The introduction of Article L12-10-1 to the French Insurance Code will increase the burden on victims of cyber-attacks who wish to make a claim under their cyber policy.
Article L12-10-1 (the “Article”) will come into force on 24 April 2023. From this date, policyholders in France will be required to file a complaint with the “competent authorities”. They must do so within 72 hours of their knowledge of a breach in order to make a claim for reimbursement under an insurance policy.
Due to its compulsory nature, we expect that the data captured by the competent authorities will likely enable a better understanding of such attacks and will inform future resilience and better cyber security hygiene.
However, since some concepts within the Article are broad, an unintended consequence may be that policyholders develop a propensity to over-report, which may cause an administrative burden.
The Article reads:
The payment of a sum pursuant to the clause of an insurance contract intended to compensate an insured for losses and damages caused by a breach of an automated data processing system mentioned in Articles 323-1 to 323-3-1 of the Penal Code is subject to the filing of a complaint by the victim with the competent authorities no later than seventy-two hours after the victim's knowledge of the breach.
We observe the following:
- The Article may have a wider application to other insurance policies, not just in respect of cyber policies.
- The notification requirements set out in the Article are in addition to any other notification requirements.
- “Competent authorities” is not defined within the Article, nor does it refer to any external source for determination. We note that during the drafting stages, reference was made to the police and to the judicial authority.
- It is not clear when the time period to report commences.
- The Article does not set out the method by which a policyholder must make a notification.
- The Article contains the phrase “loss and damages caused by a breach”. The causative effect of a loss can be a thorny issue between insurers and policyholders.
- It is not clear what is meant by “the victim’s knowledge”. The policyholder is likely to be a partnership or a corporate entity. Could the definition of “victim” mean the controlling mind of the entity? Perhaps it means the knowledge of a single member of the board. In which case, what happens if a board member acquires knowledge of the breach, but does nothing with that knowledge?
- The phrase “[t]he payment of a sum pursuant to the clause of an insurance contract … is subject to…” requires some consideration. It is not clear whether non-compliance renders the policyholder’s claim for reimbursement unenforceable, or whether the insurer is barred from making any payment unless the policyholder has complied with the requirements of the Article.
In either situation, primary insurers will need to closely examine their reinsurance requirements.
- Although the Article appears to operate independently and in parallel to the policy wording, we may see an emergence of market clauses expressly incorporating the Article’s requirements. This could be achieved in a number of ways and so it will be interesting to see how policy wordings are adapted in response.
Insurers and policyholders in France will soon be required to grapple with the new regime. We suspect that the introduction of the Article will cause some tension, at least during its infancy. Policyholders will, and do, press insurers to confirm cover early in a cyber-attack. This is entirely understandable. Policyholders and insurers will want to ensure compliance with the new regime.
It will be interesting to see if other jurisdictions follow suit.