Insurers will be able to reimburse the ransoms paid by their customers, Bercy decided.

The decision ends a gray area but risks encouraging cybercrime, objects a former parliamentarian who authored a report on the subject.

The Directorate General of the Treasury thus proposes to "condition the insurability of cyber-ransoms on the filing of a complaint by the victim", a measure included in the Ministry of the Interior's orientation and programming bill (LOPMI), presented this Wednesday to the Council of Ministers, the Ministry of the Economy specifies in a press release.

Bercy also indicates that “a task force dedicated to cyber risk insurance, involving the players concerned, will be set up by the end of September”.

Until now, a gray area remained on this subject.

While the reimbursement of ransoms by insurers was not illegal, a parliamentary report proposed banning it a year ago.

Data recovered but not reliable

The obligation to file a complaint to be compensated “is a good thing”, reacted Valeria Faure-Muntian, former LREM deputy and author of the report.

But according to her, the payment of ransoms is “counterproductive”.

"I stand by what I said in my report: through this, we are fueling crime and some companies may see this as disempowering and not invest enough in prevention," she explains.

In addition, once the ransom has been paid, there is no guarantee that the recovered data is usable or free of a new virus, notes Valeria Faure-Muntian.

All the companies "who were kind enough to testify about the recovery of the data (after having paid the ransom) declared that these were not in a condition to be exploited immediately" and took time to return to their pre-crisis situation, she underlines.

This view is shared by Stoik, a company that offers cybersecurity insurance and software to businesses and says it does not pay ransoms.

A risk that is poorly covered

For Florence Lustman, president of France Assureurs, the federation of the sector, “any imprecision in a contract, in any case, is bad for the insured and for the insurer.

So everything that goes in the direction of clarification goes in the right direction,” she told reporters on Wednesday.

In May 2021, Axa France suspended the marketing of its "cyber ransom" option until the framework for insurers' intervention was specified, and Generali France followed in early 2022.

In its report, the Treasury points out that in order to develop cyber insurance, which represents only 3% of damage insurance premiums for professionals, it is necessary, among other things, to better measure damage and therefore cyber risk, by sharing data between the public and the private sector, and to "increase business awareness efforts".

Small businesses at risk

According to Mickaël Robart, director in charge of development at the broker Diot-Siaci, the majority of uninsured companies are VSEs and SMEs, which until recently had little understanding of this risk.

Today, it is they "that must be insured as a priority" in the face of the threat of ransomware, he believes.

They are the ones who are tempted to pay the ransom when "in 99% of cases, the large groups refuse", he adds.

For Alain Assouline, digital president of the Confederation of Small and Medium-Sized Enterprises (CPME), this is “an important step forward”, but it remains to be seen whether insurers will take up the recommendations made to develop the offer.

Because on the insurers' side, "it's a risk that we still have a little trouble understanding", Bertrand Romagné, president of the Association of Reinsurance Professionals in France (Apref), explained a few days ago to justify the sector's reluctance in this regard.

10 million dollars demanded from the Corbeil-Essonnes hospital

He cited the example of the NotPetya virus, which targeted a number of companies a few years ago and is said to have cost 10 billion dollars.

And on August 21, the South Francilien Hospital Center (CHSF) in Corbeil-Essonnes was the victim of a computer attack which considerably affected its activity.

The hacker(s) demanded a ransom of $10 million.
