The insurability of ransoms paid after cyberattacks was already far from a consensual subject. The report of the Directorate General of the Treasury on the development of cyber-insurance will not calm the debate. Just published, it is already provoking strong reactions in the small world of cybersecurity, if only on social networks.
In its report, the Directorate General of the Treasury takes note of the still very limited development of the cyber-insurance market. But it sees that market as a "lever for strengthening the resilience of economic actors". It therefore considers that "it is recommended to promote the development of the cyber risk insurance market to strengthen the resilience of our economy and make the Paris market a European center of expertise in this area". It then sets out 18 proposals organized around 4 axes.
The first axis aims to "clarify the legal framework for cyber risk insurance". It is this axis that is driving the debate, because it does not propose banning insurers from covering ransom payments, as the parliamentary report by Valéria Faure-Muntian recommended last fall: instead, the proposal is to "condition the compensation of a cyber-ransom insurance to the filing of a complaint by the victim". The stated objective: "to strengthen [the] support [for the victim] and improve the investigative operations of the police, justice and gendarmerie authorities".
For many, this approach contradicts the advice of the National Information Systems Security Agency (Anssi): "it is recommended never to pay the ransom. Its payment does not guarantee obtaining a means of decryption, encourages cybercriminals to continue their activities and therefore maintains this fraudulent system".
However, the Treasury's approach is in line with that of Beauvau (the Ministry of the Interior), which seemed, in the spring, to be seeking to make the declaration of ransom payments compulsory. On the other side of the Atlantic, a comparable provision applies to critical infrastructure operators: they must declare any ransom payment following a cyberattack to the authorities within 24 hours.
The implicit message is simple: avoid paying, but if payment seems like the only option, do it in a way that allows the money to be tracked. Tracing bitcoin payments is not necessarily trivial, but it is far from impossible, and it can lead to the seizure of extorted sums or even the arrest of the criminals involved in the mafia-style economy of ransomware.
Beyond that, the Treasury puts forward proposals to "better understand and measure cyber risk", "improve the sharing of risk between policyholders, insurers and reinsurers", and "increase efforts to make companies aware of cyber risk". Here, VSEs and SMEs are clearly targeted: the vast majority of them are not covered for cyber risk, and they represent significant potential for broadening the base of collected premiums, which would help make cyber insurance more solid and more sustainable.
In its proposals, the Treasury report returns to the idea of creating a cyber threat observatory. This was one of the key ideas behind the creation of the GIP Acyma, which operates the cybermalveillance.gouv.fr portal.
Earlier this year, the Court of Auditors noted that the GIP began this work in 2018, before formalizing it in 2019 "by producing indicators presenting the state of the threat based on the analysis of requests for assistance from different categories of the public".
A working group was to produce, at the end of 2020, proposals "on the scope, organization and means necessary for the constitution of this future observatory". This was not done. In its report, the Court of Auditors insisted: "this internal work at the GIP must quickly result in concrete proposals to be presented to the board of directors".
But the GIP is not alone in this boat: Anssi as well as the Ministries of the Interior and Justice are also involved. The SGDSN, for its part, considers that Anssi should be responsible for this observatory, with Acyma only contributing to it.