Cyberattack on a company: compensation conditional on filing a complaint

From April 25, a company that has been the victim of a cyber attack will have to file a complaint within 72 hours in order to claim compensation from its insurer. At least, that's what the Ministry of the Interior's orientation and programming law of January 24, 2023 specifies.

One company in two is the victim of a cyber attack

In 2022, almost one French company in two was the victim of a cyber attack, according to the CESIN (Club des Experts de la Sécurité de l'Information et du Numérique) Barometer.

In its annual activity report, GIP ACYMA (Groupement d'Intérêt Public Action contre la Cybermalveillance) notes an increase in online assistance requests. In 2021, more than 173,000 requests were submitted to the cybermalveillance.gouv.fr platform, an increase of 65% on the previous year.

These online assistance requests mainly concern :

  • phishing (31%),
  • account hacking (19%),
  • false technical supports (13%).

For professionals, ransomware accounted for 22% of attacks.

Cyber attacks affect companies of all sizes and often have disastrous consequences:

  • systems paralysis,
  • theft or loss of sensitive data,
  • creating security breaches,
  • exposure to blackmail,
  • damage to reputation,
  • commercial prejudice...

To cope with these risks, more and more companies are taking out cyber insurance.

Filing a complaint is a prerequisite for compensation

Article 5 of the French Ministry of the Interior's orientation and programming law changes the framework for cyber insurance. As of April 25, 2023, companies wishing to claim compensation following a cyber attack will have to file a claim within 72 hours. It should be noted that this rule only applies to companies and individuals in the course of their professional activity.

Initially, this controversial provision would have made reimbursement of a cyber ransom conditional on the filing of a complaint. However, in view of the government's instruction not to pay ransoms and the concerns of the industry, this provision was not adopted.

Tougher penalties

Article 6 of the law of January 24, 2023 amends the Penal Code by increasing the prison sentences and fines incurred by the perpetrators of cyberattacks. For hackers who fraudulently gain access to a data processing system, the prison sentence is now increased from 2 to 3 years, and the fine from 60,000 to 100,000 euros. For offences involving the modification or deletion of data contained in the system, the fine will now be 150,000 euros (previously 100,000 euros) and the prison sentence 5 years (previously 3 years).

The French Ministry of the Interior's "Loi d'Orientation et de Programmation" (Orientation and Programming Act) therefore includes new measures aimed at better punishing the perpetrators of cyber-attacks. Its provisions will come into force 3 months after its promulgation, on April 25.