Cyber attacks represent a growing threat to individuals, businesses and institutions. Faced with this reality, many countries have introduced measures to strengthen online security and protect the victims of these attacks.

In France, the LOPMI law (Loi d'Orientation et de Programmation du Ministère de l'Intérieur) defines the legal framework for cyber insurance, making _"payment of a sum in application of the clause in an insurance contract designed to compensate an insured party for loss or damage caused by a breach of an automated processing system [...] conditional on the victim lodging a complaint with the competent authorities no later than seventy-two hours after the victim becomes aware of the breach"_.

This provision is set out in a new article L. 12-10-1 of the Insurance Code, which will come into force three months after the promulgation of the law, i.e. on April 24, 2023.

But why was this law necessary in the first place?


The need for greater responsiveness to cyber attacks

The French authorities need a clear picture of all cyber-attacks suffered by companies, so they can better prepare for them and assess the risks. The obligation to lodge a complaint makes a complete census possible and allows law enforcement agencies to respond rapidly in the event of a cyber-attack.


Preserving evidence and gathering information

Requiring professionals to file a complaint within 72 hours gives victims a better chance of preserving the evidence needed to investigate and identify the perpetrators. Traces can fade quickly, and the more time passes, the more difficult it becomes to trace the origin of the attack. By reporting the incident quickly, victims facilitate the work of investigators and increase the chances of prosecuting those responsible.


Access to redress and compensation

In many countries, the obligation to lodge a complaint within 72 hours gives victims access to reparation and compensation measures. Competent authorities, such as the police, and insurance companies can offer financial assistance or resources to help victims restore their security and mitigate the consequences of the attack.

Who is affected by this obligation?

This obligation applies to both legal entities and individuals: companies, associations and government agencies, as well as the self-employed, the professions, etc. The organization or professional must be registered in France, and must have a French cyber insurance policy.

Raising awareness and deterring cybercriminals

With this obligation, the authorities are clearly sending a message to cybercriminals: attacks will not go unpunished. Collaboration between stakeholders shows the extent to which public authorities are involved in the fight against cybercrime. The government hopes that this measure will also help to reduce the number of attacks and strengthen online security.


What types of attack are concerned?

All types! The law encompasses all cyber-attacks, so as to leave no possible loophole: ransomware, phishing, data theft, denial-of-service attacks...


What to do in the event of a cyber attack...

  1. Disconnect the device from the Internet or computer network
  2. Stop using the compromised device
  3. Warn your staff
  4. Contact our Dattak teams, available 24/7, to limit the consequences of the attack.

If your company is the victim of a cyber-attack in France or abroad, you must file a complaint in France, or in the country where you are based, within 72 hours.

However, a complaint filed in another country only satisfies the obligation if the cyber-attack is an offence in that country, as it is in France.

The CNIL must also be notified within 72 hours.

Filing a complaint within 72 hours is compulsory, but it is not the only condition for compensation: the other conditions set out in your insurance contract must also be respected.

What is the "Ma Sécurité" application?

An application has been created to enable you to lodge a pre-complaint quickly. However, this must be confirmed at a police station afterwards.

This obligation is intended to deter cyber-attacks, but also to protect professionals. With visibility of all possible cyber-attacks, the authorities have more material to investigate. File a complaint if it happens to you, but above all, protect yourself and adopt protective measures!

The Dattak teams are at your disposal to answer any questions you may have!