It's a gray area - most big companies will get cybersecurity insurance - then the insurance company pays the ransom (assuming your policy covers it). When working at a small-cap financial services company, our policy cost north of $2MM a year.
Such clear game theory. If nobody pays the ransom, the group suffers less overall. But targeted individuals suffer greatly. Targeted individuals have a high incentive to pay, which encourages more attacks on the group.
A previous company I worked for took the "high road". Mostly because the CIO was a delusional psychopath. She refused to pay the mere 1 mil ransom. Told the CEO the disaster recovery systems would bring the company back online in a few hours (everybody, except her apparently, knew the DR system was a total joke). Hackers wiped the encrypted drives of every machine in the company and said good day.
4 weeks later they had the website, basic email and server operations functioning again. 3 months later they had restored business continuity more or less.
She was fired a week after that.
I'm guessing it cost the company tens of millions, if not over 100 million.
I doubt it, especially if you make the executives personally liable. There are lots of other profitable things that companies generally don't do because they are illegal.