Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

The ANSSI and the CNIL recommend additional cybersecurity protections beyond those that are mandated by law. As such, 42 measures to protect data and IT systems from cyberthreats have been published. See question 6.

How does the government incentivise organisations to improve their cybersecurity?

The approach taken towards cybersecurity is clear in France: it must be taken seriously and appropriate measures must be set up. As such, the ANSSI and CNIL regularly publish guidelines and recommendations of good practice.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

The 42 measures to protect data and IT systems from cyberthreats (which are very broad) can be accessed via the following: https://www.ssi.gouv.fr/guide/guide-dhygiene-informatique/.

Recently, a dedicated website has been set up to help small and medium-sized enterprises, which can be accessed via the following: www.cybermalveillance.gouv.fr.

The CNIL has also produced a detailed guideline and checklist on the secure handling of personal data, available via:

  • www.cnil.fr/fr/principes-cles/guide-de-la-securite-des-donnees-personnelles; and
  • https://www.cnil.fr/fr/securite-des-donnees.

Are there generally recommended best practices and procedures for responding to breaches?

France has adopted best practices and procedures. As such, the ANSSI and the CNIL recommend that the first step is to deploy a host-based intrusion detection system and a network-based intrusion detection system so that an intrusion can be identified in real time and its extent confirmed (compulsory for organisations identified as of essential importance).

Should a breach be identified, it is recommended that the organisation should:

  • disconnect the affected IT system from the network;
  • inform the local Computer Emergency Response Team;
  • make a clone copy of the hard disk drive;
  • gather evidence and search for a digital footprint; and
  • file a complaint to the police.

For organisations of essential importance, notification shall be made to the ANSSI. For private and public data controllers and processors, notification shall be made to the CNIL.

After the attack, it is recommended that, to analyse the intrusion, organisations should:

  • search for any modifications made to the operating system and operating system files;
  • analyse if there has been any alteration or modification of data;
  • search for any data or tool that may have been introduced by the hacker;
  • analyse the logs;
  • look for any sniffer on the network; and
  • analyse the other devices and hardware connected to the affected network.

Information sharing
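The first item in the list above (searching for modifications to the operating system and its files) is normally done by comparing the compromised host against a baseline of file hashes taken before the incident. The following script is an added example illustrating that comparison; it is not part of the guide and not an ANSSI or CNIL tool. It builds its own small directory tree as a constructed sample, records a baseline, simulates tampering (a replaced binary, a dropped file and a deleted file) and reports the differences. The file names and contents are assumptions for the demonstration only.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its hash."""
    return {
        str(path.relative_to(root)): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def save_baseline(baseline: dict, target: Path) -> None:
    # In practice the baseline file is kept off the monitored host (or signed),
    # otherwise an intruder with write access can simply rewrite it.
    target.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(source: Path) -> dict:
    return json.loads(source.read_text())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose hash changed, files that appeared and files that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tiny 'system', tamper with it, then diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")  # constructed content
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        baseline_file = Path(tmp) / "baseline.json"  # would live off-host in reality
        save_baseline(build_baseline(root), baseline_file)

        # Simulated post-intrusion state: replaced binary, dropped tool, deleted config.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "tmp").mkdir()
        (root / "tmp" / ".dropped").write_bytes(b"tool left behind")
        (root / "etc" / "hosts").unlink()

        return compare_to_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints `bin/ls` as modified, `tmp/.dropped` as added and `etc/hosts` as removed. The comparison is only as trustworthy as the baseline: it must have been captured before the intrusion and stored where the intruder could not alter it, and the host should be examined from the cloned disk image rather than the live, possibly still compromised, system.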

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Article L2321-4 of the Defence Code provides that, for the sole purpose of protecting an information system, someone acting in good faith may inform the ANSSI about a cyberthreat. Further, the whistle-blower’s identity is protected and several websites have been set up to encourage the sharing of information.

In this regard:

  • illegal internet content may be declared via: www.internet-signalement.gouv.fr/PortailWeb/planets/SignalerEtapeAccepter!load.action;
  • vulnerabilities may be declared via: www.ssi.gouv.fr/en-cas-dincident/vous-souhaitez-declarer-une-faille-de-securite-ou-une-vulnerabilite; and
  • cyberthreats and vulnerabilities are made available via: www.cert.ssi.gouv.fr.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The government and the private sector cooperate through non-profit organisations. As such, the ANSSI (acting on behalf of the government), Thales Communications and Security SAS and Électricité de France (EDF) form part of the European Cyber Security Organisation (ECSO). The ECSO brings together public and private entities and aims to develop, promote and encourage European cybersecurity. Additionally, a public-private partnership on cybersecurity was signed on 5 July 2016 to better equip the European Union against cyberattacks and to strengthen the competitiveness of its cybersecurity sector. Naturally, these include, and will benefit, French industries and the government.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Europe represents 10 per cent of the cyber risk insurance market and it is a fast-emerging market in France, as shown by the increasing number of institutional reports (for instance, those of the OECD or the Club des Juristes). Insurers are offering such services, and given the rise in awareness about the matter, the demand for such services will continue to grow. However, as cyberattacks are not easily predictable (in nature or consequence), these types of insurance may be expensive.