
Ransomware and Public Entities: To Pay or Not to Pay?


By Mark A. Sadler, JD, RPLU, CPLP, CIPP/US, CIPP/C

The Growing Threat in Public Sector Cybersecurity

Public sector cybersecurity is facing increasing pressure as public entities become prime targets for ransomware—malicious software that locks access to systems or data until a ransom is paid. The FBI defines ransomware as software that restricts access to files or systems and demands payment for restoration. Threat actors may also threaten to publish exfiltrated data in order to extort a ransom payment.

Notable examples include:

  • Atlanta (2018): Estimated recovery cost of $17 million
  • Baltimore (2019): $19 million in losses and service disruptions

The average ransomware event costs $334,000, not including the operational impact on critical public services like 911, sanitation, and public transit.

Prevention and Preparedness in Public Sector Cybersecurity

The best defense against ransomware is a proactive public sector cybersecurity strategy. The Cybersecurity and Infrastructure Security Agency (CISA) offers a Ransomware Guide with best practices for hardening systems.

Key Steps

  • Maintain secure, up-to-date backups
  • Create a detailed incident response plan
  • Engage legal and technical experts
  • Report incidents to law enforcement (e.g., FBI's IC3)

Incident Response for Public Sector Cybersecurity

A strong response plan should include:

  • Isolating infected systems
  • Securing backups
  • Conducting forensic analysis
  • Notifying stakeholders
  • Evaluating recovery options

While some experts may open dialogue with attackers to verify decryption capabilities, the FBI does not support paying ransoms. Payment does not guarantee data recovery and may encourage further attacks.

Legal and Regulatory Risks

Federal Sanctions

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) warns that ransom payments may violate sanctions laws if funds reach sanctioned entities or countries (OFAC, 2021). Violations can result in civil or criminal penalties—even if unintentional.

OFAC considers voluntary self-reporting and a strong compliance program as mitigating factors in enforcement decisions.

State-Level Restrictions

Several states prohibit public entities from paying ransoms:

  • Florida: Prohibits ransom payments and mandates reporting within 12 hours of discovery (Fla. Stat. § 282.3186)
  • North Carolina: Bans both payment and communication with attackers (N.C. Gen. Stat. § 143-800(a))
  • Tennessee: Prohibits ransom payments by state entities and outlines reporting protocols (Tenn. Code Ann. § 4-1-423)
  • Ohio: Prohibits payment of a ransom unless a legislative authority formally approves the action in a specific resolution or ordinance (Am. Sub. House Bill 96, effective September 28, 2025)

Take Action: Strengthen Your Public Sector Cybersecurity

Ransomware attacks are not just costly—they're disruptive to essential public services and legally complex. Public entities should consider the following to strengthen their cybersecurity posture:

  • Review and update cybersecurity policies
  • Train staff on incident response protocols
  • Ensure legal and regulatory compliance

Being proactive is the most effective way to protect your organization, your data, and your community.

We’re Here to Help – Contact Our Loss Control Consultants Today

At Great American Insurance Group, we strive to ensure that our policyholders are not only aware of the hazards they face but are equipped with the necessary tools to prevent and combat them as effectively as possible. Interested in learning more? Talk to our team of experts.

For additional information on improving your organization’s safety and security, visit the Plan & Protect Hub.
