Well if it is, that can be expensive in money and reputation – it may even get you into the press, so everyone can see what you did.
Panera Bread likely paid a ransom in March ransomware attack (bleepingcomputer.com)
In the UK there is also this advice to consider:
It is probably better to have a plan in place that shows you have taken at least the basic steps in protecting your organisations, customers and stake holders information – then if you have to pay you can at least mitigate the story.
Here is some help to get you started:
Clive Catton MSc (Cyber Security) – by-line and other articles