Law firm BakerHosteler handles more than 1,250 cyber-related incidents a year. ("Cash Money (part two)" by jtyerse is marked with CC BY-NC-ND 2.0.)

It's taking longer to negotiate ransomware demands. That is a good thing.

Law firm BakerHosteler, which handles more than 1,250 cyber-related incidents a year, said in its annual Data Security and Incident Response report that the typical ransomware negotiation for its clients in 2021 lasted eight days. That is roughly twice as long as the five days in 2020.

"It's about urgency. So if you needed to decrypt because operations are down, something's broken, or something's not working, you're trying to negotiate quickly because the faster you pay, the faster you can restore," said Craig Hoffman, partner with the firm who co-leads its Digital Risk Advisory and Cybersecurity team.

BakerHostetler's statistics provide a platform- and negotiator-independent look at how enterprises with high-end legal advice handle breaches. All single-company-based statistics are biased toward a customer base. In 2019, BakerHostetler clients paid on average three times as much as those using Palo Alto's incident response team, a possible consequence of the size of the firms involved. In 2020, that dropped to twice as much, even as statistics for the average payments for both skyrocketed. But in 2021, BakerHostetler clients' average payments dropped from $795,000 to $510,000, with PAN's client's jumping from $311,000 to $570,000, the first time the law firm's client base paid less. BakerHostetler thinks time of negotiation might be a reason why.

If time is not a scarce resource, the negotiating advantage is back in the hands of the consumer. Between 2020 and 2021, the average ransomware payment dropped by a third among BakerHostetler clients. And the difference was particularly pronounced in those who spent more time negotiating. The median negotiation time for firms paying $1 million or more was eight days. The time for those paying between $200,000 and $1 million: 10 days.

That is probably for more than one reason. If you are able to be patient, it could be because you have backups and are only negotiating to prevent leaks, said Hoffman. It could just as easily mean that companies had better segmentation, preventing the most critical systems from being encrypted, said Ted Kobus, head of the  Digital Assets and Data Management practice at BakerHostetler. Or it could just mean being patient for the sake of making more informed decisions.

"Because of all the data we've collected in the history with these threat actors, they have a better understanding of what the next few weeks look like, and what they can gain out of that next few weeks while they're still figuring out how the incident impacts them," said Kobus.

"I think that enterprises are becoming a little bit more nimble," Kobus said.