Disruption in cyber insurance. On Wednesday, the deputies approved, by 365 votes to 102, the bill on orientation and programming for the Ministry of the Interior (Lopmi). Barring an unlikely reversal, the text will be finally adopted after the senators' vote on 14 December.
Among the most debated details of the bill, Article 4 has been the subject of heated debate among cybersecurity players for months. The reason? It amends the insurance code to make the reimbursement of losses and damages caused by a cyber attack conditional on the victim filing a complaint within 72 hours of discovering the incident.
Now on the point of being voted through, this new restriction on the victims of cyber attacks will take effect very quickly: the bill specifies that it comes into force three months after its promulgation, that is, probably between March and April 2023.
New burdens for the victims
Interpreted as a victory for the insurance lobby, the law makes some people cringe. "The intention is good, but not the way of going about it," Olivier Belondrade, Vice President of Cercle Montesquieu, an association of legal directors and heads of legal departments, tells La Tribune with irritation. "When you are the victim of a cyber attack, especially when you are a small business, filing a complaint is not a priority. You think above all about communication with shareholders, with employees, with customers..." he enumerates.
In fact, filing a complaint is often forgotten during incident response. The gendarmerie told La Tribune at the beginning of the year that law enforcement received only one complaint for every 267 successful ransomware cyberattacks, even though the police can provide significant support for incident response. Above all, they need complainants in order to recover as much data as possible, go after the cybercriminals and hope to stop them. This is also one of the reasons behind Article 14 of the Act.
But Olivier Belondrade is not so much worried about the complaint itself as about the time limit attached to it: "The penalties for non-compliance with the deadline for filing a complaint, namely forfeiture, are extremely severe. This is the only situation in insurance law where this is the case. Even for theft, where a complaint is necessary, there is no such rapid forfeiture clause. As a result, over a matter of procedure, certain companies, and especially the smallest ones, could lose their coverage because they would not think about the complaint." During a cyber attack, companies generally call on external service providers to support them both in crisis communication (with customers, partners, internally, etc.) and on the IT side. Insurance companies therefore work with firms that they send to their customers as quickly as possible in the event of a loss.
In other words, costs (from several tens to several hundreds of thousands of euros) accrue quickly. Under the new law, if the victim forgets to file a complaint within 72 hours, it will in theory have to bear those costs itself, even though it has paid premiums. The only small victory for victims: the deadline for filing a complaint was 48 hours in the original bill, but it was extended by 24 hours after the agreement reached in the joint committee. It is now in line with the legal deadline for reporting data breaches to the Cnil [the French data protection authority, editor's note] set out in the General Data Protection Regulation (GDPR).
More than a ransom story
While the discussions focused on the specific case of reimbursing ransom payments in ransomware cases, a practice discouraged by experts but used in practice in the hope of repairing some of the damage caused by the attack, the law actually targets a larger set of scenarios. "The words ransom and ransomware were not put in the wording of the law, and that is no accident: the law will allow coverage beyond the mere reimbursement of a ransom, allowing reimbursement of all the economic consequences of cyber attacks. Some argue that this law would encourage criminals to act. But the reality is that companies must insure themselves," assess the Jeantet lawyers Xavier Pernot, Pierre Linais, Frédéric Sardain and Olivier Lyon-Lynch, met by La Tribune.
Today, cyber risk is already covered by insurance, but apart from very large companies, few organizations have the means to take out a policy. The problem is that claims (especially in the case of ransomware) can be very high and exceed a million euros. Bringing SMEs into the insurance pool will allow insurers to smooth out the risk and avoid peak effects. "This law changes the way cyber risk is considered, which becomes uniform at the national level. However, we know that insurance companies need volume to maintain a financially sustainable model," Jeantet's lawyers add. "This is also a step forward for the insured, as it avoids a distortion of competition between insured victims depending on whether or not they are located in a country that allows ransom payments to be insured."
Towards mandatory cyber insurance?
Behind the debate over the deadline for filing a complaint, some companies fear it will add to the existing uncertainty about the status of the targets of successful cyber attacks. They are in the position of a victim, but they can also be held responsible for insufficiently protecting their customers' and partners' data, which can lead to administrative fines. This ambiguity partly explains companies' reluctance to file a complaint: hiding the incident as well as possible seems to some a more pragmatic solution.
For Olivier Belondrade and the legal directors whose opinions he passes on, the law benefits insurers, as it consolidates the framework for the cyber market, but also software publishers and incident response providers, who will develop new products to accompany the upgrading of businesses. The potential victims, meanwhile, are only subject to ever tighter frameworks.
"The people who have the most power to improve our resistance to cyber attacks, the publishers, are never held accountable. For example, we could have a cyberscore not only for companies but also for cybersecurity products, to push for more transparency. But instead we place the weight of this responsibility on the victim," he laments, before concluding: "It has been decided that cyber insurance is basic, so we should consider making it compulsory, like civil liability insurance for renting an apartment or like car insurance."