Panelists weigh pros, cons of paying ransomware demands

Paying ransomware demands may help firms get back to business quickly but can also encourage criminals to continue their activities.

During a session on ransomware at the Professional Liability Underwriting Society’s 2020 Cyber Symposium in New York Tuesday, panelists were asked to take “pro” and “con” positions on the issue of paying ransomware demands, regardless of how they personally felt.

“In many cases it comes out economically beneficial to the companies to pay,” said Tamara Snowdon, senior vice president at Marsh USA Inc. in New York.

However, there is no guarantee firms will get their data back, said Killian Brady, New York-based vice president at consulting firm Arceo.ai, a cyber security technology company. “The most alarming part” is the question of whether “you are encouraging this sort of behavior,” and attracting more criminals to the crime, he said.

Companies should place themselves in a position where they can make a choice whether to pay, said David B. Anderson, vice president, Northeast cyber technology practice, for Lockton Cos. in New York.

It is a matter of someone who “feeds a monster” in the hope of getting their data back vs. having encouraged better data-handling practices before the ransomware attack occurred, he said.

It is important to understand what has changed with respect to ransomware, Mr. Brady said. “For years, we were more focused on understanding criminal behavior” regarding monetizing personally identifiable financial and health information, which criminals sold on the black market, he said.

But because it is hard to sell this information on the black market before it loses its value, and companies are now better positioned to protect their data, criminals have now shifted to ransomware as a “much quicker way to monetize data,” he said.

Disruption caused by ransomware can include financial losses, loss of information, a business slowdown, the need to rebuild systems and a bad reputation, said Ayesha I. West, vice president, cyber liability, at Everest Insurance, a unit of Everest Re Group Ltd. in New York. “The severity can be extreme,” she said.

“We’re seeing that everyone is a target,” including small and middle market companies that became targets last year, Ms. Snowdon said.

Criminals also go after high-profile targets and in some cases study firms’ U.S. Securities and Exchange Commission filings to learn how much cash they have on hand, to determine their demand, Mr. Brady said.

There are variations of ransomware, Mr. Brady said. Some criminals help others in return for a fee or commission, he said. The “jigsaw” type of ransomware gives victims 24 hours to pay, then starts releasing data on an hourly basis until it is paid. “The multiple, different types of ransomware demonstrate the actors in this space are really creative,” he said.

With data breaches, firms have some time to decide how to respond, but “here you don’t have that window of opportunity to make sure you’re exploring all your options,” he said.

The panel also discussed how ransomware is frequently paid in bitcoins. Every time there is a high-profile ransomware case involving bitcoin, “the price of bitcoin jumps a bit,” said Richard L. Reiter, a partner with Wilson Elser Moskowitz Edelman & Dicker LLP in White Plains, New York, who moderated the session.

Enabling a culture where employees are wary of attachments is one way to address the issue, Mr. Anderson said. Firms should also take advantage of security features in their computer systems, he said.

It is frustrating that there is no silver bullet to eliminate any possibility of becoming a ransomware victim, but following best practices and cyber hygiene can reduce the risk, Mr. Brady said. This means not just having a policy in place but testing it, he said.