Is a cyber-attack ”Force Majeure”? Je ne crois pas!

  • United Kingdom
  • USA
  • Commercial and IT
  • Privacy, data protection and cybersecurity
  • Technology, Media and Telecoms - General

12-12-2017

What?

Force majeure clauses are designed to address the risk of events which arise during the course of a contract and are beyond the control of the parties. These clauses can operate to suspend the performance of obligations for the duration of the force majeure event, without liability, affording the affected party the opportunity to restore business-as-usual operations. They are the contractual equivalent of a "timeout" in a sporting event.

Traditionally, force majeure clauses were drafted to address events beyond the reasonable control of the parties, including "Acts of God" such as fire, floods [1], earthquakes, tsunamis [2], volcanic ash clouds [3] and plagues of locusts [4]. Increasingly, however, force majeure clauses are being used by Cloud service providers, software vendors and managed service providers to excuse them from the impact of cyber incidents. Would the CEO of your business accept that the disclosure of 100,000 customer credit card details, or the theft of the blueprints for a new product, after hackers exploited a vulnerability in your supplier's IT infrastructure, was a force majeure event?

Unwary customers often regard force majeure as "boilerplate" and rarely bother to read the clause (which possibly explains why "zombie apocalypse" and "alien invasion" started popping up in IT outsourcing agreements [5]).

So what?

Having adequate mechanisms in contracts to avoid or minimise liability during a force majeure event is key for suppliers. Customers, in turn, should ensure that they understand their exposure and options if a cyber security incident occurs in their supply chain. Imagine being a customer of Saudi Aramco in August 2012, when the Shamoon wiper destroyed data on tens of thousands of its workstations [6]: would a customer regard such an attack as a major event absolving the supplier from performance, or as something that could have been reasonably prevented or otherwise mitigated by appropriate systems and controls?

If a cyber-attack is an Act of God or Force Majeure, we might all need to reconsider our approach to religion.

Standard force majeure clauses

Force majeure is not a term defined by legislation [7]. The events comprising force majeure should be agreed between the parties based upon the nature of the agreement, the products or services to be supplied under it, the location of the customer's and supplier's operations, the availability of insurance, and a sensible allocation of risk.

Where they are not specifically included, cyber incidents might be covered by certain common categories of force majeure events:

  • Theft: may cover certain intrusions and scams where the object or intent is to extract a financial benefit.
  • Malicious damage: may include malicious code, tools or devices designed to disable or disrupt systems, infrastructure and operations.
  • Act or threat of terrorism: this will require the relying party to adduce conclusive evidence that the attack was perpetrated by or on behalf of a recognised terrorist group [8].
  • Act of government/war: certain attacks (such as the 2014 attack on Sony Pictures Entertainment or the apparent Russian interference in the 2016 US elections) are generally attributed to "hostile" governments, but definitive nation-state attribution can be very difficult to prove, and many countries are increasingly blending state-sanctioned hacking with merely state-tolerated hacking. Furthermore, what is one day just a country turning a blind eye to a hack by its private citizens can the next day become state-sponsored or state-directed hacking.

In addition to a list of specific events, the affected party may seek to rely on the commonly used catch-all "any other event or circumstance beyond the reasonable control of the relevant party". But that is not an automatic get-out-of-jail card:

  • What is control? The courts will expect companies to have a significant measure of control over their own business [9], including when it comes to technical and operational controls. Therefore, a party which has suffered a cyber security incident is unlikely to be protected if the incident was brought about by its own failings, such as not adhering to its own IT security policies or industry standards, or non-compliance with agreed IT security or business continuity/disaster recovery provisions in the contract itself.
  • There is no 'one size fits all'. The purpose and context of the contract and the nature of the parties' businesses are key to determining what is within "reasonable control". As a rough guide, the more central technology is to the relevant party's business, the less likely it is that an attack on, or accident affecting, such infrastructure will be considered beyond its reasonable control (contrast a company whose main product is a Cloud-based CRM platform with a customer whose main business is manufacturing widgets).
  • Unpredictability and severity are no guarantees. An event being unforeseeable does not automatically put it outside the control of a party [10] and, as demonstrated by cases assessing the interpretation of force majeure clauses in the wake of the 2008 financial crisis [11], the scale or severity of the incident (and its impact on the victim) may not be relevant either.
  • There is no substitute for clarity. As stated above, it is of paramount importance to allocate risk and responsibility between the contracting parties. Is it right that the supplier alone should determine what "appropriate technical and organisational measures" are, or how frequently data should be backed up?

In our view, cyber incidents are unlikely to be adequately or conclusively covered by existing boilerplate force majeure clauses. You should consider whether the boilerplate language should be amended to cater specifically for events impacting IT and other operational functions.

Furthermore, whilst a customer may have some sympathy for a supplier that falls victim to the actions of a third party where the supplier can demonstrate that reasonable precautions were taken, it would rarely regard it as acceptable for a supplier to exclude liability for the harmful or destructive acts of its own rogue employee.

