French Law Authorizes Insurability of "Cyber-Ransoms" Paid by Victims, Subject to Prompt Filing of Complaint
France's Orientation and Programming Law of the Ministry of the Interior ("LOMPI law"), published in the Official Journal of January 25, 2023, amends the insurance coverage of losses and damages paid in response to cyberattacks and confirm in principle the insurability of cyber-ransoms, but strictly subject to the requirement of prompt notification.
According to the law's sponsor, no member country of the Organization for Economic Co-operation and Development has "taken measures to prohibit the payment of such cyber- ransoms, nor prohibited the principle of their insurance coverage."
New article L. 12-10-1 of the Insurance Code provides: "The payment of a sum pursuant to an insurance contract clause covering compensation of an insured for losses and damages caused by an attack on automated data processing system [per Articles 323-1 to 323-3-1 of the Criminal Code] is subject to the filing of a complaint by the victim with the competent authorities no later than 72 hours after the victim becomes aware of the attack." (emphasis added.)
This article will come into force on April 24, 2023.
To be compensated under their cybersecurity insurance contracts, victims will have 72 hours, from the moment they realize that an attack on an automated data processing system has occurred (and not from its commission), to file a complaint with the "competent authorities" (judicial and police authorities, according to the report accompanying the law). This time constraint is intended to speed up investigations, facilitate the identification of perpetrators, and avoid the loss of funds.
This new provision applies to legal and natural persons covered by French insurance, in the context of their professional activity. It would therefore include 84% of large companies and 9% of mid-sized companies but only 0.2% of small enterprises.
The provision applies to all claims resulting from an attack on an automated data processing system covered by articles 323-1 to 323-3-1 of the Criminal Code, such as:
- Fraudulently accessing or operating in all or part of an automated data processing system;
- Obstructing or distorting the operation of an automated data processing system;
- Fraudulently introducing data into an automated processing system, or fraudulently extracting, holding, reproducing, transmitting, deleting, or modifying the data it contains; and
- Importing, holding, offering, transferring, or making available equipment, a computer program, or any data designed or specially adapted to commit one or more of the aforementioned offenses.
The "cyber-ransoms" demanded in cyberattacks therefore can now be covered by insurance in France, although victims will need to act quickly in order to benefit.
Beneficiaries of a cyber insurance policy covering breaches of their information systems will have to integrate the filing of a complaint within 72 hours in their cyber incident response procedure to avoid foreclosure.