Governance & Risk Management
Incident & Breach Response
Should French Multinationals Report Breaches Outside France? To Whom? By When?
A French law requiring companies to report cyber incidents to authorities within 72 hours or lose their eligibility for cyber insurance reimbursement has practitioners scratching their heads.
See Also: OnDemand | Navigating the Difficulties of Patching OT
The new law, set to take effect on April 24, will cover a range of cyber incidents, such as illegal access to information systems and the deletion, theft or modification of data. The law also explicitly authorizes cyber insurers to cover ransomware payments.
The theory behind the statute is that the threat of losing insurance coverage will incentivize more companies to disclose cyber incidents, offering more data for law enforcement agencies and policymakers to collect and use to counter cyberthreats.
The question on many minds is: Report to whom? In France, two federal agencies handle cyber events: the national information system security agency, or ANSSI, and the French data protection authority, or CNIL – an independent agency regulatory body tasked with the oversight of national and European data protection laws.
The law tells companies to disclose the breach to “competent authorities” and file an impact assessment with police and judicial authorities, says analysis by law firm Orrick.
“The law also does not specify whether there will be a specific mechanism for filing such complaints,” Orrick attorneys write. “However, the French General Directorate of Internal Security states on its website that cyberattacks can be reported online via the website of the Ministry for the Interior, which has a general criminal complaints portal.” Neither ANSSI nor CNIL responded to Information Security Media Group’s request for clarification.
Another question is: Report within 72 hours of what, exactly? “Is this 72 hours after your log files show signs of unauthorized access or 72 hours after your staff was able to determine with certainty that it indeed was a security incident?” writes Pieter Arntz, a malware intelligence researcher at security firm Malwarebytes.
Global companies with headquarters in France will have the most uncertainty, experts say, since the law will add an extra layer of compliance to organizations with servers in multiple jurisdictions.
“The question in front of them, for instance, will be: Should a claim in the Malaysian subsidiary of a French group, covered by the local Malaysian policy, be reported to the French authorities under this law?” says Jean Bayon de La Tour, managing director and European head of cyber at Marsh McLennan.
She also says that the vast majority of small and medium-scale enterprises generally tend not to buy cyber insurance, meaning the law will not incentive them to report data breaches to the French government.