Planning for cyber incidents

Set out below are a number of key considerations when reviewing or negotiating force majeure clauses. For this purpose, we approach the drafting from the perspective of the customer:

  • Assess the risk: consider how reliant you are on the supplier's IT environment. It is good practice to conduct detailed supplier due diligence, including investigating the resilience of the supplier's infrastructure (and that of its supply chain) and testing business continuity/disaster recovery plans against a range of scenarios. These tests should be repeated periodically and any gaps plugged. However, even the purchaser of widgets will feel the impact of a cyber incident at its supplier's premises: the supplier might not be able to take or make orders, and production or distribution might stop or slow down for days or weeks. Understanding where those cyber stress points are will help you manage them.
  • Cyber insurance. In the same way as cover is taken out to protect against natural disasters, customers (with the help of their brokers) should assess the need for cyber-risk insurance. Legal advice should be sought if there is any uncertainty about the scope of cover: whilst the customer may expect to carry the risk of fire, flood and lightning strikes on its own premises, a lightning strike or DDoS attack on a supplier's data centre should not excuse the data centre provider from the obligation to switch to a secondary site or to insure against the risk of loss or corruption of customer data.
  • Liability: what is the interplay between the force majeure clause and the liability provisions? Does the force majeure clause excuse the supplier from all liability, or does it only buy the supplier time to deliver?
  • Internal v. external, malicious v. accidental: where do I draw the line? Suppliers will naturally push for the widest possible definitions. Only those types of cyber risk that are genuinely outside the reasonable control of your counterparty are appropriate for inclusion within a force majeure clause. Each contract will strike its own balance, and this is a matter for negotiation and leverage.
    • As a customer, you might take the view that 'insider jobs' (including malicious acts and recklessness) should never be categorised as force majeure. After all, the supplier (as employer) is best placed to manage that risk. Introducing conditionality is a good way of rebalancing the risk: the force majeure trigger might be made conditional on the supplier having enforced (and being able to evidence) robust internal IT security policies and/or having acted in line with industry best practice.
    • External cyber-attacks are a more natural candidate, but what if the attacker was let in because of a failure to apply a security patch that had been available for some two months (as with WannaCry and Petya/NotPetya in 2017, which spread using a Windows SMB vulnerability Microsoft had already patched)? A patching obligation, or a requirement to follow a recognised security standard, is one way to keep such failures outside the clause.
  • How long am I prepared to wait? Force majeure events usually mean the obligation to perform is suspended rather than extinguished, but an express right to terminate should always be included if the event continues beyond a certain length of time. In practice, a duty to mitigate is an added incentive for the supplier to ensure that delays do not go on indefinitely.
  • What happens in the meantime? Consider who pays for the costs of workarounds, as well as rights to suspend payments and 'step-in' provisions.
  • Mutuality. Keep in mind that cyber risk, and force majeure clauses, often go both ways, so expect a request for mutuality. However, a force majeure clause can be skewed to reflect the fact that the type of cyber risk and the exposure are often not the same on both sides (although do keep in mind that there may be statutory controls on force majeure clauses in supplier standard-form contracts [12]).
  • Separate out? Although traditionally force majeure events are all listed in a single clause, this does not have to be the case. If cyber-related events are important and complex enough, consider whether they might fit better as a stand-alone provision or as part of the business continuity/disaster recovery provisions (particularly if force majeure protection is made conditional upon performance under those provisions).
  • Interaction with other clauses. As will have become clear from the above, force majeure clauses are only one aspect of the contractual response to cyber security and should be developed holistically with the other provisions of the contract. In the context of cyber risk, the IT security, data protection and business continuity/disaster recovery provisions tend to pull in the opposite direction to force majeure clauses. Information sharing, liability, exclusion and termination provisions might need to be adapted accordingly.

References

  1. https://www.ft.com/content/6b20d192-0613-11e1-ad0e-00144feabdc0?mhq5j=e5
  2. http://fortune.com/2016/04/17/toyota-earthquake-disruptions/
  3. http://www.telegraph.co.uk/finance/personalfinance/insurance/travel/11047965/Just-one-in-four-insurers-covers-volcanic-ash-as-standard.html
  4. Exodus 10:12
  5. anon
  6. http://money.cnn.com/2015/08/05/technology/aramco-hack/index.html
  7. Force majeure is a pure creature of contract: it is up to the parties to define what it means in their contract. See e.g.: Tandrin Aviation Holdings Ltd v Aero Toy Store Llc & Anor [2010] EWHC 40 (Comm), at [43].
  8. Note that the definition of "terrorism" in section 1 of the UK Terrorism Act 2000 includes action which "is designed seriously to interfere with or seriously to disrupt an electronic system".
  9. Great Elephant Corp v Trafigura Beheer BV (The Crudesky) [2013] EWCA Civ 905.
  10. Great Elephant Corp v Trafigura Beheer BV (The Crudesky) [2013] EWCA Civ 905.
  11. Tandrin Aviation Holdings Ltd v Aero Toy Store Llc & Anor [2010] EWHC 40 (Comm).
  12. Unfair Contract Terms Act 1977.