This discreet legislative text which opens the door to compensation by insurers

In the discreet ecosystem of French cyber-insurance, few people saw this bill on the terms of payment of cyber-ransoms coming. The surprise is almost total among the actors concerned. For more than a year, the debate over paying a sum of money to groups of hackers to unlock the computer systems of hacked companies has been agitating the political and insurance sectors, and even the highest spheres of the national gendarmerie. With this nagging question: should we or should we not authorize the payment, and the reimbursement by insurers, of the sums paid to hackers?

The orientation and programming text of the Ministry of the Interior, published on March 16, opens the door to institutionalizing the payment of these cyber-ransoms. That, at least, is the analysis of LREM MP Valéria Faure-Muntian, a cyber-insurance expert and author of a noted parliamentary report on the subject. Concretely, the draft article would make reimbursement by insurers of the sums paid by the company conditional on the filing of a complaint within 48 hours of the payment of the ransom.

“This text endorses a form of legalization of the payment of cyber-ransoms”

“This article of law endorses the payment of cyber-ransoms. By wanting to write into the insurance code the terms and conditions for triggering the guarantee, and therefore a payment that will benefit these criminal groups, we endorse, by extension, a form of legalization”, castigates the elected member of the National Assembly. France Assureurs, the professional federation of insurers, for its part seems satisfied with this project. “France Assureurs has been asking for several years for clarification by the public authorities of the legal framework for the reimbursement, by an insurer, of the payment, by its insured, of a ransomware ransom. We are pleased that the bill is in line with the proposals we are making”, indicates the association.

Until now, no law has authorized or prohibited the payment of a sum to a group of hackers who have blocked a company's computer system. These malefactors demand money to unlock it, usually paid in cryptocurrencies.

Each insurer can decide whether or not to offer its policyholders coverage for this risk. For MP Valéria Faure-Muntian, it is appropriate to “enshrine in law the prohibition for insurers to guarantee, cover or indemnify the ransom”, she reaffirms. Indeed, the elected official believes that “the payment of ransoms creates a draft and encourages crime”, in particular warning the authorities in the context of the hybrid war taking place in Ukraine, in which cyberattacks are one of the Kremlin's indirect levers for responding to Western sanctions.

An opinion shared by Marc Bothorel of the CPME: “the companies that pay the ransoms appear solvent to the hackers, with a real risk of a new attack”.

Last May, the National Information Systems Security Agency (Anssi) accused certain insurers of encouraging cyberattacks by sometimes paying ransoms.

A cyber threat that is becoming systemic for businesses

This subject is crucial in view of the threat that cyber risk poses to companies. In France, the National Gendarmerie opened 101,000 procedures in 2020 for ransomware attacks (one component of cyberattacks), an increase of 21% in one year.

In 2021, it anticipated more than 120,000 complaints. 46% of victims are SMEs, 21% VSEs, 14% administrations, 9% large companies and 7% individuals. And according to a Thales study published in March 2022, one in five companies (21%) has been the subject of a ransomware attack in the last year, and about a fifth (22%) of companies acknowledge having paid, or say they are ready to pay, a ransom for their data.

Faced with this upsurge, the authorities want to multiply the means of prevention, but above all of investigation. Companies do not communicate, or communicate very little, about intrusions into their computer systems, for fear of a bad image or of losing the trust of their partners or customers. According to Marc Boget, Major General and commander of the gendarmerie in cyberspace, speaking at the congress of general agents of New Aquitaine on September 13, 2021, victims of cyberattacks file a complaint in only one case out of 270.

An effective text?

However, to fight this scourge, the authorities believe they need to increase the volume of data in order to understand which group of hackers is operating and how the attacks unfold. It is in this context in particular that the national gendarmerie and the insurers forged an unprecedented partnership at the end of last September.

Filing a complaint is thus, according to the authorities, an effective way to obtain information. Hence the legislative project making the payment of guarantees conditional on proof of a complaint. But several people contacted consider this project “out of touch and counterproductive” and question its effectiveness.

“While the posture of the competent services has always been to recommend the non-payment of ransoms, the rapid deterioration of the situation calls for more determined public action to ensure that, in cases where a ransom has been paid, the competent authorities have the information necessary to prosecute the perpetrators of the offence”, reads the report annexed to the draft text.

The draft of the Ministry of the Interior therefore imposes a declaration after the fact. The company pays the money, files a complaint within 48 hours and can then seek compensation from its insurer, if it is covered. “In this scheme, the company fends for itself for 48 hours, the intervention of the authorities is limited, the cybercrime scene is not preserved. There may be a loss of information. I have the impression that this article aims only to collect data and not to solve the investigation”, considers Valéria Faure-Muntian, for example.

Questions about the complaint filing process

Several actors contacted also do not understand the timing or the handling of the draft legislation. This project is led by the Ministry of the Interior, whereas it is the Ministry of the Economy, in particular the Treasury and its insurance sub-directorate, that traditionally deals with insurance issues. The Minister of the Interior, however, specifies that the bill “was produced in close collaboration with Bercy” and that “account has been taken of all the interministerial work in progress”.

To this must be added the calendar: the legislature is over, and we will therefore have to wait for the next government to possibly adopt this text. And a manager of the national federation of general agents (Agea) wonders: “The filing of a complaint in the context of a classic theft is not legal but contractual. Why, in the context of a ransomware attack, would we go through the legal route and not the contractual one?”

This measure, which would pave the way for legal authorization of the payment of cyber-ransoms, also appears to run counter to the market. In recent months, several insurance companies have announced that they are dropping cyber-ransom guarantees. According to a study by Agea, the federation of general agents, five out of 12 insurance companies with a network offered this cover. But Axa backtracked last May.

An emerging and loss-making cyber market

Could the bill, if passed, change the position of the insurance giant? Contacted, the group did not wish to comment on the text. “This provision would not close the market, quite the contrary”, says an industry expert. Especially since the Haut Comité Juridique de la Place Financière de Paris, in a report of January 2022, considers that “prohibiting the insurability of ransom repayment in the event of a cyberattack is not recommended.”

“No doubt some have realized that public statements and the pressure put on French companies left the field open to Anglo-Saxon firms”, continues the industry expert. “We no longer offer this guarantee to our customers. But one thing is certain: if tomorrow the competition on this type of cyber contract is played out in particular on the ransom guarantee, it seems difficult not to go back to it”, explains a general agent of Axa.

A statement corroborated by the report of the High Committee, which considers that “such a ban would necessarily make the cyber insurance contracts offered to companies on the market less attractive”. If the subscription conditions are too complex and the coverage reduced, SMEs will not subscribe.

But the equation is complex for insurers. France Assureurs estimates the French cyber insurance market at 135 million euros in premiums in 2020 compared to an overall damage insurance market of nearly 60 billion euros in France.

The AMRAE study shows that only 8% of medium-sized companies have taken out cyber insurance. The difficult balance between supply and demand shows in the combined ratio (claims to premiums). While the volume of premiums increased by 49% in 2020, the amount of compensation paid was multiplied by 3 (to 217 million euros in 2020), i.e. a combined ratio which rose from 84% in 2019 to 167% in 2020. In short, insurers are losing money on this type of contract.

In addition, according to several testimonies, the amount of cover offered by insurers on this type of contract has dropped significantly over the past six months. It remains to be seen whether, with the new text, insurers and French companies will make the payment of cyber-ransoms a lever to boost the market.