Is France moving towards a form of legalization of ransom payments?


The Ministry of the Economy wants companies to be able to benefit from the reimbursement by insurance companies of the amount of ransoms they have had to pay to cybercriminals to recover their data. This provision is now included in the bill of the Ministry of the Interior which was presented this Wednesday, September 7.

According to some cybersecurity experts, this text would endorse a form of legalization of the payment of ransoms, to the detriment of the means allocated to the prevention of cyberattacks. The Directorate General of the Treasury has issued a report recommending that insurance companies be allowed to reimburse companies for the ransoms demanded by hackers. However, companies that are victims of data extortion will have to file a complaint within 48 hours after payment of the ransom in order to be compensated.

“This bill, which is based on the work of our working group, strikes a balance between the desire not to finance the ecosystem of cyberattackers and the desire to avoid the death of SMEs and VSEs affected by an attack,” argues the Ministry of the Economy. The provision is now included in the orientation and programming bill of the Ministry of the Interior, which was presented this Wednesday in the Council of Ministers.

Fear of fueling cybercrime

But some cybersecurity experts fear that this provision will contribute to the financing of cybercrime. The National Information Systems Security Agency (ANSSI), for example, is totally against it, advocating instead a ban on paying ransoms. It is equivalent to “shooting themselves in the foot by fueling crime,” protests Jean-Noël de Galzain, the boss of the European cybersecurity software publisher Wallix and an expert in securing access and identities for large accounts.

“If the bill is to carry out permanent crisis management and to accept a negotiation which consists in systematically paying the cybercriminal – because it is covered by the insurer – then we will institutionalize cybercrime. Then, we launch a national cybersecurity strategy with an equipment plan for the most vulnerable, in particular, hospitals. Are we saying that these equipment plans will include public funding which will notably be used to pay for cybercrime? I don’t understand the coherence of this project. The rule for all is obviously not to pay systematically and to fuel cybercrime. It’s that simple.”

The new legislation will pass through Parliament next month. Bercy indicates in a press release that this is a clarification of the legal framework of the Insurance Code, recalling that so far, no law authorizes or prohibits the payment of a sum to a group of hackers in France. The bill also includes the creation of a cyberthreat observatory specifically responsible for monitoring the practices of insurers. This new body will be set up by the end of September.
