A new French law requiring companies to report cyber incidents to authorities within 72 hours or lose their eligibility for cyber insurance reimbursement has left industry experts confused.
The law, which comes into effect on April 24, aims to cover various cyber incidents, including illegal access to information systems and data deletion, theft, or modification.
Additionally, the law authorizes cyber insurers to cover ransomware payments. The idea is that the threat of losing insurance coverage will encourage more companies to disclose cyber incidents, thus providing more data for law enforcement and policymakers to counter cyber threats. However, the question remains: report to whom?
French companies have two federal agencies to approach for cyber events: the national information system security agency, or ANSSI, and the French data protection authority, or CNIL.
The law requires companies to report the breach to “competent authorities” and file an impact assessment with police and judicial authorities, according to legal analysis by law firm Orrick.
However, the law doesn’t specify whether there will be a specific mechanism for filing such complaints. Global companies with headquarters in France will have the most uncertainty, as the law will add an extra layer of compliance to organizations with servers in multiple jurisdictions.
Another question raised by the law is the deadline for reporting incidents – within 72 hours of what? Companies are uncertain whether they should report 72 hours after their log files show signs of unauthorized access or 72 hours after staff determine it is a security incident.
Jean Bayon de La Tour, managing director and European head of cyber at Marsh McLennan, points out that the vast majority of small and medium-scale enterprises tend not to buy cyber insurance, meaning the law will not incentivize them to report data breaches to the French government.