79% of Ransomware Gangs Will Negotiate. Most Companies Don’t Ask.

234 real ransomware negotiations analyzed. 79% of criminal gangs offered a discount when victims simply asked. Most companies pay full price because no one on the response team knew it was a viable move.

Cyber Risk: The Board Room Edition

The single most expensive sentence in a ransomware response plan is the one that gets said when the ransom note appears: “Just pay it.”

The second most expensive sentence is: “Don’t pay it.”

Both skip the only conversation that actually changes the outcome — which is the negotiation in between.

What the Data Says

NegIQ-234™ is the dataset I have spent the last year building: 234 documented ransomware negotiations, 24 criminal gangs, and more than 11,000 messages. We built it because the industry had stories, anecdotes, and IR vendor war-room legends — but no structured analysis of what actually happens inside the chat window.

The headline finding is this: in 79% of cases, the gang offered a discount when victims simply asked for one.

The asymmetry is staggering. The gangs know this. Most victims do not.

Why Most Companies Don’t Ask

When the ransom note hits, three things happen at once:

– Executive panic compresses the decision window.

– Legal counsel raises sanctions, OFAC, and regulatory concerns.

– The IR vendor — often billing by the hour — optimizes for forensic evidence collection, not deal terms.

In that environment, negotiation becomes an afterthought. The conversation gets handed to whoever happens to be in the response bridge with the patience to type — frequently somebody with no formal negotiation training and no authority to commit to anything. The gang notices in the first three messages.

The result is usually one of two outcomes: pay quickly at or near the demand, or refuse loudly and absorb the operational hit. The middle path — actual negotiation — gets skipped, even though the data says it produces the best risk-adjusted outcome roughly 79% of the time.

The Messenger Tactic

There is one move in the NegIQ-234™ dataset that produces a measurable, consistent improvement: never being the decision-maker in the chat window.

When the person typing operates explicitly as a messenger to leadership — “I need to take this number back to the executive team” — settlement outcomes improve by an average of roughly 20 percentage points compared to negotiations where the typist is framed as the decision-maker.

The reasons are mechanical:

– The messenger never has to concede in the moment. Every demand gets routed through a delay.

– The messenger can blame the unseen principal for refusals without damaging rapport.

– The messenger creates time — and time is the most valuable negotiation asset in a ransomware event.

This is Move 7 in the 8 Moves framework — Redirect and Counter. It is a textbook negotiation move that the cyber industry has not yet formalized into IR runbooks.

If your incident response plan does not name who plays the messenger and who plays the unseen principal, your plan is not finished.

Hit on NegIQ-234™

The most striking pattern in the dataset isn’t the 79%, or even the Messenger Tactic improvement. It’s this:

The difference between victims who got discounts and victims who didn’t was almost never the technical sophistication of the response. It was whether anyone formally asked.

The IR firms with stronger forensic capabilities did not get better negotiation outcomes than firms with weaker ones. The companies with bigger insurance towers did not get better outcomes than smaller ones. The variable that consistently mapped to settlement size was whether somebody on the response team treated the chat window as a negotiation — with prep, structure, and roles — versus a transaction.

This is a process gap, not a capability gap. Which means it’s fixable in a tabletop, not a budget cycle.

Board Callout

Don’t wait until you need a negotiation-trained cyber expert to find one. By the time you need them, you’re in crisis — and the people worth having on the line already have other clients.

Three actions, in order of effort:

  1. Identify and retain a cyber-negotiation specialist before the next breach. A pre-existing relationship beats an emergency phone call every time. Boards in financial services, healthcare, and critical infrastructure should treat this the same way they treat outside counsel: known, retained, on call.

  2. Build the bench internally. Send your CISO, GC, and IR lead through formal negotiation training. The skill is learnable; what isn’t learnable is doing it for the first time under fire.

  3. At minimum, add negotiation scenarios to your tabletops. Most cyber tabletops focus on technical containment. Few include the chat-window negotiation, the insurance call, or the board briefing where the real decisions get made. Add those. Practice them.

The cost of preparation is small. The cost of improvisation, as MGM demonstrated, is measured in nine figures.
