Insurers in driving seat for setting cyber standards in France

The progress of draft legislation making insurance pay-outs dependent on the filing of a complaint in the case of a ransomware attack, shows how insurers can play a role in defining better practices.

In France, draft legislation aimed at requiring the filing of a criminal complaint in the event of a ransomware attack in order to benefit from cyber insurance has moved a step closer to becoming law, as both the National Assembly and the Senate recently voted in favour of the bill.

The proposed law is a first step toward regulating the insurance of cyber losses due to ransomware attacks whilst ensuring that authorities have a better view of cyber attacks affecting French nationals. This is part of a broader stepping up of the response to this growing peril in France.

In this case, the authorities are seeking to use cyber coverage as leverage to promote good practice, namely the systematic reporting of offences.

Beyond this new law and as part of the shared response by the French government and the insurance sector to the ransomware threat, insurers will be expected to take a larger role in setting cyber risk management standards – similar to the role they have historically played in improving fire safety regulations.

While continued broadening of cyber coverage has brought the sustainability of the class into question, recent cyber attacks have highlighted the extent to which many insureds – including large sophisticated organisations – are not implementing the most basic safeguards, and have emphasised the role carriers can (and should) play in policing risk management standards.

However, this focus by both industry and regulators on improved cyber hygiene is also likely to increase the potential for recourse against some IT vendors whose service levels have fallen below expected standards, exposing insureds to attack. An increase in liability actions against cyber professionals and an accompanying uptick in subrogated claims is a likely consequence.

Again, if IT vendors are made accountable for failure to meet basic safety standards, this should improve resilience against cyber criminals.

View all our Insurance 2023 Predictions here