Who owns the decision to pay ransomware attackers?
We talk with exec advisors and legal pros about who’s making the call.
It’s a question that’s been around as long as lunch money: Do you pay the bully?
Companies impacted by ransomware face this tough decision. Business leaders have to quickly understand factors like downtime and data backups, all while a deadline to pay approaches.
A reader asked during an IT Brew live event in April: When an attack hits and the clock is ticking, who owns the decision to pay—IT, legal, the CEO? How does that actually get decided?
We talked with legal and risk pros about who usually makes the call, and where the IT pro fits in the payment plan.
In the room. When it comes to ransomware, the decision-maker can vary between organizations. Anna Rudawski, privacy and cybersecurity partner at global law firm A&O Shearman, sees the choice to pay or not pay often coming down to some combination of the CEO, CFO, and COO.
The decision-maker, Rudawski told us, should be someone who understands the costs associated with recovery. That knowledge usually sits with someone like a CFO or COO. Calculations in IBM’s 2025 Cost of a Data Breach report included cost factors like engagement of outside experts, product discounts, regulatory fines, and general notices to data subjects.
You also need someone who understands the scope of what this disruption means from a business and operational standpoint—and that’s usually the CEO and COO, Rudawski added.
Business leaders have to understand:
- The extent of a compromise
- What they believe a threat actor may have exfiltrated or compromised
- How many lines of business and services are out
- What the customer impact looks like
- What the expected downtime and recovery is
“Because if your recovery time after an attack is 24 hours or 12 hours, that decision about whether or not to pay is going to look a lot different than if your recovery time is ‘we have to rebuild the entire thing,’” Rudawski said.
Fewer people are paying! A recent report from cyber insurance provider Coalition found that ransomware claims severity (i.e., average loss) in 2025 decreased 19% year over year (YoY), with an average loss of $262,000. The decrease in claims severity, according to the insurer, is due to a growing trend of businesses refusing ransoms and “instead successfully leveraging viable data backups and restoration to get back online after an attack.”
While 86% of orgs refused ransom, the ask has increased, with the average demand rising to over $1,019,000—a sharp 47% YoY increase from $692,000, the report found.
Anything to add? While IT might not be making the pay-or-not-pay decision, it is providing the C-suite execs with important details to inform their choice.
Rudawski said IT pros will likely be asked for a “forensic picture”: the extent of the compromise and the service outages, what the attack path looks like, what they believe a threat actor may have exfiltrated or compromised.
For Sue Bergamo, global CIO and CISO at executive advisory BTE Partners, a major question that an IT leader needs to answer is: How quickly can we recover?
“Competent CIOs and CISOs make sure that they have a good backup, a good disaster recovery plan, a good incident-response plan and a communication plan that goes along with it,” Bergamo said.
In the wake of a ransomware attack, there is an increasing pressure on IT to answer another core question: Do you rebuild systems from scratch, or recover with what you have? “Filling in what the timelines around those are, what the realities of those decisions are, is something that they’re going to rely on,” Rudawski said.
Moving forward. Christian Hansen, principal at tax advisory Baker Tilly, also sees an IT pro’s perspective as valuable in the aftermath, when a rethinking of the entire security program may be in order. Maybe a compromise began with a malicious email, but that doesn’t mean a company can call it a day after more awareness training; a company may need to upgrade its infrastructure and add, say, MFA, or take a closer look at vulnerable assets like hardware at the end of its service life.
“Are there other areas that we need to now put some investment and time into that we were also unaware of?” Hansen said.
About the author
Billy Hurley
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.