The cyber extortion question: To pay or not to pay

By Shawn Dougherty March 24, 2014

Recently, the popular social media web service Meetup.com received a threatening e-mail demanding $300 to call off a distributed denial-of-service (DDoS) attack that had just begun on its system. The company made the decision not to pay the ransom demand. That led to an extensive attack that knocked the website off-line for periods of up to 24 hours over the next four days.

The decision not to pay was bold, and Meetup.com has worked to ensure that its members were not affected. In a blog post, the company’s CEO Scott Heiferman was very persuasive in defending the decision not to pay what seems a paltry sum. He said the company believed the initial demand was simply an opening test, as the criminals would then push the values up in a painful cycle.

Ironically, the decision to fight and not pay the $300 resulted in much greater IT and public relations (PR) expenses. Not every business has top-shelf public relations, IT, or legal resources at its disposal as Meetup.com has, and without them a similar decision is difficult to make.

The insurance industry is responding to the risk of cyber extortion with specialized policies that help make available and pay for the valuable IT, legal, and PR services companies need. Policies can also cover the ransom demand if law enforcement or other involved parties deem the payment to be the proper course of action.

Cyber extortion is fast becoming an operational risk that must be managed and planned for. There’s no foolproof way to prevent becoming a victim of a cyber extortion event. Many businesses, government agencies, and individuals are increasingly becoming targets of this often random crime. Preparing a plan of action ahead of time can be highly valuable to a business during a cyber extortion crisis.

Part of the plan of action might be to invest in a cyber insurance policy that provides coverage for cyber extortion. Such a policy could be a real lifesaver and allow a business to make that decision to fight if it were to face the situation that Meetup.com did this month.

To learn more about the cyber extortion coverage offered through ISO Cyber Risk Solutions, please e-mail me at sdougherty@iso.com. Also, make sure to follow me on Twitter @doughertyshawn.

Stay tuned for the next blog post in our Cyber Monday Series.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.