
A big change is coming in France. From April 24th this year cyber attack victims will now have 72 hours to report the attack to the authorities if they want to claim under their cyber insurance policy. This new reporting requirement is in addition to existing breach notification obligations.
Who will this impact?
The new rule will apply to any entity that is covered by an insurance policy. If they wish to make a claim, they will have to report the attack to the “competent” authorities within 72 hours of having knowledge of the breach. It isn’t clear whether this is 72 hours from becoming aware that a criminal incident has occurred or whether it is 72 hours from realising you have had an incident full stop. It is also unclear who the “competent” authorities are or how this reporting will be carried out – although cyber-attack reporting seems possible via the Ministry for the Interior’s general crime reporting portal. This new notification obligation will cover attacks that are considered offences under the French Criminal Code.
What does this all mean now?
If you operate in France and are impacted by this, you have some immediate concerns and questions. For instance, does this apply to insurance policies such as professional indemnity policies that may include an element of cyber cover? You will also need to update your playbooks to include the notification of the authorities within 72 hours. This will likely have an impact on your comms planning too.
Even if you don’t operate in France, it is worth being aware of this change. It’s a big move by a major player in the world economy and that should send a warning shot across all of our bows. Governments around the world are becoming more proactive when it comes to fighting cybercrime and that’s a good thing. It does mean that we all need to start thinking not just about defence of our organisation, but also resilience. Dust off those plans and playbooks and see if they are fit for purpose. Consider what this would mean for your organisation if your jurisdiction implemented a similar thing: what steps would you have to take, and who would have to be involved?
A bold move with a few caveats?
This is a bold move by the French authorities who are clearly seeking to gain more visibility into the cyber attack landscape. That’s something that is very much needed worldwide. Some may argue that all this is really doing is adding another tick box to a long list of tick boxes that don’t really effect lasting change. That may be true, but it does add another data point and give French authorities a clearer picture than most other countries of what is happening. What happens with that data remains to be seen. However, everything has to start with a first step.
It does raise two further interesting points of discussion. Firstly, will this impact the desire to pay a ransom? It could be argued that now, in France, you will be unable to hide the attack from the public eye. I am not so convinced this will be the case, but it will mean that “another pair of eyes” will be witness to the fact you negotiated and paid a ransom, and perhaps that will be off-putting for some.
The second point to discuss is whether or not this actually achieves anything. I run cyber crisis exercises for large organisations and help them prepare for the worst scenario. In all the exercises I have run they have either had the decision to notify already written into a playbook, or made the decision to notify during the exercise. This has been the case no matter the jurisdiction. Likewise in the real world, in the attacks we have seen play out over the last few years this has also been the case. True, it is largely done for the positive PR impact it has. Irrespective of the motivation, the French decision will potentially give us an interesting and reliable insight into cyber crime activity. The key question for me is what will the French authorities do with this data? What key changes can we expect to see in policing tactics? What level of disruption to large-scale organised cyber crime operations could this lead to? We will have to wait and see.
Overall, I think this has the potential to be a brave, effective move by the French to combat cybercrime. Undoubtedly we need more visibility and more data on cybercrime, and by working with the insurance sector they have certainly found a way to improve this. As always, implementation is key, so let’s see how this plays out.
https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000047048152/2023-02-09