The senators on Wednesday validated the principle of the insurability of the payment of cyber-ransoms, a provision introduced by the orientation and programming bill of the Ministry of the Interior. But the upper house has however reviewed the government’s project by adopting an amendment by Senator Rémi Cardon (socialist, environmentalist and republican group).
The principle of the complaint within 48 hours following the payment of a ransom conditioning a possible reimbursement by a cyber insurance is in fact replaced by the obligation of a report “within 24 hours of the attack and before any payment”. . A new obligation inspired by Germany, where insurers and policyholders have the obligation to inform the police in the event of a ransom demand.
“We have to go fast”
“Fortunately, 90% of attacks are quickly reported, which makes it easier to recover data or negotiate with attackers,” noted Rémi Cardon. But, added the senator in support of his amendment, “the hours are counted: you have to move quickly to inform the authorities”.
If he gave a favorable opinion on this rewrite, the Minister of the Interior also signaled his skepticism. “Put yourself in the place of the baker: he pays to avoid disaster and forgets to file a complaint immediately,” warned Gérald Darmanin. And to call for finding the right balance between filing a complaint as soon as possible and the situation of small and medium-sized businesses.
Changes in sight
We must therefore expect further changes in the wording of the provision during the parliamentary shuttle. After the Senate, where five suppression amendments had been tabled, the measure, decried by computer security professionals, should again be challenged by deputies.
“The proposed mechanism risks being counterproductive, had thus deplored Senator Guy Benarroche (ecologist group, solidarity and territories). The fact of being insured risks encouraging the attacked establishment to pay the ransom, and therefore encouraging hackers to continue their activity. »
“No provision currently prohibits insuring against the risk of payment of a ransom”, had then retorted the senator (LR) Marc-Philippe Daubresse. “It is because this cover is already possible that the Minister wishes to prevent companies from paying ransoms without our knowing it and refraining from filing a complaint which would provide the means to fight against this scourge. »