Ransomware incidents rarely begin as boardroom issues. At first, they look operational: encrypted systems, unavailable files, locked accounts. But they quickly become legal, commercial and governance issues requiring decisions under pressure and with incomplete information.
For Irish organisations, particularly legal practices and regulated professional services firms, those decisions now sit against GDPR obligations, evolving NIS2 governance expectations, client confidentiality duties, and increasing scrutiny of board oversight.
To pay or not to pay
This is the question boards often hope they will never have to answer.
The dilemma is rarely as simple as principle versus pragmatism. Organisations need to weigh:
- the realistic prospect of restoration from backups (and whether those backups are intact and not themselves encrypted),
- the risk that exfiltrated data is published regardless of whether payment is made,
- contractual service failures,
- the risk of sanctions exposure if the recipient of a payment is a sanctioned person or entity,
- whether payment may encourage repeat targeting,
- insurer involvement and policy conditions, and
- whether, if the ransom is paid, the decryption keys will even work, and how long decryption will take at scale.
For legal firms, the stakes are even higher if privileged client material has been compromised.
The legal issue is not just whether to pay, but whether the organisation can later demonstrate that the decision was informed, proportionate, legally assessed, properly documented, and made with awareness of the regulatory and sanctions implications.
Downtime: when the commercial clock starts immediately
It’s easy to underestimate how quickly ransomware becomes a business continuity crisis rather than a cyber event. The questions become brutally commercial:
- How long can we operate manually?
- Which services are genuinely business critical?
- What client deadlines are now at risk?
- Are court filings, closings, payroll, or regulated submissions affected?
- What revenue is lost per day of outage?
For law firms, outages may affect transaction completions, litigation filings, escrow processes, access to matter records, and billing.
The challenge is to make commercially defensible prioritisation decisions, often before the full facts, including how the attacker got in and what was taken, are known. Ideally, a law firm will have settled the following in its cyber security and ransomware response plans before an incident:
- Which systems are critical, and in what order they are restored?
- What revenue impact thresholds apply?
- Which scenarios could result in client harm?
- How are issues escalated externally?
- Who has the final say on the critical decisions?
Without this, legal firms are forced into ad-hoc judgment at exactly the worst time.
Reputational harm: damage beyond the incident
In many ransomware cases, the longer-term damage is not technical.
Clients may tolerate a short outage, but they are less forgiving of poor communication, delayed disclosure, weak governance, or leaks of sensitive data. For legal practices, trust is central to the client relationship.
The reputational question boards wrestle with is often “What will this incident say about how we govern risk?”
That is why legal, PR, forensic, insurer, and board messaging must align from the earliest stage.
Regulator expectations: the governance lens
One of the biggest shifts in ransomware response is that regulators increasingly assess board behaviour, not just technical failings. The NIS2 Directive, the EU's updated legal framework for cyber security, places increasing emphasis on management body accountability, governance, and evidence of oversight, and for in-scope entities it brings its own notification timelines for significant incidents (an early warning within 24 hours and an incident notification within 72 hours of becoming aware). At the same time, if personal data is involved, the GDPR requires notification to the supervisory authority (in Ireland, the Data Protection Commission) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, so that clock can run in parallel. Boards now need to evidence:
- risk-based recovery decisions
- third-party forensic engagement
- external reporting pathways
The question after an incident is no longer simply “Were your systems secure?”, but “How did the board govern the crisis?” That is a much more difficult question to answer after the fact.
The insurance and client contract dilemma
Another pressure point is the intersection between cyber insurance obligations and client contractual promises. Boards may need to reconcile insurer notification requirements with contractual disclosure obligations and legal reporting deadlines — all simultaneously.
Complying with one obligation may risk breaching another.
The least bad option
Ransomware rarely presents a clean decision. Organisations are forced to make a series of least-bad decisions under significant pressure.
Those that respond best are usually not the ones with the most sophisticated technology, but those with:
- tested ransomware plans,
- legal privilege frameworks (for example, engaging forensic investigators through counsel so that findings and advice are obtained under privilege),
- pre-agreed decision criteria,
- clear client communication templates,
- regulatory and insurer reporting matrices, and
- reputational crisis governance.
In practice, ransomware resilience is now as much a governance capability as it is a cyber capability.
Final thought
For Irish legal and professional services boards, ransomware is no longer just a technology issue. It is a governance stress test.
The real exposure lies in how quickly leaders can make defensible decisions around payment, downtime, disclosure, privilege, and reputation – and demonstrate afterwards that those decisions were reasonable, documented, and capable of withstanding scrutiny.
Paul Delahunty is Chief Information Security Officer at Stryve, a leading Irish multi-cloud and cybersecurity company and ICTTF Cyber Security Company of the Year 2022. Paul is CIO and IT Leaders Security Leader of the Year 2023 and 2024, and is the Tech Excellence Awards CIO of the Year 2024.
