This page has been automatically translated. Please refer to the page in French if needed.
Prevention
Cyberattack in the course of the professional activity: compensation subject to a complaint within 72 hours
Publié le 03 mai 2023 - Directorate for Legal and Administrative Information (Prime Minister)
As of April 24, 2023, any natural or legal person who is the victim of loss or damage caused by a cyber-attack in the course of their professional activity will have to file a complaint within 72 hours of knowledge of this breach in order to be able to be compensated by their insurer.
Under the Ministry of Interior’s Guidance and Programming Act of 24 January 2023 (LOPMI), compensation for loss and damage caused by a cyber-attack is now subject to the filing of a complaint in the 72 hours after knowledge of the breach (Article 5 of that Law).
Scope of this measure
This provision only applies to cyber-attacks in the framework of professional activity.
It applies to natural persons (self-employed persons, individual contractors, etc.) as well as legal persons (companies, associations, public administrations, etc.).
An individual who is the victim of a cyber-attack in a private context is not obliged to lodge a complaint in order to benefit from insurance cover, as long as such cover is provided for in his insurance contract.
Please note
This new provision shall apply immediately to all insurance contracts in progress in view of its objectives of combating cybercrime.
72 hours to file a complaint
A natural or legal person who is the victim of loss or damage as a result of a cyber-attack in the course of his business shall have a 72-hour period to lodge a complaint if she wishes to be compensated by her insurer.
This period shall start from discovery by the victim of loss and damage caused by the cyber attack, not from the date of the cyber attack itself. In other words, it is possible to file a complaint if the victim has recently become aware of a cyber attack, which is old.
Warning
However, the requirement to file a complaint within 72 hours is not sufficient to be compensated. It is necessary, in fact, that the victim's insurance contract provides cover against cyber risk. It is advisable to get in touch with your insurer as soon as possible.
In any event, a trader insured against cyber risk but who does not file a complaint within 72 hours of becoming aware of a breach caused by a cyber attack will not be able to be compensated by his insurer for the losses and damages he has suffered as a result of that attack.
The targeted cases of cyber-attacks
All cyber-attacks are affected by this new measure.
These include:
- malware attacks (including ransomware);
- phishing (attempting to retrieve confidential information by impersonating a known entity);
- data theft;
- system removal (unsolicited modification of a website);
- Denial of Service attacks (denial of service attacks)
- intercepts of communication, for example on a public wifi network;
- vulnerability exploitation, previously uncorrected, present in software.
What should I do in case of a cyber attack abroad?
Firstly, when the insurance contract is not not subject to the french insurance code, the obligation to filing within 72 hours does not apply.
On the other hand, a French company is provided by a contract governed by the french insurance code and a victim of a cyber attack abroad can:
- lodge a complaint in France, within the 72-hour time limit set by law;
- file a complaint in the country where the cyberattack took place, provided that the cyber-attack in question also constitutes an offense in that country. In this case, the filing of a complaint with the competent authorities of that country within 72 hours of the knowledge of the breach makes it possible to fulfill the obligations to lodge a complaint.
In any event, the time limit for lodging a complaint shall never be extended.
Additional topics
Service-Public.fr
Ministry of Economy