Authors: Luc Bigel and Hamza Akli 

On 24 January 2023, France’s Orientation and Programming Law (“LOPMI“) was enacted and published the next day in the Official Journal.

LOPMI introduces amendments to the insurability of losses and damages paid in response to cyber-attacks, including in relation to ransom payments – requiring that the payment of insurance compensation be conditional on the filing of a complaint, within a 72 hour time frame, to competent authorities. Article 5 of LOPMI inserts a new chapter, “Insurance against the risks of cyber-attacks“, into the Insurance Code, which provides that:

The payment of a sum pursuant to the clause of an insurance contract intended to compensate an insured for loss and damage caused by a breach of an automated data processing system mentioned in Articles 323-1 to 323-3-1 of the Criminal Code is subject to the filing of a complaint by the victim with the competent authorities no later than seventy-two hours after the victim’s knowledge of the breach.

This section applies only to legal entities and natural persons in the course of their business”

 The new chapter applies only to legal entities and natural persons, covered by French insurance, in the course of their “professional activity”. The compensation of private individuals remains possible but is not covered by this law and therefore, by implication, the requirement to file a complaint with competent authorities will not apply to private individuals.

In order to be compensated for loss and damage under cybersecurity insurance under the new chapter, cyber-attacks on an automated data processing system occurring in a professional context must be reported to the “competent authorities” within 72 hours of the victim’s knowledge of the attack. “Competent authorities” is not defined, but, according to reports accompanying the law, will include the police or the public prosecutor. The reporting requirements also apply to ransomware attacks and the new chapter allows for the insurability of “cyber-ransoms” demanded in cyber-attacks, only where the requirement to file a complaint is met.

Article 5 of LOPMI also requires policyholders to ensure that their IT security measures are adequate and comply with insurance conditions of coverage. In order to benefit from the insurance coverage in relation to a cyber-attack, the insureds must be able to demonstrate that they have taken the preventive measures required by their insurance policy. In addition, Article 5 of LOPMI requires insurers to play a more important role in defining cyber-risk management standards, as they have already done, for example, for fire safety regulations.

Recognising the continuing increase in cyber-attacks and ransom demands in France, the aim of the LOPMI, and in particular the new reporting requirements, is to assist authorities to access information and identify perpetrators, as well as allowing authorities to have a more comprehensive view of cyber-attacks affecting French organisations. Rather than promote the paying of ransoms as some critics of LOPMI have argued, it is hoped that the new requirements will encourage regular reporting of cyber-attacks, which will allow relevant authorities to assist with incident response, as the payment of  insurance compensation will only be available if reporting requirements are met.

Article 5 of the LOPMI will come into on 24 April 2023.