The French government has decided to act in the fight against the resurgence of cyberattacks, together with ransom demands, which have a significant impact on the economy. By anticipating the development of the cyber risk insurance market in France, the French government has decided to make the payment of insurance compensation conditional on the filing of a complaint within a reduced time frame. This would allow the authorities to access crucial information to prosecute the perpetrators. Initially intended to cover ransom payments, the parliamentary debate changed the text to give it a broader reach.

The Text

Law No. 2023-22 of January 24, 2023, on the orientation and programming of the Ministry of the Interior (LOMPI) introduces a new chapter that includes a single article into the French insurance code.

“Chapter X – Cyber Risk Insurance

Art. L. 12-10-1. – The payment of a sum pursuant to the clause of an insurance contract intended to compensate an insured for loss and damages caused by a breach of an automated data processing system mentioned in articles 323-1 to 323-3-1 of the criminal code is subject to the filing of a complaint by the victim with the competent authorities no later than seventy-two hours after the victim becomes aware of the breach.

This section applies only to legal entities and natural persons in the course of their business.”

Application Date

This new law comes into effect on April 24, 2023.

Relevant Cyberattacks

Article L. 12-10-1 of the insurance code refers to the various breaches of an automated data processing system mentioned in articles 323-1 to 323-3-1 of the French criminal code (cyberattacks) that may be considered for compensation. These cover all offences against the confidentiality and integrity of, and access to, computer data and systems: illegal access, data interference, system interference and misuse of devices.

Types of Damage: Debates Related to Ransom Payments

Initially, the bill dealt specifically with insurance coverage and indemnification of “the payment of a ransom by the insured in the context of extortion” following such cyberattacks and ransomware attacks.

According to the impact assessment attached to the bill, “the payment of a ransom by the victim of an extortion is neither a crime nor an act of complicity (as the consent to the payment is not freely given, but results from the coercion that characterizes the crime). It follows that the principle of having an insurance covering the damage caused by the payment of the ransom does not seem to run up against any major legal obstacle”. The impact assessment also notes that “no Organization for Economic Co-operation and Development (OECD) country has taken measures to prohibit the payment of ransoms, nor has it prohibited the principle of insuring them.”

However, the fact that the law would have referred specifically to the insurance of ransom payments gave rise to strong reactions and debates, on the grounds that it would be contrary to the policy of fighting the proliferation of cyber threats and the financing of crime. It could indeed have been interpreted as a blank check from the legislator to proceed with ransom payments in the case of ransomware, even though the responsible authorities, including the National Cybersecurity Agency of France (ANSSI), officially recommend not to pay. Authorities in other countries, such as the UK’s Information Commissioner’s Office (ICO), have made recommendations along the same lines. Several amendments prohibiting ransom payments in ransomware cases were put to the vote at the Senate, but all were rejected.

The final text of the law is broader since it stops referring to insurance for the payment of ransoms and aims at any “loss and damage caused” by a cyberattack.

However, this does not mean that any given cyber risks insurance policy covers ransom payments. The conditions and exclusions of the insurance policy must be carefully examined.

Condition: File a Complaint Within 72 Hours

To benefit from the insurance coverage, the victim of a cyberattack must file a complaint with the “competent authorities” within 72 hours of becoming aware of the attack.

Even though the term “competent authorities” is not defined, the reference to “filing of complaint” (dépôt de plainte) leads to the assumption that this is a reference to the police, the gendarmerie, or the public prosecutor, which is also consistent with the purpose of the law. Indeed, the purpose of making the payment of insurance compensation conditional on the filing of a complaint is to ensure that the judicial authorities are systematically informed to enable them to quickly launch investigations that will allow, at the very least, to understand cyberattack methods or, at best, to prevent them.

The 72-hour time limit was chosen by reference to the time limit imposed for notifying personal data breaches to the Commission Nationale de l’Informatique et des Libertés (CNIL) under the General Data Protection Regulation (GDPR). However, the incidents covered by the new law are broader than personal data breaches under the GDPR. Furthermore, many other notification obligations exist, with different thresholds and deadlines, such as notification of health data breaches to the French regional health authorities (ARS), notification to the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) under the law transposing the NIS Directive (and, soon, the NIS 2 Directive), and notification to the financial authorities (the Autorité de Contrôle Prudentiel et de Résolution (ACPR) or the Banque de France), among others. This is a rather complex setting to navigate, especially in times of crisis. Preparation is, therefore, vital.

Having to file a complaint within a relatively short period of time while, if necessary, managing other types of notifications at the same time, possibly in several countries if the incident has a cross-border scope, may prove particularly complicated for organizations. It also raises fundamental strategic questions as to how to handle incidents: organizations may not be keen to lose control over the management of the incident (something that often happens when law enforcement authorities are involved). Moreover, amid a crisis, the insured must gather the necessary factual elements while avoiding possible contradictions arising from a lack of time or resources.

Our teams specializing in cybersecurity, as well as in litigation and insurance, are available to answer your questions and assist you with the legal aspects of addressing cyber risks and crisis management.