The French Interior Ministry’s Orientation and Programming law (LOPMI)

As of April 24, 2023, the French Interior Ministry’s Orientation and Programming law (LOPMI) imposes an obligation on companies that are victims of malicious computer attacks to file a complaint in order to preserve their right to compensation under their insurance policy.

What are the implications for the French Insurance Code?

This new obligation is now included in article L.12-10-1 of the Insurance Code as follows:

Art. L. 12-10-1 of the Insurance Code: "The payment of a sum pursuant to the clause of an insurance contract intended to compensate an insured for loss and damage caused by a breach of an automated data processing system mentioned in Articles 323-1 to 323-3-1 of the Criminal Code is subject to the filing of a complaint by the victim with the competent authorities no later than seventy-two hours after the victim's knowledge of the breach.

This article applies only to legal entities and to natural persons in the course of their professional activity."

The practical details of application are not defined by LOPMI, creating areas of vagueness for the companies concerned and their insurers. We are not aware at this stage that an implementation decree or circular is planned. Taking a cautious approach, Marsh can only advise its clients to adapt their procedures within a strict interpretation of the law.

In order to assist our clients in this process, we have compiled a list of Questions / Answers on the main issues when considering the impact of LOPMI on insurance matters.

What is the legal scope of the new article L.12-10-1 of the Insurance Code? 

  • Article L.12-10-1 is a provision of public order. The insured and the insurer cannot therefore deviate from it, as failure to comply with this provision potentially exposes the insurer to a risk of sanction by the regulator. The obligation to file a complaint according to the LOPMI is therefore binding on the insured, whether or not it is written into the insurance contract.
  • However, in practice, Marsh recommends that a specific clause be inserted into contracts recalling the obligation to file a complaint as a condition of coverage.

Does this obligation apply if my insurance contract is subject to a law other than French law?

  • The Insurance Code applies to contracts governed by French law.
  • However, given the LOPMI's stated objective of combating cybercrime, this article could constitute a "police law": A judge could apply it to victim entities domiciled in France, even if they are insured under a policy governed by foreign law, or even to foreign entities if the insurer of the contract is itself an insurer subject to the supervision of the ACPR.

Does the obligation to file a complaint apply only to malicious breaches?

  • Yes, it does. The obligation covers any malicious intrusion into an information system, whether or not accompanied by a ransom demand.
  • Accidental breaches of the information system are not within LOPMI’s scope.

If foreign subsidiaries are victims of a malicious attack, are they subject to the obligation to file a complaint?

  • Article L.12-10-1 does not specify anything about the nationality of the victims: Foreign entities that are victims of a breach and are insured under a French insurance contract are therefore, in theory, impacted. In the event of a breach, each victim entity will have to file a complaint with the competent authorities of its country in order to receive compensation.
  • We recommend that our clients issue instructions to this effect, before April 24, 2023, to their entities in France and abroad directly covered by a French insurance policy.
  • There is an area of uncertainty in cases where the claim would not be admissible in the country of the subsidiary.
  • The situation is also complex when the entity impacted by the breach is located in a country where "non-admitted" insurance is not authorized and the insurance policy is triggered via a FINC clause. In such a case, the question arises as to who is responsible for filing a complaint: the policyholder in France (provided that the complaint is admissible), or the local entity with its competent authorities?

Are people who do not have a cyber insurance policy concerned by LOPMI?

  • Potentially yes. Article L.12-10-1 covers any indemnity paid to an insured as compensation for loss and damage caused by a malicious breach: Cyber insurance policies, but also any other insurance policy that may intervene to compensate said loss and damage. In particular:
    • Fraud policies
    • Property Damage policies covering material damage following a cyberattack
    • K&R policies
  • As far as third-party liability insurance is concerned (General Liability / Professional Liability / third-party cyber policies), there is a debate as to whether they are subject to the obligation to file a complaint. Damages paid to third parties following a liability claim originating from a cyber event may not be considered as subject to LOPMI, as they are not losses or damages suffered by the insured. Nevertheless, it seems preferable to proceed with the filing of a complaint, because:
    • The argument of the defence costs incurred by the insured in responding to a claim is not relevant.
    • In the event of a claim following a cyber event, it is seldom possible to determine with certainty that the breach has not caused other damage of which the insured is not yet aware.

If a company is the victim of a malicious attack without ransomware, should it file a complaint? 

  • Yes. Filing a complaint is required to obtain compensation for all "losses and damages" caused by a breach and suffered by an insured, not just reimbursement of the ransom. This includes, but is not limited to:
    • Assistance costs.
    • Costs (notification, remediation, advice, defence, and so forth).
    • Business interruption.

Is there a specific complaint procedure? 

  • We are awaiting further information on the possible introduction of a simplified complaint procedure. For the time being, a complaint can be physically filed with the police or the gendarmerie (the preferred methods to ensure that the 72-hour deadline is respected), or with the Public Prosecutor.
  • It should be noted that a pre-filing of a complaint within the 72-hour time limit does not satisfy the condition imposed by LOPMI. This was considered and then rejected in the parliamentary debates.
  • LOPMI does not comment on the content of the complaint either. Given the 72-hour time limit, the complaint must at least mention a malicious attack on the victim's Information System.

How is the 72-hour period determined? 

  • The law provides for a 72-hour (calendar) period from the time the victim (and not the parent company) becomes aware of the impact of the computer breach.
  • The burden of proof is on the insured.
  • Since the term "knowledge" is not defined by LOPMI, Marsh considers that it is the moment when the entity has confirmation of the existence of a malicious attack. On the other hand, the observation of a malfunction whose cause the victim does not know, or whose malicious nature is not demonstrated, would not trigger the 72-hour period.
  • It is important to separate the "filing of a complaint" from the "notification of the claim" to the insurer. The 72-hour period applies only to the filing of a complaint. It is necessary to file a complaint within the time limit, even if the insured does not yet know whether or not their claim will exceed their deductible, in order to protect their interests and avoid the risk of a denial of coverage for filing a complaint outside the legal time limit.

For any further information, you can send your inquiries to the following address: #MarshEURLOPMIFR@marsh.com

 
