This is where many boards have a misconception.
While there are specialized firms that facilitate ransomware payments, there is no broker that removes decision-making, liability, or regulatory risk from the company.
In practice, payment works like this:
The company decides whether to pay
Insurance constrains what is covered, when, and through whom
Specialized incident-response firms facilitate execution
Legal counsel oversees sanctions, compliance, and disclosure
The company always:
Provides the funds (directly or via reimbursement)
Retains legal and regulatory responsibility
Owns the outcome of the decision
Insurance companies:
Do not wire money
Do not hold cryptocurrency
Do not communicate with attackers
They approve coverage and require the use of pre-approved partners.
If a board’s answer to “Would we pay?” is “Depends” or “Yes,” then one governance step is unavoidable:
The organization should have a pre-established relationship with a qualified ransomware response firm.
Not to plan for payment — but to ensure:
Decision-making doesn’t happen in chaos
Legal and insurance requirements are understood in advance
Execution, if ever authorized, is controlled and compliant
Common firms boards may encounter in this role include:
Coveware
Arete Incident Response
GuidePoint Security
GroupSense
Kivu Consulting
Having these relationships in place doesn’t commit a company to paying. It ensures the board retains control, speed, and optionality if pressure forces a decision.
One important and often overlooked risk
Ransomware payment can create legal exposure if the recipient is a sanctioned entity. In the U.S., the Treasury Department’s Office of Foreign Assets Control (OFAC) prohibits payments to individuals, groups, or organizations on sanctions lists, which can include terrorist organizations, nation-state actors, or affiliated criminal groups. Even when a company is acting under duress, intent does not eliminate liability. This is why sanctions screening, legal oversight, and insurer-approved response partners are required before any payment is considered — and why ransomware payment is not simply a financial decision, but a regulated activity with potential civil and criminal consequences.
Coming next
Rather than debating payment in the abstract, the better question is whether the organization actually has the controls in place to support a “yes” or confidently stand behind a “no.” In the next post, I’ll share a simple board-level tool designed to assess ransomware readiness across recovery capability, downtime tolerance, regulatory exposure, and business continuity. The goal isn’t to tell boards what decision to make — it’s to make sure the decision, whichever way it goes, is grounded in reality rather than assumptions.