However they don’t really need to because there are plenty of documented cases, and the incident response company you hire will almost certainly have prior knowledge of the group you’re forced to deal with.

If they had a history of fucking over their “customers”, the IR team you hired would know and presumably advise against paying.