Government green light to pay ransoms

The government is ready to allow ransomware coverage.

As part of the orientation and programming bill of the Ministry of the Interior, the government is opening up the possibility of covering the payment of ransomware by insurers.

The debate has been raging for several months. Should insurers be authorized to include the payment of ransoms in their insurance contract in the event of a cyber attack? The government has decided. Article 5 of the orientation and programming bill of the Ministry of the Interior, tabled on March 16 in the National Assembly, authorizes it under conditions. “The payment of a sum pursuant to an insurance clause intended to cover the payment of a ransom by the insured in the context of a planned extortion when it is committed by means of an attack on a system of automated processing of data of the same code, is subject to the justification of the filing of a complaint by the victim with the competent authorities no later than 48 hours after the payment of this ransom”we read in the text on which the government has initiated the accelerated procedure.

In line with the work of the HCJP

The government relies on the work of the High Legal Committee of the Paris Financial Center (HCJP) delivered last February. “Neither the Civil Code, nor the Insurance Code, nor even case law have ruled on the uninsurability of this type of guarantee, the payment of the ransom by the insured victim of the blackmail of hackers not constituting in itself unlawful activity”, the committee wrote in its report. According to the latter, prohibiting the payment of ransoms “would lead to the penalization of certain companies or local authorities that are victims of cybercriminals and who could thus find themselves in great financial difficulty because they are unable to charge all or part of their losses to insurance”.

A point of view that contrasts with the report submitted a few months earlier by MP Valeria Faure-Muntian. “It should be enshrined in law prohibiting insurers from guaranteeing, covering or compensating the ransom”, estimated the parliamentarian at the time. Same story for Johanna Brousse in charge of the fight against cybercrime. “France is today one of the most attacked countries in terms of ransomware (…) because we pay ransoms too easily”, she declared to the senators last April. Axa also decided to suspend the “cyber ransom” guarantee of its contracts a few days later.

“The clarification from the government is a good thing. Prohibiting the payment of ransoms within the framework of insurance contracts would have isolated France from other countries. We would have been the only country to practice it. Moreover, in the context of international insurance programs, its implementation would have been inoperable. There at least things are clear”points Grégoire Dupont, CEO of Agéa.

The government offers a blank check to insurers to put the payment of ransoms back in their contract. Provided that article 5 is not amended during the readings in Parliament.

Leave a Comment