Following a report by the Ministry of Finance’s Directorate General on the cyber insurance market, Bercy will include in a draft law the possibility of being compensated in the event of a ransomware attack. The only obligation for companies: filing a complaint.
This is a touchy subject that the government, and Bercy in particular, is addressing: cyber insurance. Following a report by the Directorate General of the Ministry of Finance on this market (started a little over a year ago), the Ministry of Economy and Finance proposed to the Council of Ministers on September 7 “a measure dedicated to cyber-ransoms within the direction and programming proposal of the Ministry of the Interior (LOPMI)”. The press release clarifies that this measure concerns the aggrieved party’s duty to file a compensation claim.
This is one of the proposals in the Treasury report, which wants to “condition the compensation of a cyber-ransom insurance on the victim filing a complaint in order to strengthen his support and improve the investigative operations of the police, justice and gendarmerie”. The proposal may seem surprising at first, for the message, which the authorities have hammered home, is not to pay ransoms in the event of an attack. But from theory to practice, there is often a gap. Some SMEs often have no choice but to pay to try to recover their data or gain access to their system. On the other hand, few victims come forward and file a complaint.
To structure a market in doubt
On the cyber insurance side, this decision puts market players back in the game at a time when several insurers had thrown in the towel. Axa and Generali had stopped offering contracts covering ransomware damage. In a report, parliamentarians were concerned about a link between cyber attacks and cyber insurance. Companies with cover thus became a prime target for hackers who were sure of getting paid. Guillaume Poupard, CEO of Anssi, had also addressed the insurers “focusing on ransom and gaining capacity to negotiate”. An open door for the arrival of unscrupulous middlemen.
The Ministry of Finance’s report therefore tries to clarify the legal framework for all actors. In addition to compensating victims with the duty to file a complaint, the administration pleads for “a general principle of insurability for administrative sanctions”, that is, not covering the potential fines associated with non-compliance with a legislative framework such as GDPR. Among the other recommendations, the report provides possible solutions: “Parametric insurance, which allows for the automatic payment of a benefit established according to an automatically measurable index, the development of self-insurance solutions such as captive reinsurance could make it possible to create a cyber risk insurance market”. In order to reflect on these various proposals and other topics (exclusion of acts of war, form to be completed, etc.), a task force will be set up at the end of September, bringing together all the actors.