##Everything you need to know about the LOPMI
The Loi d'Orientation et de Programmation du Ministère de l'Intérieur - LOPMI (French law on the orientation and programming of the Ministry of the Interior), sets the objectives and programs the Ministry's human, legal, budgetary and material resources from 2023 to 2027. Nearly half of the law's budget is devoted to the Ministry's "digital revolution" and to modernizing its resources for combating cybercrime.
Among the projects announced, the payment of ransom in the event of a cyber attack is now authorized for insurers. This ransom payment is subject to a number of conditions. The aim is to provide the police and legal authorities with more information on these attacks.
Reimbursement is now conditional on the victim lodging a complaint within 72 hours of learning of the offence. Parliamentarians have decided that the obligation will be limited to professionals, and will apply 3 months after the law's promulgation, i.e. April 24, 2023.
LOPMI timetable:
🔵 December 14, 2022: final adoption of the LOPMI and the obligation for the insured to file a complaint within 72 hours in the event of a cyber-attack.
🟡 January 19, 2023: the Constitutional Council ruled that the law was partially non-compliant, following a referral by more than 60 deputies, but without touching the provisions relating to cyber insurance
🟢 January 24, 2023: LOI n° 2023-22 d'orientation et de programmation du ministère de l'intérieur was promulgated by the President of the Republic, and published in the Journal Officiel the following day.
🟠 April 24, 2023: Entry into force of the LOPMI
I. - A new chapter X is added to Title II of Book I of the French Insurance Code:
Chapter X - Insurance against the risk of cyber attacks _" Art. L. 12-10-1. - The payment of a sum pursuant to the clause in an insurance contract designed to compensate an insured party for loss or damage caused by a breach of an automated data processing system referred to in articles 323-1 to 323-3-1 of the French Criminal Code is subject to the victim's filing a complaint with the competent authorities no later than seventy-two hours after the victim becomes aware of the breach. This article applies only to legal entities and to natural persons in the course of their professional activity."_
1. Prior assertion: LOPMI authorizes payment for ransomware
Unlike the initial version of the bill tabled by the Government, which was solely dedicated to covering the payment of a cyber ransom, the current article has removed all reference to ransomware. The LOPMI bill now covers insurance against loss or damage caused by a cyber-attack. Ransomware is part of the cyber-attack category, and is therefore implicitly covered by this text. However, parliamentarians chose not to explicitly authorize or prohibit ransomware payments and insurance.
In any case, in France today, there is no major legal obstacle to the payment of ransoms (cyber or otherwise) and to their insurance, within the limits of cases involving the financing of terrorism.
2. Under what conditions will insurers be able to develop this type of coverage?
Insurance against the risks of cyber-attacks already exists in France, notably with cyber-extortion cover, the purpose of which is to reimburse the insured for the amount of a cyber-ransom that he or she would have been forced to pay. Under LOPMI, insurers will have to require policyholders who are victims of a cyber-attack to file a complaint within 72 hours of learning of the attack. If no complaint is filed within this timeframe, the insurer will be prohibited from compensating the insured for any loss or damage suffered as a result of the cyber-attack. This requirement does not apply to consumers, i.e. individuals acting outside their professional capacity. The compulsory complaint rule will come into force on April 24, 2023. Although already provided for in most cyber insurance policies in France. 3. What changes to the insurance code would this measure entail? With what consequences?
This measure entails the creation of a new chapter in the French Insurance Code, entitled "L'assurance des risques de cyber-attaques", with a single article (L. 12-10-1).
This is the first chapter and article in the Insurance Code to deal with the subject, even though cyber insurance policies have existed in France for several years. This is legal recognition of the existence and importance of these new insurance coverages, which help to strengthen and protect companies against the occurrence and consequences of computer attacks.
4. What measures are European governments taking in response to cyber-crime? Have any already resorted to compensation for cyber-breaches?
None of our European neighbors prohibit the payment of cyber-ransomware, nor the insurance of such payment, but some set conditions. The impact study attached to the bill even specifies that none of the OECD countries has taken measures to prohibit the payment of ransoms, nor prohibited the principle of insuring them.
🇩🇪 Germany: cyber ransom insurance is expressly authorized under certain conditions: - Cyber ransom insurance cover may not be offered on its own, and must be part of a broader cyber risk contract, including a guarantee of assistance in the event of an attack, so that ransom payments are only made as a last resort; - Obligation of confidentiality regarding the existence of the insurance contract and the ransom payment (except with regard to the authorities); - Obligation to inform and cooperate with the authorities in the event of a ransom demand. - Obligation to inform and cooperate with the authorities in the event of a ransom demand.
🇦🇹 Austria: the same principles apply as in Germany.
🇧🇪 Belgium: there is no prohibition on insuring cyber ransomware, subject to compliance with the measures of the international sanctions regime and the prohibition on financing terrorism.
🇪🇸 Spain: there is no ban on cyber-risk insurance: - Most insurers offer cyber policies including ransom reimbursement subject to the application of international sanctions and the risk of terrorist financing. - Most insurers offer cyber policies including ransom reimbursement, subject to the application of international sanctions and the risk of terrorist financing.
🇬🇷 Greece: there is no ban on cyber ransom insurance: - This is a small, developing market that is not currently being discussed at political level.
🇮🇪 Ireland: there is no ban on cyber insurance: - The Irish government emphasizes above all the cyber resilience of players and the role of insurers in developing best practices to combat cyber-attacks and their consequences.
🇮🇹 Italy: there is no ban on cyber-ransom insurance, subject to compliance with international sanctions and the fight against terrorism: - Insurers offer cyber insurance policies for data recovery costs, business interruption and ransom payments, which can only be made with the insurer's agreement and under certain conditions (prior notification of the police authorities, confidentiality obligation regarding the existence of the insurance contract, etc.).).
🇱🇺 Luxembourg: there is no ban on cyber-ransom insurance, and no recommendations have been issued on this subject by the Luxembourg supervisory authority: - kidnap & ransom insurance policies have existed for a long time, and are also available for cyber-attacks; - there is, however, some debate as to whether ransom reimbursement by the insurer should in itself be treated as requiring a suspicious transaction report as part of anti-terrorism/anti-money laundering measures.
🇳🇱 Netherlands: Ransom payments and insurance cover are not prohibited, but discouraged by the Dutch government. - Insurers offering such cover clearly stipulate that ransom payments should only be made as a last resort, and that cover is only granted if the insured has taken the required preventive measures, particularly in terms of cyber security; - Members of parliament and the Minister of Justice have recently raised the issue of the insurability of ransom payments.
🇸🇪🇳🇴🇫🇮 Scandinavian countries: there is no prohibition on insuring cyber ransomware, but the subject is being debated with regard to the application of rules to combat the financing of terrorism and money laundering.
🇵🇹 Portugal: there is no ban on cyber ransom insurance: - Reimbursement of ransom payments and compensation for financial losses following a cyber-attack are generally covered under "Fraud" policies.
🇬🇧 United Kingdom : cyber-ransom insurance is legal, except in cases of terrorist financing: - According to the official government position, paying ransom demands should be avoided as far as possible; - The British Insurers' Association defends the insurability of ransom payments within cyber insurance policies, but insurers encourage or make cover conditional on the implementation of preventive measures to avoid cyber-attacks and limit their effects.
Cyber risk is the number 1 risk for any company, whatever its size.