The measures presented as part of the French Ministry of the Interior's draft orientation and programming law, known as LOPMI, have come as something of a surprise to cyber insurance specialists. One of them provides for a framework for insurance reimbursement clauses for ransomware, including a requirement to lodge a complaint in order to trigger insurance cover in the event of a cyber-ransomware attack.
Record levels of computer attacks in 2021
The average amount of ransom paid reached a new record in 2021, at $2.2 million, according to the latest report from cybersecurity research unit Unit 42. Although targeted organizations rarely pay the price demanded, it is nevertheless up 78%, to $541,000. To convince victims, criminals use the double extortion strategy, which consists of recovering the company's most sensitive data, then encrypting it and distributing it on the Dark Web. If the ransom is not paid, the attackers threaten to publish much more data, which could damage the company's image.
France is particularly targeted by these "name-and-shame" attacks. Observations by Unit 42 researchers show that more than a third of the organizations that fell victim in 2021 were in Europe, and particularly in France.
Controlling the payment of cyber-ransom money
Presented to the Council of Ministers on March 16, the French Ministry of the Interior's draft policy and programming law aims to provide a better response to the "security and territorial challenges of the coming years". To combat cybercrime more effectively, the bill provides for a framework for insurance reimbursement clauses for ransomware. In concrete terms, victims will only be entitled to compensation if they agree to lodge a complaint within 48 hours of payment of the ransom.
The LOPMI also addresses another issue on which insurers have been waiting for clarification: it declines to prohibit ransom payments. On this point, the government is thus aligning itself with the proposal made by the Haut Comité Juridique de la Place Financière de Paris (HCJP) which, in a report entitled "The insurability of cyber risks" published at the end of January, recommended leaving some leeway to victims hoping to regain access to their data, and to their insurers.
However, the decision is far from unanimous. Valéria Faure-Muntian, a member of the French parliament (LREM), argues that "if there is legal uncertainty surrounding the payment of ransoms, adopting the bill as it stands would be tantamount to de facto authorizing the payment of ransoms".
For its part, the French Ministry of the Interior, questioned on the subject, points out that "what counts is rapid information for the investigating services, so that they can effectively combat those who commit ransomware".
For the moment, the bill is not before Parliament. Its future will depend on the outcome of the vote, and its provisions should therefore be kept in perspective.