[https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack](https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack)

Alternate link for those paywalled by Bloomberg: [https://www.businessinsurance.com/article/20210520/NEWS06/912341988/CNA-paid-$40-million-cyber-ransom,-Bloomberg-reports](https://www.businessinsurance.com/article/20210520/NEWS06/912341988/CNA-paid-$40-million-cyber-ransom,-Bloomberg-reports)
**It’s time for a law against ransom payments.**
This is a public-goods problem — individual companies find it economically attractive to pay ransom, which imposes externalities (greater risk of being extorted, because this encourages extortion) on others.
Executives sit in a room and say “we’ll lose $xM in business if we’re down for a week, it’s cheaper to pay”. That’s the same logic as dumping toxic waste, i.e. an individual company finding it economically beneficial to pollute the river behind its factory, imposing externalities (dirty water, etc.) on others.
The solution is to make laws against polluting, and likewise against paying extortionists.