Compensation for cyber-ransoms conditional on filing a complaint


Yes to insurers reimbursing the ransoms demanded by ransomware gangs, but only if a complaint is filed. The government has just settled this question, which had been agitating the insurance world. In a report published on September 7, the Directorate General of the Treasury comes out in favor of this new legislative framework, unveiled by Les Echos.

The measure should soon be adopted. It is already included in the Ministry of the Interior's new orientation and programming bill, also presented this Wednesday to the Council of Ministers. This obligation brings France closer to Germany, where insurers and policyholders are required to inform the police in the event of a ransom demand.

Payment not prohibited

However, reimbursement of ransom payments by an insurer was not prohibited in France until now. As the Directorate General of the Treasury points out, French law as it currently stands, like that of the other OECD states, does not explicitly prohibit compensation for ransoms paid, a payment that must remain the last resort, the report's authors insist.

This had prompted former MP Valéria Faure-Muntian to request a formal ban on the payment of ransoms. But the High Legal Committee of the Paris financial center, consulted by the Directorate General of the Treasury, had stressed that a purely national ban would be legally fragile, and preferred action at the European level, an uncertain prospect.

Improve information sharing

For the Directorate General of the Treasury, making compensation for the ransom payment conditional on the filing of a complaint should facilitate judicial investigations. “In the medium term, it could be possible to organize the sharing of anonymized data, in compliance with the framework for the protection of personal data and the secrecy of the investigation, with Anssi in order to refine knowledge of the cyber threat,” suggest the authors of the report.

The Directorate General of the Treasury thus recommends a whole series of operational measures to make exchanges more fluid. Bercy cites the establishment of a single point of contact between insurers and security forces, the development of a standardized document to facilitate the sending of relevant information to the authorities, and the extension of the Thésée reporting platform, intended for individuals, to professionals.

Legal clarification

But more broadly, the new measure, one of 18 proposals from Bercy officials, aims to clarify the legal framework for cyber risk insurance. This market is estimated at 219 million euros in turnover in 2021 by France Assureurs, the representative organization of this profession. Insurers did not know where they stood. In April 2022 they had also called for a reform securing the legal framework for the compensation of ransoms paid, suggesting that it be conditioned on “close collaboration between insurers and judicial and police authorities”.

While seven out of ten insurance companies offering cyber insurance provide coverage relating to the payment of a ransom, Axa France had announced in May 2021 that it was suspending its cyber-ransom option pending clarification from the legislator. The announcement followed two widely noted statements, by cybercrime prosecutor Johanna Brousse and by the director general of Anssi, who had pointed to the murky role of insurers in the criminal ransomware business.

These criticisms are shared in the United States and in Great Britain, where investigations had been published into how intermediaries facilitated the payment of ransoms to cybercriminals. While this implicit validation of ransom payments undeniably carries a risk of increased financing of criminal organizations, for Bercy that risk must be weighed against the essential strengthening of companies' resilience to this major risk.




