{"id":208723,"date":"2026-05-04T13:19:00","date_gmt":"2026-05-04T17:19:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/04\/who-owns-the-decision-to-pay-ransomware-attackers\/"},"modified":"2026-05-05T01:25:14","modified_gmt":"2026-05-05T05:25:14","slug":"who-owns-the-decision-to-pay-ransomware-attackers","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/04\/who-owns-the-decision-to-pay-ransomware-attackers\/","title":{"rendered":"Who owns the decision to pay ransomware attackers?"},"content":{"rendered":"<p><a href=\"https:\/\/www.itbrew.com\/stories\/2026\/05\/04\/who-owns-the-decision-to-pay-ransomware-attackers\">Who owns the decision to pay ransomware attackers?<\/a><\/p>\n<p><a href=\"https:\/\/www.itbrew.com\/stories\/2026\/05\/04\/who-owns-the-decision-to-pay-ransomware-attackers\">https:\/\/www.itbrew.com\/stories\/2026\/05\/04\/who-owns-the-decision-to-pay-ransomware-attackers<\/a><\/p>\n<p>Publish Date: 2026-05-04 13:19:00<\/p>\n<p>Source Domain: <a href=\"www.itbrew.com\">www.itbrew.com<\/a><\/p>\n<p>It\u2019s a question that\u2019s been around as long as lunch money: Do you pay the bully?<\/p>\n<p>Companies impacted by ransomware face this tough decision. Business leaders have to quickly understand factors like downtime and data backups, all while a deadline to pay approaches.<\/p>\n<p>A reader asked during an IT Brew live event in April: When an attack hits and the clock is ticking, who owns the decision to pay\u2014IT, legal, the CEO? How does that actually get decided?<\/p>\n<p>We talked with legal and risk pros about who usually makes the call, and where the IT pro fits in the payment plan.<\/p>\n<p>In the room. When it comes to ransomware, the decision-maker can vary between organizations.
Anna Rudawski, privacy and cybersecurity partner at global law firm A&#038;O Shearman, sees the choice to pay or not pay often coming down to some combination of the CEO, CFO, and COO.<\/p>\n<p>The decision-maker, Rudawski told us, should be someone who understands the costs associated with recovery. That knowledge usually falls to someone like a CFO or COO. Calculations in IBM\u2019s 2025 Cost of a Data Breach report included cost factors like engagement of outside experts, product discounts, regulatory fines, and general notices to data subjects.<\/p>\n<p>You also need someone who understands the scope of what this disruption means from a business and operational standpoint\u2014and that\u2019s usually the CEO and COO, Rudawski added.<\/p>\n<p>Business leaders have to understand:<\/p>\n<ul>\n<li>The extent of a compromise<\/li>\n<li>What they believe a threat actor may have exfiltrated or compromised<\/li>\n<li>How many lines of business and services are out<\/li>\n<li>What the customer impact looks like<\/li>\n<li>What the expected downtime and recovery is<\/li>\n<\/ul>\n<p>\u201cBecause if your recovery time after an attack is 24 hours or 12 hours, that decision about whether or not to pay is to look a lot different than if your recovery time is we have to rebuild the entire thing,\u201d Rudawski said.<\/p>\n<p>Fewer people are paying! A recent report from cyber insurance provider Coalition found that ransomware claims severity (i.e., average loss) in 2025 decreased 19% year over year (YoY), with an average loss of $262,000.
The decrease in claims severity, according to the insurer, is due to a growing trend of businesses refusing ransoms and \u201cinstead successfully leveraging viable data backups and restoration to get back online after an attack.\u201d<\/p>\n<p>While 86% of orgs refused ransom, the ask has increased, with the average demand rising to over $1,019,000\u2014a sharp 47% YoY increase from $692,000, the report found.<\/p>\n<p>Anything to add? While IT might not be making the pay-or-not-pay decision, it is providing the C-suite execs with important details to inform their choice.<\/p>\n<p>Rudawski said IT pros will likely be asked for a \u201cforensic picture\u201d: the extent of the compromise and the service outages, what the attack path looks like, and what they believe a threat actor may have exfiltrated or compromised.<\/p>\n<p>For Sue Bergamo, global CIO and CISO at executive advisory BTE Partners, a major question that an IT leader needs to answer is: How quickly can we recover?<\/p>\n<p>\u201cCompetent CIOs and CISOs make sure that they have a good backup, a good disaster recovery plan, a good incident-response plan and a communication plan that goes along with it,\u201d Bergamo said.<\/p>\n<p>In the wake of a ransomware attack, there is increasing pressure on IT to answer another core question: Do you rebuild systems from scratch, or recover with what you have? \u201cFilling in what the timelines around those are, what the realities of those decisions are, is something that they\u2019re going to rely on,\u201d Rudawski said.<\/p>\n<p>Moving forward. Christian Hansen, principal at tax advisory Baker Tilly, also sees an IT pro\u2019s perspective as valuable in the aftermath, when a rethinking of the entire security program may be in order.
Maybe a compromise began with a malicious email, but that doesn\u2019t mean a company can call it a day after more awareness training; a company may need to upgrade its infrastructure and add, say, MFA, or take a closer look at vulnerable assets like hardware at the end of its service life.<\/p>\n<p>\u201cAre there other areas that we need to now put some investment and time into that we were also unaware of?\u201d Hansen said.<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Who owns the decision to pay ransomware attackers? https:\/\/www.itbrew.com\/stories\/2026\/05\/04\/who-owns-the-decision-to-pay-ransomware-attackers Publish Date: 2026-05-04 13:19:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":208724,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.sanity.io\/images\/bl383u0v\/production\/8a01ce613ba48b2dcbc846b502ae402275ede6f0-3632x2288.jpg?rect=0,190,3632,1907&w=1200&h=630&q=70&fit=crop&auto=format","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,34],"class_list":["post-208723","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/208723"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=208723"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/208723\/revisions"}],"predecessor-version":[
{"id":208725,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/208723\/revisions\/208725"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/208724"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=208723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=208723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=208723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}