Who has authority to authorise a ransom payment (or refuse one)? Has that decision been pre-discussed?
Description
What this control does
This control establishes a formal, documented decision authority for ransomware payment authorization, designating specific roles (e.g., CEO, CFO, General Counsel, Board Chair) empowered to approve or refuse payment demands. The authority matrix must be pre-defined and socialized before an incident occurs, including thresholds, consultation requirements, legal constraints, and ethical considerations. Pre-incident discussion ensures decision-makers understand organizational policy, regulatory obligations (e.g., OFAC sanctions, data breach notification laws), operational impact tolerance, and reputational consequences, enabling faster, more consistent crisis response.
Control objective
What auditing this proves
Demonstrate that the organization has formally designated decision authority for ransom payment authorization, documented that authority in incident response plans, and evidenced pre-incident discussion or approval of the decision framework by authorized stakeholders.
Associated risks
Risks this control addresses
- Unauthorized personnel approve ransom payments to sanctioned entities, resulting in regulatory penalties and criminal liability under OFAC or equivalent sanctions regimes
- Decision paralysis during active ransomware incident causes prolonged downtime, extended data exfiltration windows, and increased operational harm while stakeholders debate authority
- Mid-level incident responders or IT staff make ad-hoc payment decisions without legal review, exposing the organization to compliance violations or funding prohibited terrorist organizations
- Inconsistent ransom payment decisions across incidents create precedent expectations among attackers, encourage repeat targeting, and undermine organizational deterrence posture
- Lack of pre-incident ethical and legal discussion results in hasty payments that violate organizational values, board directives, or contractual obligations with customers or partners
- Payment authorization without proper chain-of-custody or legal consultation results in ineffective payments, loss of funds, or payment to wrong wallets with no decryption
- Unclear authority leads to multiple executives authorizing conflicting actions (e.g., simultaneous payment and law enforcement engagement), compromising both negotiation and investigation
Testing procedure
How an auditor verifies this control
- Obtain the current ransomware incident response plan and any supplementary crisis management or business continuity plans that address extortion scenarios.
- Identify and extract the section(s) defining decision authority for ransom payment authorization, including named roles, titles, succession order, and any threshold criteria (e.g., payment amount, data sensitivity).
- Review board meeting minutes, executive committee records, or equivalent governance documentation from the past 24 months for evidence of ransomware payment policy discussion, tabletop exercises, or formal approval of the decision framework.
- Interview the designated decision authority (e.g., CEO, CFO, General Counsel) to confirm their awareness of the role, understanding of legal constraints (sanctions, reporting obligations), and participation in pre-incident planning discussions.
- Examine ransomware tabletop exercise after-action reports or simulation records to verify that payment authorization scenarios were included and decision authority was exercised or tested.
- Verify that the incident response plan references external consultation requirements, such as cyber insurance carrier notification, legal counsel review, law enforcement coordination, and sanctions screening before payment.
- Trace the escalation path from initial ransomware detection through technical response to executive notification, confirming documented procedures identify when and how the payment decision authority is engaged.
- Review any historical ransomware incidents (or near-miss extortion attempts) to validate that actual decision-making followed the documented authority framework, or that deviations triggered plan updates.