What is changing for cyber-attack victims in France?
From 24 April 2023, victims of cyber-attacks (as defined by the Criminal Code; see the article quoted below) will have 72 hours to file a complaint with the “competent authorities”[1] if they want to obtain reimbursement under their cybersecurity insurance policy. This new reporting obligation was introduced by article L12-10-1 of the French Insurance Code, which provides:
The payment of a sum pursuant to the clause of an insurance contract intended to compensate an insured for losses and damages caused by a breach of an automated data processing system mentioned in articles 323-1 to 323-3-1 of the penal code is subject to the filing of a complaint by the victim with the competent authorities no later than seventy-two hours after the victim's knowledge of the breach.
This obligation to file a complaint within a given time period applies in addition to other breach notification obligations, including (without limitation) those relating to personal data, health data, and incidents affecting operators of vital importance and/or operators of essential services (such as electronic communication providers, energy-related services, transport, etc.). We previously covered the expansion of cybersecurity obligations created by the newly adopted EU NIS 2 Directive in an earlier update.
Who does the new rule apply to?
The new rule applies to any entity or individual:
- Covered by or negotiating an insurance policy subject to the provisions of the French Insurance Code; and
- Acting in the exercise of their professional activities.
What categories of incidents are covered?
The notification obligation covers those cyber-attacks considered offences under Articles 323-1 to 323-3-1 of the French Criminal Code, specifically:
- fraudulent access to an automated data processing system (whether or not involving the deletion or modification of data contained in the system)
- hindering or distorting the functioning of an automated data processing system
- fraudulent introduction of data into an automated processing system, and extraction, reproduction, transmission, or fraudulent modification of the data it contains
- importing, possessing, offering, transferring, or making available, without a legitimate reason, means to commit these offences
Reporting a cyber-attack
The law is not specific regarding the identity of the “competent authorities” with whom a complaint should be filed, although the impact assessment of the draft law (now adopted) refers to the police and judicial authorities.
The law also does not specify whether there will be a specific mechanism for filing such complaints (by way of comparison, France’s national information system security agency (ANSSI), the regional health authorities (ARS), and the data protection authority (the CNIL) each make breach notification forms available). However, the French General Directorate of Internal Security (DGSI) states on its website that cyber-attacks can be reported online via the website of the Ministry of the Interior, which operates a general criminal complaints portal.
Finally, regarding timing: according to the law, the 72-hour deadline starts to run from the moment the victim has knowledge of the breach. Whether this means knowledge of the criminal nature of the incident, or merely that an incident has occurred, is not clear.
Steps to take now
It is not possible to contractually derogate from rules applicable to insurance contracts contained under Title 2 of Chapter 1 of the Code, which includes the new notification obligation in article L12-10-1. However, parties should be particularly cautious when negotiating insurance contracts in order to avoid any provision that would extend the scope of the notification obligation. The policy should outline a clear process for notification to the relevant competent authority and address how such actions would materially impact cover under the policy.
A wider challenge is posed for international organisations with servers in multiple jurisdictions. Such organisations should be clear about whether the insurance policy is subject to the provisions of the French Insurance Code and address the wider implications of an international incident, especially regarding seeking an indemnity under the policy.
Organisations should also be aware that these regulations may not only apply to a cyber insurance policy but to all policies which may contain an element of affirmative or non-affirmative cyber cover, for example, professional indemnity and property policies.
You should include the filing of criminal complaints in your incident response policy and planning processes. This notification assessment can be made in parallel with other mandatory notification assessments.
[1] The report attached to the draft bill refers to the police or the judicial authority.