The ransomware playbook for owners.
The owner's job in a ransomware event isn't to fix anything. It's to make the hard decisions — communication, legal, financial — fast and well.
If ransomware hits, your IT team or MSP handles the technical side. Your job as the owner is different. It's making the decisions only you can make — communication, legal exposure, financial commitments, whether to pay — and making them fast while staying calm. That requires its own playbook.
The questions only you can answer
Do we pay or not? Do we tell employees today or tomorrow? Do we tell clients before or after the forensics report? Do we bring in outside counsel? Do we notify the insurer even if it might raise our premium? (Most cyber policies require prompt notice of an incident, and late notification can void coverage, so this one is usually not optional.) Nobody below you can make those calls. And nobody in the crisis will have the patience to walk you through the tradeoffs in detail. You need to think them through in advance.
Two owner responses, two outcomes
A small firm owner tried to handle a ransomware event quietly, without insurer or counsel, to "avoid a big deal."
Outcome: Discovery happened three weeks later via a client. Regulatory deadlines were missed. Insurance coverage was voided because of late notification.
Another owner called insurer, counsel, and MSP within the first two hours of discovery and followed their process.
Outcome: Containment in 24 hours, notifications on schedule, insurance coverage held, clients kept their trust. A $180K event instead of a $700K one.
Owner-level decisions to pre-think
- Who notifies employees, clients, and regulators — and in what order?
- Under what conditions, if any, would you consider paying a ransom? (Talk to counsel and insurer before you need to decide. Payment is a legal question as much as a financial one: some payments are prohibited outright, for example where the attacker is a sanctioned entity.)
- Who on the board or leadership team needs to know immediately?
- What's your communication plan for existing clients?
- Who speaks to the press if it leaks?
We coach owners through the first 48 hours.
The owner's playbook is something we walk through with clients before a breach. If you want yours prepped, ask.
1. Write a one-page owner playbook before you need it: insurer, counsel, MSP, comms plan.
2. Decide now, in consultation with counsel, what your position on ransom payment is.
3. Identify who notifies whom. Put names, not roles, on the plan.
4. Draft pre-written client communications for different incident severities.
5. Review the playbook annually, ideally after every tabletop.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.