Firms hit by ransomware attacks might soon be allowed to claim back from insurers the money they pay to criminal hackers to protect their data.
In October, the French Senate approved proposals from the economy and home affairs ministries to open the road for such claims, which are currently in a legal grey area.
How will the new law work?
No timetable has been set to implement the changes – the law has to be passed again by the Assemblée nationale, the lower house of Parliament – but they could come into force within a year.
Attacks see hackers take over a firm’s computer system and threaten to destroy or release data unless they are paid.
Senators voted that insurers could pay out as long as victims make a formal complaint to police within 24 hours of the initial ransomware demand, and before any money has changed hands.
How big is the problem?
The average amount paid out in 2021 was €6,400, says the Economy Ministry. However, this figure is distorted by a few demands in the millions when large institutions were hit.
France has created special policing units to crack down on attacks, but they are continuing.
In August, a hospital in the south Paris suburbs had to partially shut after an attack and $10million ransom demand from Russian-speaking hackers Lockbit 3.0. It did not pay and some health data was published online, opening it up to potential fraudsters.
Protect small firms
The economy ministry said allowing businesses to claim from insurers “would protect small firms who face going out of business if they are hit”.
Insurance companies were previously ready to include cyber attack payouts in general policies – similar to the way they pay if firms have money stolen. However, they were forced to backtrack after the Agence nationale de la sécurité des systèmes d’information warned that paying ransoms would encourage criminality.
Specific cyber attack insurance is mainly taken out by large companies in France, but insurers might offer tailored protection for small firms and individuals if the law is passed.