Cyber insurance: the French legal framework is changing
Law no. 2023-22 of January 24, 2023 on the orientation and programming of the Interior Ministry creates a new article L. 12-10-1 in the French Insurance Code.
This article makes the payment of sums under an insurance contract intended to compensate losses and damages caused by certain cyber attacks conditional upon the filing of a criminal complaint no later than 72 hours after the victim becomes aware of the attack.
This new article applies only where the cyber attack can be characterized as one of the offenses listed in Articles 323-1 to 323-3-1 of the French Criminal Code. These articles penalize four strictly defined offenses against what the French legal system calls "automated data processing systems", i.e. computer hardware and software systems used to process data (personal or non-personal), such as rating software, credit card systems, telecommunication networks, or websites hosted on a server and connected to the Internet. Under these articles, it is punishable to fraudulently access or remain in such systems, to hinder their proper functioning, to break into them to act on the data they store, or to hold or make available any type of instrument or data intended to commit one of the above-mentioned offenses.
It should be noted that the initial version of the new article L. 12-10-1 of the French Insurance Code, and the intermediate versions discussed during the parliamentary debates, initially aimed at authorizing insurance of the risk related to the payment of ransoms. This was quite surprising for the IT security sector and for State authorities such as the French National Agency for IT Security (ANSSI), which had until then recommended not paying ransom demands in the event of a cyber attack, so as not to sustain the mafia networks behind them.
As of April 24, 2023, the date on which article L. 12-10-1 of the French Insurance Code will come into force, the French system will therefore allow the insurance of ransom payments (among other “losses and damages”) made in the context of a ransomware attack, on the condition that the victim files a complaint within 72 hours.
The legal framework for cyber attacks continues to expand in France. With data breach notification under the General Data Protection Regulation, notification of security incidents under the recent Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), and the filing of criminal complaints under cyber insurance law, operators should demonstrate increased vigilance and adapt their security incident response plans accordingly.
Article provided by INPLP members: Charlotte Barraco-David and Marie-Hélène Tonnellier (OYAT, France)
Dr. Tobias Höllwarth (Managing Director INPLP)