The bad news is that your company just wired a six-figure payment to an extortionist's offshore bank account in exchange for a pledge from the criminal -- whatever that's worth -- to spare your network from a threatened distributed denial-of-service attack.
The good news is someone at your company had the foresight to buy insurance that covers this kind of unnatural disaster.
What? You say you didn't know that insurance policies cover cyber extortion payments? Join the club.
The details are fascinating: if you buy such coverage from Chubb Corp, for example, the actual extortion payment can be covered for up to $US25 million, depending on what premium you're prepared to pay, says Tracey Vispoli, a Chubb vice president.
And that's just the start. Should the payment "be destroyed, disappear or be confiscated for some reason or another", fear not, as that loss is covered, too, Vispoli says. Need to hire an independent negotiator to handle the ugliness of dealing with an extortionist? Covered. Need a public relations cleansing as a result of bad publicity? Chubb's got your back covered.
If corporate victims literally have nothing to lose, well, paying an extortionist to go away suddenly looks more prudent than making a potentially expensive stand on principle. That such payments are bad for society as a whole seems beyond debate.
Of course, the existence of this insurance is yet another reason lawmakers are unlikely to outlaw such payments.
I certainly do not blame the insurers for selling this coverage, or companies for buying it. Vispoli says about a quarter of companies carry some kind of cyber insurance, and it is within these broader policies that you'll find specific coverage for extortion. An underwriting process precedes the coverage, so at the very least a company buying it is made to review its security controls, although an audit against a management standard measures documented policy and process, not whether the perimeter would actually hold up under attack.
"We do require that the insured go through a third-party security audit that looks very much the same as the ISO-17799 (standards for security management)," Vispoli says.
"My sources would suggest that this particular type of peril is on the rise. The problem is obtaining statistical information. There's a suggestion that perhaps 70 percent of such events go unreported. They don't want the public relations nightmare that is associated with an extortion demand."
Which left me pleasantly surprised to learn that Chubb requires by contract that its customers report extortion demands to the authorities. I've argued that it should be legally mandated as well.