Some insurance companies offer kidnap, ransom and extortion policies that also protect against cyberextortion. In addition, many sell funds transfer fraud coverage, which is part of a crime insurance policy to protect against cybertheft.
MG: Should a company pay a cyberextortion demand, especially under a scenario in which they know the attack capability of the bad guy is real?
In fact, according to the SANS Institute, a computer security training, certification and research organization, the FBI receives more than one report of cyberextortion every day.
"The targets of cyberextortion are not unique to large or small or medium," said Kevin Kalinich, cyber/network risk global practice leader for Aon Risk Solutions. "It can hit any size company in any type of industry."
"The main thing that should be done with respect to cyberextortion is to have backups that are offline but are accessible," Fuhrman said.
Cyberextortion policies, they said, generally include a stipulation that the insurance carrier must agree to the ransom sum before it's paid.
Since many DDoS attacks and cyberextortion demands are initiated from locations other than North America, particularly in jurisdictions that are logistically difficult with regard to cooperation, it is a daunting task for law enforcement to find and prosecute the offenders.
The first step is to create a cyberextortion response policy.
But specific steps can be taken by executives to mitigate the damage, including creating a cyberextortion response policy, implementing technical mitigation steps and closely liaising with law enforcement.
Four years later, cyberextortion has become one of the top emerging risks for executives.
But now that there are more and more cases being publicized, and executives are realizing there are a lot of people who are capable of making this happen, cyberextortion has become something executives need to seriously consider as a part of their companies' insurance portfolio."
The insurance covers liability, media, cyberextortion, property loss, loss of e-revenue, public relations costs and the cost of criminal rewards--AIG will post up to a $50,000 reward for information leading to the arrest and conviction of a hacker.