The deputies of the Law Commission of the National Assembly have just rewritten in a more consensual way article 4 of the orientation and programming bill of the Ministry of the Interior, which initially conditioned the insurability of a cyber ransom to filing lawsuit after payment to cyber criminals.
Controversy over mention of cyber ransoms
After the Senate, which had already taken up the article, the Law Commission of the Palais-Bourbon, rewrote the provision so as not to explicitly mention the reimbursement of the payment of a ransom, the point which aroused the controversy. While the public authorities recommend never paying ransoms, “talking about cyber-ransoms was the worst thing to do”, summarized MP Philippe Latombe (Democrat) during the examination of the text by the commission. , this Wednesday, November 2.
The new wording of the article, proposed in three similar amendments by the deputies Anne Le Hénanff (Horizons), Philippe Latombe and Mounir Belhamiti (Renaissance), widened the scope of the text to all damage caused by a cyberattack. And therefore no longer “only at [seul] reimbursement of ransoms”, as stated in the explanatory memorandum to the amendments. The fact remains that if the controversial question of the reimbursement of the payment of a ransom is no longer mentioned explicitly, it therefore always seems to be covered.
Complaint to be filed after discovery of the attack
“By no longer simply targeting ransomware but all cyberattacks, we can imagine that insurance will cover the costs of remediation, guarantees on operating loss, and not simply on the cost of paying the ransom ”, thus supported the rapporteur of the text for the Law Commission, the deputy Florent Boudié (Renaissance). Benefits that seem to already be offered by insurance companies. The latter indeed wanted above all a clarification of the insurability of the reimbursement of a ransom.
Less controversial, the other change in the wording of the text is thus perhaps more significant. Compensation for damages is now conditional on a complaint and not a pre-complaint, to be filed within 48 hours after the discovery of the computer attack, and no longer after the mere mention of an attack. “What matters is when the victim saw the attack,” observes MP Florent Boudié. The bill must now be studied in public session from November 15.