After months of debates, on 24 January 2023, France enacted the Orientation and Programming Law (LOPMI) which introduced amendments to the insurability of losses and damages paid in response to cyber-attacks.
At the center of the debates: the insurability of ransom payments. The LOPMI has confirmed such insurability with conditions. Pursuant to article 5 of the LOPMI, introduced under the French Insurance Code at article L. 12-10-1:
“The payment of a sum pursuant to an insurance contract clause covering compensation of an insured for losses and damages caused by an attack on automated data processing system [per Articles 323-1 to 323-3-1 of the Criminal Code] is subject to the filing of a complaint by the victim with the competent authorities no later than 72 hours after the victim becomes aware of the attack.”
This new provision will come into force on 24 April 2023.
From that date, insurers will be able to limit the payment of compensation for cyber-ransom payment to companies which have filed a complaint with the police within 72 hours.
The time period of 72 hours is similar to that of the data breach notification requirement of the GDPR. The starting point for calculating the time is also comparable: the victim needs to be aware that an attack on an automated data processing system has occurred (meaning that this point in time is not necessarily the exact time of commission of the attack).
An “attack on an automated data processing system” is the French criminal offense generally found in case of cyberattacks as it covers the following acts:
- Fraudulently accessing or operating in all or part of an automated data processing system;
- Obstructing or distorting the operation of an automated data processing system;
- Fraudulently introducing data into an automated processing system, or fraudulently extracting, holding, reproducing, transmitting, deleting, or modifying the data it contains; and
- Importing, holding, offering, transferring, or making available equipment, a computer program, or any data designed or specially adapted to commit one or more of the aforementioned offenses.
Ransomware is the No. 1 cyber threat in France. In this context, the aim of the LOPMI with this new reporting requirement is to assist the authorities to access information and identify perpetrators, which should facilitate investigations in relation to cyber-attacks, and ransomware in particular.
After a cyber-attack, companies rarely file criminal complaints. If they are forced to do so in order to be compensated by insurers for cyber-ransom payment, the authorities should have a more comprehensive view of cyber-attacks.
The LOPMI has raised criticisms as it can be seen as confirming the payment of ransoms by companies as a normal practice, even though this is contrary to the policy of fighting against the proliferation of cyber threats and the financing of crime, and that the responsible authorities and the National Cybersecurity Agency of France (ANSSI) recommend the victims not to pay. Several amendments to the prohibition of the payment of ransomware were put to vote at the Senate, but all had been rejected.
Still, the LOPMI does not bless ransom payments in all circumstances: if the victim knows that its ransom payment is likely to benefit a terrorist organization, then it should avoid making such payment at all cost or it would be subject to criminal liability pursuant to article 421-2-2 of the French criminal code. It is the knowledge that the payment will be used in whole or in part to finance a terrorist action that is the critical element here. Equally, if the victim is also subject to US regulations, it should carefully check that it is not making a payment to a country, organization or person that is listed on the OFAC sanctions lists. From a practical standpoint, making the decision to pay based on an analysis of the circumstances, having to file a complaint within a relatively short period of time, and managing other types of notifications (GDPR, NIS 2, and possibly sectorial notifications) where necessary, may prove particularly challenging for companies. All in all, cyber incident response procedures have to be carefully structured and tested.