Cyberattacks have become more frequent, problematic and complex over the years – so much so that they now represent a real threat to economic activities. The French Information and Digital Security Experts Club (CESIN) has estimated that 54% of French companies were subject to cyberattacks in 2021,[1] while France Assureurs has put cyberattack risks on top of all other risks for the sixth year in a row.[2]

In this context, the Directorate General of the French Treasury has put forward a plan of action with a view to clarifying the cyber-insurance legal framework, better gauging cyber-risks, and enhancing companies’ awareness as regards cyber-risks.

Law n°2023-22 of 24 January 2023 (the “Law”) aims to fulfil those objectives by, inter alia, inserting Article L.12-10-1 into the French Insurance code. This new legal provision, entering into force on 24 April 2023, makes indemnification pursuant to an insurance contract for damage caused by breach of an automated data processing system (“ADPS”, i.e. any IT system) contingent upon the prior filing of a criminal complaint within 72 hours.

While filing a criminal complaint in such circumstances was formerly just a right for the victim, it will now become an obligation, with major consequences in case of non-compliance.

1. An obligation neither limited to payments of cyber ransoms… nor to data breaches

The legislative report preceding the enactment of the Law states that it originally aimed to “thwart cybercriminals’ economic model”, which relies on demanding payments of cyber ransoms, by making the payment of insurance indemnities conditional upon the filing of a criminal complaint. However, in the end, Article L.12-10-1 ended up having a much broader scope, as it now applies to all forms of cyberattacks and to many cyber-security incidents.

The new Article targets compensation, under an insurance contract concluded by the insured party in a professional capacity, for any “damage and losses” caused by a breach of an ADPS.

As such, cyber ransom payments are not specifically targeted, and the obligation to file a complaint covers all breaches of information systems in general, including in particular those listed in Articles 323-1 to 323-3-1 of the French penal code:

  • Fraudulently accessing and remaining inside an ADPS or any part of it.
  • Hindering or disrupting the operation of an ADPS.
  • Fraudulently entering data into an ADPS, or fraudulently extracting, replicating, transmitting, erasing or modifying data contained in an ADPS.
  • Fraudulently importing, holding, offering, transferring or making available – without legitimate reasons (including research or cybersecurity purposes) – an instrument, computer program, or any data created or specifically modified to commit any of the aforementioned criminal offences.

In addition, a complaint must be filed regardless of whether or not the breach of an ADPS has also caused a data breach.

In practice, this means that the obligation is likely to apply in very diverse situations, such as:

  • A ransomware attack with data encryption and potential data theft, whether or not payment of a cyber ransom is demanded or made.
  • A denial of service attack (e.g. a DDoS attack that floods a service with connections so that it can no longer respond to legitimate users).
  • An employee or external consultant who replicates data without authorisation (e.g. with the intention to then leave the company).

2. A 72-hour strict cut-off deadline following knowledge of the cyberattack

A complaint must be filed with the competent authorities (the police, gendarmerie, or the Public Prosecutor) within 72 hours following the victim’s knowledge of a breach of an ADPS.

In practice, the time limit is short because cybersecurity incidents are most often complex, and may require thorough investigations to accurately determine their nature, scope and consequences. Victims of cybersecurity incidents often have access to only limited information on becoming aware of an incident, or even 72 hours thereafter, while IT, business, legal and communication teams are usually very busy managing the incident.

Cybersecurity incidents may appear to be limited or under control within the first few hours, or occur at a time when they have little consequence for the company’s activities. As such, they may not constitute an immediate and substantive risk in terms of operating losses, data losses and the like, so that the question of compensation by way of a cyber-insurance may not immediately come to mind at this stage. However, the cyberattack may later prove more serious following the identification of new indicators of compromise, or it may evolve into other types of breaches.

The starting point of the time limit may be subject to interpretation. If the insured victim does not have information that confirms with certainty an intrusion in its system or data extraction, but reasonably suspects that there has been a breach, should the insured file a complaint as a precautionary measure to avoid having its indemnification claim potentially rejected by its insurer? By doing so, the risk is that complaints could be filed systematically for minor incidents which could potentially overload the competent authorities in having to deal with such complaints.

It is sometimes difficult to know with certainty whether a cyberattack has actually occurred or not. Endpoint Detection and Response (EDR) tools can detect suspicious activity, triggering forensic investigations of different logs, but it is not always possible to confirm with certainty whether a system intrusion or data extraction has actually occurred.

For these reasons, the 72-hour time limit raises significant practical and technical challenges as to when a complaint should be filed. From our experience, this type of action is usually dealt with at a later stage, once the incident is under control.

3. Do not confuse the time limit for filing a complaint with the one for notifying data breaches

Companies should by now be acquainted with Article 33 of Regulation (EU) 2016/679 (“GDPR”), under which a data controller is under an obligation to notify any personal data breach to the competent supervisory authority within 72 hours after becoming aware of it (unless such breach is unlikely to result in a risk for the data subjects).

Article 34 of the GDPR compels data controllers to communicate any personal data breach to the data subjects without undue delay where the breach is likely to result in a high risk for them.

Under the GDPR, the 72-hour time limit starts from the knowledge of a personal data breach, which may be identified days after the compromise of the system. Conversely, under Article L.12-10-1 of the French insurance code, the time limit runs from the knowledge of a breach of the ADPS, regardless of any personal data breach.

In practice, complaints under Article L.12-10-1 of the French insurance code are likely to be filed earlier than notifications under the GDPR. The new obligation may require companies to reassess the adequacy of their internal processes for cyber security incidents or attacks, and to involve their legal and insurance departments (among others) earlier in those processes, including in minor situations where they would not usually be involved.

4. What are the consequences for companies?

Since non-compliance with the new provision would deprive the insured party of its right to damages and loss indemnification, companies must incorporate the new obligation in their crisis management processes:

  • Companies will have to incorporate the obligation in their security incident management processes, by focusing on: (1) the broad concept of ADPS; (2) the starting point of the 72-hour period, which runs from the knowledge of the breach; and (3) the fact that their insurance cover will be lost if a complaint is not filed within this period.
  • Companies should raise awareness of their internal incident response teams about the new obligation, and should set up a decision-making process (e.g. who decides to file a complaint, signs off its content, who files it and how, etc.).
  • A template complaint letter should be drafted, with a description and qualification of all the different types of ADPS breaches covered by the new obligation. In the event of a cyberattack requiring filing a complaint, a mere description of the facts will then need to be added, thereby accelerating and making the filing easier.

The obligation to file a complaint at an early stage may lead to a significant increase of notifications made as a “precautionary measure” to the competent authorities in cases of more routine/less serious cybersecurity incidents (which may not be personal data breaches at this stage).

Where a complaint has been filed, a decision not to notify the competent data protection authority (on the basis that no personal data breach has been confirmed) will have to be documented in the company’s internal record of cyber incidents, so that it can be justified should a competent authority subsequently question why that decision was made.

[1] Club des experts de la sécurité de l’information et du numérique, Annual report regarding companies’ cybersecurity, OpinionWay Survey for the CESIN conducted online in December 2021 on 282 CESIN’s members, January 2022.

[2] France Assureurs, Cartography for 2023 of risks present within the insurance and reinsurance industry, January 2023.