Who Pays the Ransom?

What every business leader needs to decide before the day everything stops.

By Nate Olson, Fractional IT Director & vCIO | N.O. IT Strategy LLC | May 2026

It was the first Tuesday in December 2025.

Walter Rowen arrived at Susquehanna Glass Co. in Columbia, Pennsylvania at 9 a.m. to find his entire operation under siege. Criminals had gotten into the network and locked down everything: financial records, inventory systems, customer data, employee files containing Social Security numbers and direct deposit information. The production floor went silent. He had no choice but to send 40 people home.

Then the demand arrived. One million dollars to get his own company back.

His grandfather built Susquehanna Glass in 1910. Walter Rowen was watching a 116-year-old family business hang in the balance on a Tuesday morning in December. He wrote about the experience himself in Fortune magazine in April 2026, describing exactly what it felt like to be on the receiving end of a ransomware attack with no playbook and everything on the line.

For most leaders, a business is not just an asset on a balance sheet. It is something they built, something they are responsible for, something that employs real people with families and mortgages. When it goes down, that is not just a financial event. Ransomware does not care about any of that.

[Statistic callout: share of SMB breaches that included a ransomware component, compared to just 39% at larger organizations. Figure not captured in this copy.]

What the first hour actually looks like

Most business leaders picture ransomware as a technology problem. It is not. It is an organizational crisis that started with a technology failure. In the first hour, the decisions that matter most have nothing to do with IT.

Your systems are locked and you cannot access anything. Your backups may also be locked or deleted, because the attackers planned for that too. A deadline has been stated or a countdown timer is running. Someone in your organization has to make decisions they have never made before, under pressure, with incomplete information, and without a plan.

Susquehanna Glass got lucky in a very specific way. The attackers deleted the backup drives but did not encrypt them. Rowen overnighted the drives to a recovery firm in California, and by Friday nearly everything was back.

The cleanup still cost over $100,000. Attorneys, forensic investigators, data recovery, IT labor. They never paid a dollar of ransom. If the recovery had not worked, a 116-year-old business would have closed permanently.

The uncomfortable truth: More than half of ransomware attacks target organizations with fewer than 50 employees. Attackers choose smaller operations specifically because they are less likely to have tested backups, a written response plan, or anyone who knows what to do when the clock starts. Mid-market organizations face the same problem at higher dollar amounts.

“One of the fastest ways to jeopardize a ransomware claim is to pay the ransom before notifying your carrier. Most cyber policies require carrier consent before any payment is made, and acting unilaterally can put coverage for the ransom itself, and sometimes the broader claim, at risk. The carrier’s breach attorney and incident response team are also there to help you make a better decision in the moment, including whether paying is even legal.”

Joe Erle, Cyber Group Practice Leader, C3 Risk & Insurance Services.

[Statistic callout: the median time from initial intrusion to ransomware execution has dropped to a matter of days. Figure not captured in this copy.]

The question nobody answers in advance

If your backups are gone and your systems are locked, do you pay?

This is not a technology decision. It is a business decision, a legal decision, and a financial decision. It needs to be made by the right person, with the right information, inside a defined window of time. Most organizations have never answered it. They find out what their answer is while the clock is ticking.

Before any payment decision can even be considered, five things have to happen first.

  1. Your cyber insurance carrier must be notified. Many policies require notification within 24 to 72 hours of discovery, and missing that window can result in denied coverage.
  2. Legal counsel must be engaged, not after decisions are made, but during. 
  3. The FBI must be notified. Reporting is voluntary, but it is also a prerequisite for the compliance check that follows.
  4. An OFAC check must be completed, because paying a sanctioned threat actor is a federal crime regardless of whether you knew they were on the list. 
  5. Finally, alternatives to payment must be exhausted or documented as unavailable, because free decryptors exist for many known ransomware strains.

What OFAC means for your organization: The U.S. Treasury Department’s Office of Foreign Assets Control prohibits ransom payments to sanctioned groups. Ransomware gangs linked to North Korea, Russia, and Iran are on that list. “I did not know they were sanctioned” is not a legal defense. This check has to happen before payment, not after.

[Statistic callout: average downtime in the event of a ransomware attack, in days. Figure not captured in this copy.]

Who actually has authority to say yes

This is the question that paralyzes organizations in the middle of an incident. A $50,000 demand lands on a Friday morning. The CEO is traveling and your IT vendor is asking what you would like them to do. Nobody has a clear answer because nobody decided in advance.

In a well-prepared organization, payment authority is defined before the attack.

Demand Amount | Who Can Authorize
Under your defined threshold | CEO or designated executive, with legal counsel engaged and the insurance carrier notified.
Mid-range demand | CEO, CFO, and legal counsel together, unanimously. Board notification required within 24 hours.
Above your upper threshold | Board of directors or governing body, with outside legal counsel and an OFAC opinion letter recommended.

Those dollar thresholds are placeholders. Your organization needs to define the actual amounts with legal counsel before an incident happens, not during one.
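As an added illustration (not from the briefing or N.O. IT Strategy's materials), the five prerequisites and the authorization tiers above can be written into the incident response plan as a decision gate: given what the response team has actually done so far and the demand amount, it lists everything still blocking a payment decision, including who has not yet signed off. The threshold amounts, the 48-hour carrier notification window, the role names and the sample incident are constructed placeholders; the real values come from counsel and your carrier.

```python
"""Pre-payment decision gate for a ransomware incident.

Added example, not part of the briefing. It turns the five prerequisites
and the authorization tiers described above into a checklist that an
incident response plan could carry. Threshold amounts, the carrier
notification window and the sample incident are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Placeholder tier thresholds in USD; the briefing deliberately names none.
LOWER_THRESHOLD = 50_000
UPPER_THRESHOLD = 250_000

# Placeholder carrier notification window; policies commonly say 24 to 72 hours.
NOTIFICATION_WINDOW = timedelta(hours=48)


@dataclass
class IncidentState:
    """What the response team has actually done so far."""
    discovered_at: datetime
    carrier_notified_at: Optional[datetime] = None
    legal_engaged: bool = False
    fbi_reported: bool = False
    ofac_check_done: bool = False
    ofac_match: bool = False           # threat actor matched the sanctions list
    decryptor_checked: bool = False    # search for a free decryptor documented
    board_notified: bool = False
    approvals: set = field(default_factory=set)   # roles that have signed off


def required_approvers(demand: float) -> tuple:
    """Map a demand amount to the authorization tier and the roles it needs."""
    if demand < LOWER_THRESHOLD:
        return "low", frozenset({"CEO"})          # or a designated executive
    if demand < UPPER_THRESHOLD:
        return "mid", frozenset({"CEO", "CFO", "Legal"})
    return "high", frozenset({"Board"})


def blocking_issues(state: IncidentState, demand: float) -> list:
    """List every reason a payment decision cannot yet be considered.

    An empty list means the prerequisites are met and the right people
    have signed off; it never means 'pay', only that the decision may be made.
    """
    issues = []
    if state.carrier_notified_at is None:
        issues.append("insurance carrier not notified")
    elif state.carrier_notified_at - state.discovered_at > NOTIFICATION_WINDOW:
        issues.append("carrier notified after the policy window; coverage at risk")
    if not state.legal_engaged:
        issues.append("legal counsel not engaged")
    if not state.fbi_reported:
        issues.append("FBI not notified")
    if not state.ofac_check_done:
        issues.append("OFAC sanctions check not completed")
    elif state.ofac_match:
        issues.append("threat actor is on the OFAC sanctions list: payment prohibited")
    if not state.decryptor_checked:
        issues.append("availability of a free decryptor not checked or documented")

    tier, approvers = required_approvers(demand)
    missing = approvers - state.approvals
    if missing:
        issues.append(f"{tier} tier still needs sign-off from: {', '.join(sorted(missing))}")
    if tier == "mid" and not state.board_notified:
        issues.append("board notification required within 24 hours")
    return issues


def sample_state(notified_after_hours: Optional[float] = None, **done) -> IncidentState:
    """Constructed sample incident discovered at 9 a.m. on Tuesday, 2 Dec 2025."""
    discovered = datetime(2025, 12, 2, 9, 0)
    notified = None
    if notified_after_hours is not None:
        notified = discovered + timedelta(hours=notified_after_hours)
    return IncidentState(discovered_at=discovered, carrier_notified_at=notified, **done)


if __name__ == "__main__":
    untouched = sample_state()
    print("Nothing done yet:", blocking_issues(untouched, 30_000))
    ready = sample_state(6, legal_engaged=True, fbi_reported=True, ofac_check_done=True,
                         decryptor_checked=True, approvals={"CEO"})
    print("Low tier, prerequisites met:", blocking_issues(ready, 30_000))
    print("Same state, mid-range demand:", blocking_issues(ready, 100_000))
```

The gate is deliberately one-directional: it can only say "not yet" or "the authorized people may now decide". A positive OFAC match is a hard stop rather than an approval question, and a late carrier notification is flagged even when everything else is in order, because that is the point at which coverage for the claim is at risk.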

[Statistic callout: share of small businesses that rely on untrained internal staff or the business owner to manage cybersecurity entirely. Figure not captured in this copy.]

The detail that will surprise you

Ransomware groups often read your insurance policy before they set the demand. You read that correctly. This is not some kid in his mom's basement; these are organized, professional teams who at times understand your policy better than you do.

If attackers access your network and find your cyber policy stored on a shared drive or server, they use it to calibrate the ransom. They look at your coverage limits, your ransomware sublimits, and your willingness-to-pay indicators. Initial demands increasingly mirror policy coverage amounts.

In the summer of 2025, Coalition Incident Response documented a North American law firm attack by the Qilin ransomware group where the threat actor cited specific provisions of the victim’s insurance policy during negotiations. They threatened to notify the firm’s clients directly if payment was not made. The initial demand was nearly $900,000. The policy had been sitting on a shared network drive.

Your cyber insurance policy is a sensitive document. It needs to be stored like one.

For small businesses specifically, total incident costs ranged between $120,000 and $1.24 million.

When insurance actually works

Not every story ends in disaster. When the policy is current, the prerequisites are met, and the carrier gets notified fast, insurance can cover most or all of the damage.

Coalition, one of the largest cyber insurers in the United States, published claims data in 2025 covering the full year of 2024. Across their portfolio, 56% of claims were resolved with zero out-of-pocket cost to the policyholder. The average recovery per claim was $278,000. Insurance worked, for the organizations that had coverage in place and reported the incident promptly.

The data on negotiation is also encouraging. When professional incident response teams handle the negotiation, final payments consistently come in well below the initial demand, often 60% lower or more. The opening number is not the final number.

What good preparation looks like

Unfortunately, you cannot control whether you get attacked. However, you can control whether you are ready.

  • A written incident response plan with defined roles and a payment authorization chain.
  • A current cyber insurance policy reviewed annually, with sublimits that match your actual risk.
  • Tested, immutable backups stored somewhere the attackers cannot reach.
  • Legal counsel identified before you need them.
  • Your insurance policy stored securely, not on a shared network drive.
  • Someone in your organization who knows the plan and can execute it at 7 a.m. on a Tuesday.

That last one is where most organizations are exposed. Not because leadership does not care, but because nobody has made it anyone’s job to care.

The ransom question is not an IT question. It is a leadership question. The organizations that answer it before the attack are the ones that survive it.

If you want to build a comprehensive incident response plan for your organization following the NIST SP 800-61 Computer Security Incident Handling Guide, prepare for a cyber insurance renewal, or audit your current coverage against your actual security posture, get in touch at noitstrategy.com.

Strategic Briefings are published for informational purposes and reflect the author’s independent analysis. This document does not constitute legal or insurance advice. Consult qualified counsel for decisions specific to your organization.

Coming up in Strategic Briefing No. 13

This briefing was written for business owners and leaders. In our next briefing, we flip to the technical side. What is IT’s job when the attack is happening, what do they do first, what do they preserve, and what decisions belong to them versus you and leadership? Written for business owners who need to understand what their IT side is actually doing when it matters most.

Sources

  1. Walter Rowen, president of Susquehanna Glass Co., Columbia, Pennsylvania. Fortune, April 16, 2026. fortune.com/2026/04/16/small-business-owner-hidden-tax-cyber-ransomware-131-billion
  2. Coalition Incident Response, documented case involving the Qilin ransomware group. August 2025. coalitioninc.com/blog/cyber-insurance/how-hackers-leverage-insurance-details-in-ransomware-attacks
  3. Coalition 2025 Cyber Claims Report, full-year 2024 data. Coalition Inc., May 2025. coalitioninc.com/announcements/2025-cyber-claims-report