French Cyber Insurance Law Provokes Uncertainty – BankInfoSecurity.com

A French law requiring companies to report cyber incidents to authorities within 72 hours or lose their eligibility for cyber insurance reimbursement has practitioners scratching their heads.
The new law, set to take effect on April 24, will cover a range of cyber incidents, such as illegal access to information systems and the deletion, theft or modification of data. The law also explicitly authorizes cyber insurers to cover ransomware payments.
The theory behind the statute is that the threat of losing insurance coverage will incentivize more companies to disclose cyber incidents, offering more data for law enforcement agencies and policymakers to collect and use to counter cyberthreats.
The question on many minds is: Report to whom? In France, two federal agencies handle cyber events: the national information system security agency, or ANSSI, and the French data protection authority, or CNIL – an independent regulatory body tasked with the oversight of national and European data protection laws.
The law tells companies to disclose the breach to “competent authorities” and file an impact assessment with police and judicial authorities, says analysis by law firm Orrick.
“The law also does not specify whether there will be a specific mechanism for filing such complaints,” Orrick attorneys write. “However, the French General Directorate of Internal Security states on its website that cyberattacks can be reported online via the website of the Ministry for the Interior, which has a general criminal complaints portal.” Neither ANSSI nor CNIL responded to Information Security Media Group’s request for clarification.
Another question is: Report within 72 hours of what, exactly? “Is this 72 hours after your log files show signs of unauthorized access or 72 hours after your staff was able to determine with certainty that it indeed was a security incident?” writes Pieter Arntz, a malware intelligence researcher at security firm Malwarebytes.
Global companies with headquarters in France will have the most uncertainty, experts say, since the law will add an extra layer of compliance to organizations with servers in multiple jurisdictions.
“The question in front of them, for instance, will be: Should a claim in the Malaysian subsidiary of a French group, covered by the local Malaysian policy, be reported to the French authorities under this law?” says Jean Bayon de La Tour, managing director and European head of cyber at Marsh McLennan.
She also says that the vast majority of small and medium-scale enterprises generally tend not to buy cyber insurance, meaning the law will not incentivize them to report data breaches to the French government.
Senior Correspondent, ISMG
Asokan is a U.K.-based senior correspondent for Information Security Media Group’s global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
