Internet Security

5 Key Factors to Consider Before Agreeing to a Ransomware Settlement

Written by twitiq

In many cases, cybercriminals target companies that hold personally identifiable information (PII). This data is often valuable, as with credit card numbers or healthcare records.

When this happens, there is no guarantee that a company can regain access to the data they need without paying a ransom. However, there are several things a business should consider before agreeing to a settlement.


During the initial hours or days after an incident, there’s often a flurry of activity with the insured, breach counsel, and the carrier about whether to pay a ransom. This may include hourly or daily status updates and calls about whether to engage in direct conversations with the criminals.

If the company cannot access backups, the decision may quickly become one of time and money. The longer it takes to restore data, the higher the financial costs—including revenue loss, lost customers, reputational harm, and excessive recovery expenses.

Threat actors are also increasing their post-exploitation coercion tactics, threatening to publicly release the exfiltrated data of companies that don’t pay up. For example, Alphv recently published a list of infected victims on a data leak site after an 8-figure ransom was unpaid.

Ultimately, the decision to pay or not to pay is not just a financial one—it’s a moral judgment, especially in healthcare, where a hospital chain recently chose to fight its attackers and lost 623,000 patient records. That choice saved the company millions of dollars, but impacted patients had to be diverted to competitors, and some even died from delays in care.


Reputational damage may be the most challenging and expensive cost of a ransomware attack, both for victims and their cyber insurance carriers. Customers may switch to competitors, and the public admission of a ransomware incident can cause further damage by leading customers and the public to doubt an organization’s ability to safeguard their data.

When attacks first became common, it was easy for victim organizations to accept that a reputational hit was just the price of doing business. However, as cyberattacks have increased in severity and sophistication, it’s harder for companies to shrug off the negative impacts.

According to cybersecurity professionals such as Fortinet, one of the most significant issues with ransomware settlements is that threat actors have been known to increase their demands and expose stolen data online after companies decline to pay. Additionally, facilitating a payment to an attacker could be illegal if the threat actor is sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). In these cases, the best strategy is to turn to an incident response team with experience negotiating with threat actors.


A ransomware attack is expensive, and the costs can be even higher when companies are hit with multiple lawsuits and settlements. There are also hidden or soft costs like lost revenue, business disruption, brand erosion, and loss of trust by customers, partners, and investors.

The decision to pay or fight back against hackers depends on financial, operational, and ethical considerations. A company must have access to technical, legal, and communication experts to help make the right call.

For example, healthcare provider Scripps Health recently agreed to a $3.5 million ransomware settlement to hackers who compromised the data of more than 1.2 million current and former patients. This was a much cheaper option than shutting down digital operations, diverting ambulance traffic, and postponing scheduled procedures, which would have cost the company more than $60 million.

But paying a ransom encourages bad actors and raises the stakes for victims. Hackers often demand more money for each subsequent payment or threaten to publish stolen data online. In addition, paying a ransom can trigger state-level penalties and fines under healthcare privacy laws or violate corporate cybersecurity policies.


A well-versed information security team can prevent a ransomware attack. Understanding all the factors associated with recovering from a ransomware incident is essential.

The first step involves identifying which systems are affected. This requires centralized log management, which allows I.T. professionals to correlate data from network and host security devices. A centralized system also helps them quickly isolate a single attack and determine its impact on the organization.
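The correlation step described above, as an added example that is not code from the original article: a small Python script that reads EDR-style host log lines and firewall-style flow log lines, flags hosts showing an encryption burst (many files renamed to the same new extension), and then uses the network logs to widen the scope to machines the host telemetry never saw. The log formats, hostnames, users, IP addresses and the 10.0.0.0/8 internal range are all constructed assumptions; in practice the input would come from the organization's SIEM or log store.

```python
"""Scope a ransomware incident by correlating host and network logs.

Added example; log formats, hosts, users and IPs are constructed, and
10.0.0.0/8 is assumed to be the organization's internal address space.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed inventory mapping hostnames to IPs (assumed CMDB export).
HOST_INVENTORY = {"ws-17": "10.0.5.17", "fs-01": "10.0.9.1", "ws-22": "10.0.5.22"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
RENAME_THRESHOLD = 3  # renames to one new extension that count as a burst

# Constructed host (EDR-style) log lines.
HOST_LOG = """\
2024-05-01T02:10:41Z host=ws-17 user=jdoe proc=update.exe event=process_start
2024-05-01T02:11:05Z host=ws-17 user=jdoe proc=update.exe event=file_rename path=C:/Users/jdoe/Documents/q1.xlsx.locked
2024-05-01T02:11:05Z host=ws-17 user=jdoe proc=update.exe event=file_rename path=C:/Users/jdoe/Documents/q2.xlsx.locked
2024-05-01T02:11:06Z host=ws-17 user=jdoe proc=update.exe event=file_rename path=C:/Users/jdoe/Documents/plan.docx.locked
2024-05-01T02:11:06Z host=ws-17 user=jdoe proc=update.exe event=file_rename path=C:/Users/jdoe/Desktop/notes.txt.locked
2024-05-01T02:12:20Z host=fs-01 user=jdoe proc=update.exe event=file_rename path=D:/shares/hr/payroll.docx.locked
2024-05-01T02:12:20Z host=fs-01 user=jdoe proc=update.exe event=file_rename path=D:/shares/hr/benefits.pdf.locked
2024-05-01T02:12:21Z host=fs-01 user=jdoe proc=update.exe event=file_rename path=D:/shares/fin/ledger.xlsx.locked
2024-05-01T02:15:30Z host=ws-22 user=asmith proc=chrome.exe event=process_start
2024-05-01T02:15:40Z host=ws-22 user=asmith proc=explorer.exe event=file_rename path=C:/Users/asmith/draft-v2.docx
"""

# Constructed network (firewall flow) log lines.
NET_LOG = """\
2024-05-01T02:10:50Z src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=18342
2024-05-01T02:11:58Z src=10.0.5.17 dst=10.0.9.1 dport=445 bytes_out=2201
2024-05-01T02:12:10Z src=10.0.9.1 dst=203.0.113.45 dport=443 bytes_out=5120
2024-05-01T02:15:35Z src=10.0.5.22 dst=198.51.100.10 dport=443 bytes_out=900
2024-05-01T02:16:02Z src=10.0.5.30 dst=203.0.113.45 dport=443 bytes_out=410
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = {"ts": ts}
        event.update(KV.findall(rest))
        events.append(event)
    return events


def encryption_bursts(host_events):
    """Hosts that renamed at least RENAME_THRESHOLD files to the same new extension."""
    counts = Counter()
    for ev in host_events:
        if ev.get("event") == "file_rename":
            ext = ev["path"].rsplit(".", 1)[-1].lower()
            counts[(ev["host"], ext)] += 1
    return {host: ext for (host, ext), n in counts.items() if n >= RENAME_THRESHOLD}


def scope_incident(host_log=HOST_LOG, net_log=NET_LOG, inventory=HOST_INVENTORY):
    """Return ({host_or_ip: [evidence, ...]}, [suspect external IPs])."""
    host_events, net_events = parse(host_log), parse(net_log)
    ip_to_host = {ip: host for host, ip in inventory.items()}
    affected = defaultdict(list)

    # Step 1: host telemetry alone flags machines with an encryption burst.
    for host, ext in encryption_bursts(host_events).items():
        affected[host].append(f"mass rename to .{ext}")

    # Step 2: external destinations those hosts talked to become suspect.
    suspect_dsts = set()
    for ev in net_events:
        src = ip_to_host.get(ev["src"], ev["src"])
        if src in affected and ipaddress.ip_address(ev["dst"]) not in INTERNAL_NET:
            suspect_dsts.add(ev["dst"])

    # Step 3: network telemetry widens the scope to sources the EDR never saw
    # (anything reaching a suspect destination) and to internal hosts that
    # received SMB connections from a flagged machine.
    for ev in net_events:
        src = ip_to_host.get(ev["src"], ev["src"])
        dst = ip_to_host.get(ev["dst"], ev["dst"])
        if ev["dst"] in suspect_dsts:
            affected[src].append(f"outbound to suspect {ev['dst']}:{ev['dport']}")
        elif src in affected and ev["dport"] == "445" and ipaddress.ip_address(ev["dst"]) in INTERNAL_NET:
            affected[dst].append(f"SMB from flagged host {src}")

    return {h: sorted(set(e)) for h, e in affected.items()}, sorted(suspect_dsts)


if __name__ == "__main__":
    affected, dsts = scope_incident()
    print("Suspect external destinations:", ", ".join(dsts))
    for host, evidence in sorted(affected.items()):
        print(f"{host}: " + "; ".join(evidence))
```

Run stand-alone, the script reports ws-17 and fs-01 from the host logs, and then 10.0.5.30, a machine with no host log at all, from the network logs, because it contacted the same external destination as the flagged hosts. That last case is the point of the correlation: neither data source alone gives the full list of affected systems, and the list drives both isolation and the restore priority discussed below.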

Once the affected data has been identified, your CISO should work with an I.T. vendor to identify and prioritize recovery efforts. This can help minimize downtime and the potential for a business interruption claim.

During this process, your CISO should work with your insurance broker to determine if any coverage is available. A reputable insurance broker will review your entire suite of policies, including general commercial liability, fidelity, and specialty terrorism or kidnap and ransom coverage. They will also help you create a documented incident response plan that clearly defines which stakeholders should be engaged during an attack.


It used to be that attackers would compromise a company, encrypt the data and demand a ransom. The criminals would then promise to erase the stolen data if the victim paid, or sell it on darknet marketplaces if the victim didn’t pay up.

Those days are fading away, however. Threat actors have become much more sophisticated, and if an organization has adequate backups, it can restore its systems and avoid a ransom payment altogether.

Additionally, most cyber insurance policies now offer ransom payment coverage.
