Co-Founder Heather Haughian featured in InformationWeek: To Pay or Not to Pay The Ransomware Dilemma

Co-Founder Heather Haughian featured in InformationWeek: To Pay or Not to Pay The Ransomware Dilemma

Culhane Meadows’ co-founder and managing partner Heather Haughian was recently featured in an article by InformationWeek which discusses how to best respond to a ransomeware attack.

Here are some excerpts from Heather’s interview:

So, your company gets hit with a ransomware demand. What next? Law enforcement agencies, like the Federal Bureau of Investigation, typically caution against making ransom payments. But the ultimate decision isn’t always easy to make, especially with costly downtime and sensitive data hanging in the balance.

Ideally, a company will have a well-rehearsed incident response plan in place, but the stakeholders involved will still have to make the tough call when incident response goes from a tabletop exercise to reality.

The Initial Response

As soon as a ransomware demand is made, a company’s cybersecurity team needs to jump into action. The first step is to inform everyone who will be involved in responding to the incident, inside and outside of the company. “The IT/ security team should never be operating in a vacuum when these events occur,” warns Heather Clauson Haughian, a co-founding partner of law firm Culhane Meadows.

Each company’s team, structure, and incident response plan will vary. Typically, internal stakeholders include the CISO, the rest of the leadership team, general counsel, impacted business group leads, and communications. Depending on the company and severity of the incident, a ransomware demand may also merit board-level involvement.

“Your legal counsel and your cyber carrier will help you determine who else should be notified depending on whether the ransomware incident has comprised any systems that could have led to unauthorized access of data,” says Clauson Haughian.

In addition to getting all the key players involved, cybersecurity teams need to determine the extent of the incident. “Confirm that the infected computers/devices have been isolated or completely severed from the company’s network, because ransomware typically scans the affected network and attempts to propagate laterally to other systems,” says Clauson Haughian.

To Pay

The question of whether to pay is not always easily answered. Both decisions come with consequences.

InformationWeek’s Cyber Risk and Resiliency Report: How CIOs are Dueling Disaster in 2023 surveyed 180 IT and cybersecurity professionals. Of those respondents, 10% reported paying a ransom to recover files encrypted in a ransomware attack. The report found 33% of respondents believe that paying was the right decision, while 39% believe time will tell. Those who think it was the wrong decision to pay: 2%.

Not to Pay

What happens if a company opts not to pay? This decision may be made when a company has adequate offline backups to restore its systems. “Having robust backups that live in the cloud and are completely offline are critical to a successful recovery and reducing downtime as much as possible,” says Ma.

Companies may also be able to unencrypt the ransomed data using free and publicly available tools.

While choosing not to pay means a company won’t have to shoulder the cost of the ransom or run the risk of an OFAC sanction violation, there are still consequences.

Even if companies can recover encrypted data, it could be a cumbersome, time-consuming process that impacts business operations, according to Burke. Plus, ransomware gangs are likely to make good on their threats of deleting and/or publishing data. Downtime and reputational damage can be costly.


Deciding to pay or not is just one leg of the arduous journey through ransomware response. Once the choice has been made, the incident response team must face the prospect of recovery.

Regardless of whether a company pays or not, understanding how the attack happened is vital to recovery. Clauson Haughian emphasizes the importance of conducting a root cause analysis to identify the ransomware variant and determine why the attack was successful.

Leadership teams also need to consult with their cybersecurity insurance carrier and legal counsel to ensure they know when and how to disclose the attack.

Preparing for the Next Attack

Making it to the either side of a ransomware attack may lead to a collective sigh of relief, but it is a lesson to be remembered. “No organization is immune from ‘next time,” cautions Burke.

Following a ransomware attack, spend the time to evaluate what worked in the incident response plan and what could be improved. If an organization does not have a plan in place or a sufficient data recovery program, it should develop incident response protocols and immutable backups.

“It’s hard to avoid being thought of as a victim following an attack, However, with the right assistance, an organization can come out better prepared than before they were challenged,” says Larson.

To read the entire article, click HERE

About Culhane MeadowsBig Law for the New Economy®
The largest woman-owned national full-service business law firm in the U.S., Culhane Meadows fields nearly 70 partners in twelve major markets across the country. Uniquely structured, the firm’s Disruptive Law® business model gives attorneys greater work-life flexibility while delivering outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. Clients enjoy exceptional and highly-efficient legal services provided exclusively by partner-level attorneys with significant experience and training from large law firms or in-house legal departments of respected corporations. U.S. News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2024 rankings and many of the firm’s partners are regularly recognized in Chambers, Super Lawyers, Best Lawyers and Martindale-Hubbell Peer Reviews.

The foregoing content is for informational purposes only and should not be relied upon as legal advice. Federal, state, and local laws can change rapidly and, therefore, this content may become obsolete or outdated. Please consult with an attorney of your choice to ensure you obtain the most current and accurate counsel about your particular situation.