiltrates your system and holds you for ransom, your insurance will pay the ransom and extra expenses needed to terminate the extortion.”
He differentiates this from kidnap, ransom and extortion policies, which protect the enterprise itself, but not outside parties affected by a breach.
“In Ashley Madison’s case, the threat was to release customers’ personal information. Kidnap, ransom and extortion would cover the company’s own intellectual property, but a cyber extortion policy would cover the third party information of the insured,” he said.
While Rosenbaum acknowledges that “regulatory intervention in the risk transfer consideration is not unprecedented,” he feels that mandating this type of coverage on a widespread basis would be too much of a hurdle since it would be “a monumental task” to delineate which industries constitute as high-risk.
Still, while it’s not officially regulated for most enterprises, he sees many private sector organizations requiring a certain baseline of coverage before they will enter into an agreement with another entity.
“A lot of industries have made this a contractual obligation, essentially saying: Want to do business with us? Then buy this insurance.”