To Pay, or Not to Pay: 58% of CISOs Say They Would Pay the Ransom for Their Data
Why It Matters
CISO willingness to pay reveals a disconnect between policy guidance and operational risk, shaping insurance costs, shareholder expectations, and overall cyber‑risk strategy.
Key Takeaways
- 58% of surveyed CISOs say they would pay a ransomware ransom
- Only 60% of paying SMEs recover all or part of their data
- 5% of ransom payments result in incomplete decryption
- The M&S ransomware attack is estimated to have cost $400 million in lost profit
- 29% of victims recovered from backups without paying; 33% recovered no data at all
Pulse Analysis
Ransomware attacks have become a routine threat, forcing executives to weigh the cost of downtime against the ethical and legal implications of paying a ransom. The Absolute Software survey of 750 senior security leaders finds that a majority, 58%, would opt to pay, reflecting growing pressure to restore operations quickly. AI‑driven defenses have improved detection but have not eliminated the business impact of encryption, and many boards remain unwilling to tolerate prolonged outages.
Government agencies such as the UK National Cyber Security Centre and the FBI maintain a hard‑line stance against ransom payments, warning that they fund criminal enterprises and offer no certainty of data recovery. Real‑world data supports this caution: IDC reports that 37% of ransomware victims pay, yet only 60% of paying small‑ and medium‑size enterprises get all or part of their data back, and 5% of payments yield only incomplete decryption. Insurance carriers are tightening coverage terms, often requiring proof of robust backup strategies before honoring claims, which pushes organizations toward stronger data resilience measures.
For corporate leaders, the decision hinges on the maturity of backup and incident‑response capabilities. Organizations with tested backups were able to recover without paying in 29% of cases, while 33% of victims recovered no data at all, whether or not they paid. The M&S episode, with an estimated $400 million in lost profit, illustrates that the financial fallout of a prolonged outage can dwarf the ransom itself. Executives must therefore conduct rigorous cost‑benefit analyses, align cyber‑risk policies with realistic recovery options, and communicate clear expectations to shareholders to navigate the evolving ransomware landscape.