u/stepavskin

Do ransomware victims actually have a duty to disclose, or is silence the smarter play?

Been thinking about this after seeing a few incidents in the finance space over the past year where companies clearly paid quietly and moved on. From a purely operational standpoint I get it. Public disclosure tanks stock price, invites lawsuits, and signals to every other ransomware crew that you're a soft target. The class action surge in 2025 made that calculus even worse. But then you've got FinCEN basically asking firms to file SARs with full IOCs so that threat intel actually gets shared across the sector, and when companies go dark that whole feedback loop breaks down.

I work mostly on the prevention side (AD hardening, microsegmentation, identity posture), so by the time ransomware hits something has already gone pretty wrong. Still, the post-incident decisions matter a lot for everyone else's defenses. The stats I've seen suggest only around 18% of hit firms are actually paying now, which is way down from a few years ago, and median payments dropped too, so the no-pay trend seems real.

But I'm less sure about the disclosure piece. There's a difference between reporting to law enforcement quietly vs. full public transparency, and I feel like a lot of the debate conflates those two things. Has anyone here worked through an incident response where the disclosure decision was genuinely contested internally, and did the outcome change how you'd approach it next time?

reddit.com
u/stepavskin — 4 days ago