Since GARMIN is a publicly traded company, couldn’t an investor demand to know if the money was paid, and if they don’t get an answer, they could go to the SEC? Could they sue?
Interesting question. The dynamics surrounding which questions get proper answers in shareholder meetings are always interesting to me. There is no right way and bullshitting certain questions is an art. On grounds of material impact this question is hard to skip an answer to. Perhaps the payoff wasn't that material in the end, but the hack was. So even a small-fry shareholder could ask this in the shareholder meeting and expect an answer. Skipping to answer good questions often leads to more in the future, so that's the balance the CEO and investor relations face. One could always reach out to analysts to try and get some critical mass going.
I would think that it will be duly included in the company's financial statements, so that the material impact of this overall is duly reported. But obviously there will be no reference to any ransom.
I would also suspect that they never paid any ransom. They probably only paid consulting fees to security/ransomware experts (wink wink).
There is the Matt Levine answer to this, which is 'Everything is Securities Fraud' [0]. He claims that, partially because securities law is broad and relatively functional, violations of other laws end up being pursued under securities law.