The report by Valéria Faure-Muntian (37-page / 1.4MB PDF) - deputy of the Loire and president of the Insurance Study Group of the National Assembly – makes a number of recommendations on cyber attack responses. The National Agency for the Security of Information Systems (ANSSI) said that the number of cyber-attacks has quadrupled since the beginning of the Covid-19 pandemic, and that 2020 saw a 225% increase in reports of ransomware attacks compared to 2019.
But technology expert Annabelle Richard has said that companies sometimes have little choice in how they respond, in particular to ransomware attacks.
"It is easy to understand the position of the authors of this report regarding the assumption of ransom payments by cyber insurance and the various risks that this generates,” she said. “Nevertheless, it should not be forgotten that for a number of organisations, non-payment of the ransom is not an option because it is the only way for them to recover their data.”
“Unfortunately in France many organisations are not mature enough in terms of preparing for a cyber incident. As a result, prohibiting the payment of ransoms by their insurers could cause serious issues. Before being able to consider this type of ban, it therefore seems necessary to start by helping and encouraging French companies to better prepare for this type of incident,” said Richard.
The report proposes clarifying and defining the law relating to cyber risks and cyber-attacks. It said that legislation is needed to establish rules on the payment of ransoms. It discusses requiring companies that work with the state or vital interest operators (OIVs) and essential services operators (OSEs) to have a cyber insurance policy.
In order to better take into account cyber risk, the European Insurance and Occupational Pensions Authority (EIOPA) intends to promote the development of a harmonised risk insurance system. Insurance companies have formalised their own classification of the damages covered as the cost of the invasion of privacy, or all necessary costs, expenses and fees incurred by the insured, or those necessary for the restoration of lost or compromised data and computer systems. In the field of cyber-attacks, the insurance industry has defined the notion of cyber business interruption as the period for which the insurer will reimburse the insured for the loss of revenue and operational expenses.
In 2020, cyber risk was the biggest threat to the French economy according to the annual risk barometer published by Allianz. The pandemic has introduced new security risks, particularly for companies whose employees work from home rather than from within company-controlled digital networks.
Insurers have been developing cyber insurance policies for several decades, first in the US and the UK, then in France. While large groups are aware of cyber risks, smaller companies and local authorities are often less well informed.
Jérôme Notin, director general of the Public Interest Group Action against Cyber-Malevolence said in the report: "To start protecting yourself, you must already become aware of the risks. And these risks are real: the news demonstrates it almost daily. This first step taken, it must be understood that a very large majority of cyber-attacks could be avoided if simple measures were respected such as good password management, if security updates were regularly applied, if all data was regularly and properly backed up.”
Director general of ANSSI Guillaume Poupard said in the report: "The prohibition or at least a strict framework of the coverage of the payment of ransoms in cyber insurance policies now seems essential to place all insurers on an equal footing, while considerably drying up the financial windfall of cybercriminals. On the other hand, insurance can play an essential role in the consideration of cyber risk by companies. They have an incentive power that pushes their policyholders to comply with good cybersecurity practices, or even to carry out regular audits to assess their level of maturity.”