To benefit from cyber insurance in France, don't forget to file a complaint

The French regulation has been enacted in the context of the French government decision to fight against the resurgence of cyberattacks, together with ransom demands.

Since April 2023, French regulation makes the payment of insurance compensation in case of cyberattacks conditional on the filing of a complaint within a reduced time frame.

This regulation has been enacted in the context of the French government decision to fight against the resurgence of cyberattacks, together with ransom demands, which have a significant impact on the economy.

The filing of complaints would allow the authorities to access crucial information to prosecute the perpetrators.

The text

Law No. 2023-22 of January 24, 2023, on the orientation and programming of the Ministry of the Interior (LOMPI) introduces into the French Insurance Code a new chapter consisting of a single article.

Chapter X – Cyber Risk Insurance

“Art. L. 12-10-1. – The payment of a sum pursuant to the clause of an insurance contract intended to compensate an insured for loss and damages caused by a breach of an automated data processing system mentioned in articles 323-1 to 323-3-1 of the criminal code is subject to the filing of a complaint by the victim with the competent authorities no later than seventy-two hours after the victim becomes aware of the breach.

This section applies only to legal entities and natural persons in the course of their business.”

Application date

This new law came into effect on April 24, 2023.

In practice, however, even before that date most cyber-insurance policies already required the insured to file a complaint.

Relevant cyberattacks

Article L. 12-10-1 of the Insurance Code refers to the various breaches of an automated data processing system mentioned in articles 323-1 to 323-3-1 of the French Criminal Code (cyberattacks) that may give rise to compensation. These cover all offences against the confidentiality and integrity of computer data and systems and against access to them, including illegal access, data interference, system interference and misuse of devices. This notably includes malware attacks (including ransomware); phishing (attempts to obtain confidential information by impersonating a known entity); data theft; defacement (unsolicited modification of a website); denial-of-service attacks (aimed at making a service unavailable); interception of communications, for example on a public Wi-Fi network; and the exploitation of an unpatched vulnerability in software.

Types of damage: Debates related to ransom payments

Initially, the bill dealt specifically with insurance coverage and indemnification of “the payment of a ransom by the insured in the context of extortion” following such cyberattacks and ransomware attacks.

According to the impact assessment attached to the bill, “the payment of a ransom by the victim of an extortion is neither a crime nor an act of complicity (as the consent to the payment is not freely given, but results from the coercion that characterizes the crime). It follows that the principle of having an insurance covering the damage caused by the payment of the ransom does not seem to run up against any major legal obstacle”. The impact assessment also notes that “no Organization for Economic Co-operation and Development (OECD) country has taken measures to prohibit the payment of ransoms, nor has it prohibited the principle of insuring them.”

However, the fact that the law would have referred specifically to the insurance of ransom payments gave rise to strong reactions and debates, on the grounds that it would run counter to the policy of fighting the proliferation of cyber threats and the financing of crime. It could indeed have been read as a blank check from the legislator to pay ransoms in ransomware cases, even though the responsible authorities, and in particular the National Cybersecurity Agency of France (Agence Nationale de la Sécurité des Systèmes d’Information, or ANSSI), officially recommend not paying. Authorities in other countries, such as the UK’s Information Commissioner’s Office (ICO), have issued recommendations along the same lines. Several amendments to prohibit ransom payments were put to the vote in the Senate, but all were rejected.

The final text of the law is broader since it stops referring to insurance for the payment of ransoms and aims at any “loss and damage caused” by a cyberattack. Two new ministerial categories of guarantees have been added to the Insurance Code (article A. 344-2): “32. Damage to property resulting from attacks on information and communications systems” and “33. Consequential pecuniary losses to the same attacks”.

However, this does not mean that any given cyber-risk insurance policy covers ransom payments nor, for that matter, all types of cyberattacks and/or the losses that follow from them. The conditions and exclusions of the insurance policy must be carefully examined.

Condition: File a complaint within 72 hours

To benefit from the insurance coverage, the victim of a cyberattack must file a complaint with the “competent authorities” within 72 hours after becoming aware of the attack.

Even though the term “competent authorities” is not defined, the reference to “filing of complaint” (dépôt de plainte) leads to the assumption that this is a reference to the police, the gendarmerie, or the public prosecutor, which is also consistent with the purpose of the law.

The 72-hour time limit was chosen by reference to the time limit for notifying personal data breaches to the French data protection authority (the Commission Nationale de l’Informatique et des Libertés, or CNIL) under the General Data Protection Regulation (GDPR). However, the cyberattacks covered by the new article are broader than personal data breaches under the GDPR. Furthermore, many other notification obligations exist, with different thresholds and deadlines, such as notification of health data breaches to the French regional health agencies (ARS), notification to the ANSSI under the law transposing the NIS Directive (and, soon, the NIS 2 Directive), and notification to the financial authorities (the Autorité de Contrôle Prudentiel et de Résolution (ACPR) or the Banque de France), among others. This is a rather complex setting to navigate, especially in times of crisis. Preparation is, therefore, vital.

Purpose of the requirement

The purpose of making the payment of insurance compensation conditional on the filing of a complaint is to ensure that the judicial authorities are systematically informed, so that they can quickly launch investigations that will, at the very least, shed light on cyberattack methods or, at best, prevent further attacks.

Indeed, until now, many companies were hesitant to alert the authorities, for fear of reputational damage or of being accused of a lack of diligence in the management of their IT systems, or even of a failure to fulfill their obligations regarding the processing of personal data. They will now be forced to do so, since compensation for their damages will be strictly subject to the filing of a complaint.

This collection of information should, ultimately, also benefit insurers, as it is envisaged to share anonymized information via the ANSSI “in order to refine knowledge of the cyber threat.” This access to information is essential to enable insurers to assess the risks and losses caused by cyberattacks, and ultimately to offer more appropriate guarantees, as the French cyber-insurance market still appears nascent, notably compared to the US market.

Information shared with the general public should also entice organizations to increase the level of security and prevention measures.

What to do

Having to file a complaint within a relatively short period of time and, if necessary, to manage other types of notifications, possibly in different countries if the incident has a cross-border scope, at the same time may prove particularly complicated for organizations. It also raises fundamental strategic questions as to how to handle incidents: Organizations may not be keen to lose control over the management of the incident (something that often happens when law enforcement authorities are involved).

As a first step, organizations that are established in France or hold a French cyber-insurance policy should include in their global incident management policy a step for assessing whether it is in their best interest to file a complaint in France. Organizations also have to review carefully the content (e.g., conditions and exclusions) of their cyber policy. Amid a crisis, the insured must then gather the necessary factual elements while avoiding possible contradictions due to lack of time or resources.

Charles Helleputte heads up the EU Data Privacy, Cybersecurity & Digital Assets Practice of Squire Patton Boggs. A Partner with the firm in the Brussels office, Charles focuses on existing EU and national privacy, cybersecurity and data laws, such as the NIS Directive, GDPR and the Cybersecurity Act, and on upcoming developments, such as NIS 2, DORA, the AI Act and the ePrivacy Regulation. Charles has specific experience preparing and managing incidents in a cross-border context, where it is necessary to consider multiple cybersecurity, privacy and other regulatory and enforcement frameworks (such as NIS, PSD2, CTR, etc.). He can be reached at charles.helleputte@squirepb.com.

Stéphanie Faber heads the Data Privacy, Cybersecurity & Digital Assets Practice of Squire Patton Boggs and is a senior member of the Intellectual Property & Technology Practice in the Paris office. She specializes in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well as regulatory and compliance work. She can be reached at stephanie.faber@squirepb.com.
