Insurers will be able to reimburse the ransoms paid by their clients, Bercy decided. A decision that puts an end to a gray area but that runs the risk of promoting cybercrime, denounces a former parliamentarian, author of a report on the subject.
The General Directorate of the Treasury thus proposes “conditioning the insurability of cyber-rescue to the filing of a complaint by the victim”, a measure present in the draft law on orientation and programming of the Ministry of the Interior (LOPMI) presented this Wednesday in the Council of Ministers, specifies the Ministry of Economy in a press release.
Until now, a gray area remained on this issue. If compensation by bailout insurers was not illegal, a parliamentary report had proposed a year ago to ban it.
A “counterproductive” ransom payment according to an expert on the subject
The obligation to file a complaint to be compensated “is a good thing,” Valeria Faure-Muntian, a former LREM deputy and author of the report, reacted to AFP. But according to her, the payment of ransoms is “counterproductive”.
Furthermore, there is no guarantee that the recovered data will be usable or free of a new virus, once the ransom has been paid, says Ms. Faure-Muntian. All the companies “that were kind enough to testify about the recovery of the data (after paying the ransom) declared that the data was not immediately exploitable” and were slow to recover to their pre-crisis status, she stresses. .
A welcome clarification for insurance companies
For Florence Lustman, president of France Assureur, the federation of the sector, “any inaccuracy in a contract, in any case, is bad for the insured and for the insurer.” way”, he estimated in front of journalists on Wednesday. In May 2021, Axa France had suspended the marketing of the “cyber rescue” option, until the insurance intervention framework was specified, and was followed by Generali France at the beginning of 2022.
In its report, the Treasury highlights that in order to develop cyber insurance, which represents only 3% of professional damage insurance contributions, it is necessary, among other things, to better measure damage and, therefore, cyber risk, sharing data between the citizens and the private sector, and “intensify efforts to raise awareness among companies”.
Particularly vulnerable SMEs and microenterprises
According to Mickaël Robart, director in charge of development at brokerage Diot-Siaci, most of the uninsured companies are VSEs and SMEs, which until recently had little understanding of this risk. Today, they are “the ones who need to be secured as a priority” against the threat of ransomware, he believes. They are the ones who are tempted to pay the ransom when “in 99% of cases, the big groups refuse,” he adds.
On the insurers’ side, “it is a risk that is still a bit difficult for us to understand,” Bertrand Romagné, president of the Association of Reinsurance Professionals in France (Apref), explained a few days ago to justify the sector’s reticence in this regard. . He cited the example of the NotPetya virus, which had targeted several companies a few years ago and reportedly cost $10 billion.
And on August 21, the South Francilien Hospital Center (CHSF) in Corbeil-Essonnes was the victim of a computer attack that significantly affected its activity. At the beginning of September, the emergencies were still operating at half speed and diverted patients “who required complex care” to other establishments in the Ile-de-France region. The hackers demanded a ransom demand of $10 million.
Source: BFM TV
