Cyber Attacks - Force Majeure

The Cyber Security Breaches Survey 2024 results were published by the UK Department for Science, Innovation & Technology. They estimated that UK businesses have experienced approximately 7.78 million cyber crimes of all types and approximately 116,000 non-phishing cyber crimes over the last 12 months. They estimate the average cost for business is approximately £1,120 per victim.

One commonly overlooked contract clause is the Force Majeure (FM) clause. With the growing demand for suppliers to have cyber insurance and the scrutiny on all security-related contract provisions, there is a question of whether the Force Majeure clause is robust enough to meet those demands.

RMOK has considered this and, in principle, most contracts leave it open to interpretation as to whether the FM provisions cover cyber attacks. To minimise the risk of being unable to rely on FM in the event of a cyber attack, cyber attacks should be explicitly included as an FM event.

What is Force Majeure?

FM clauses allow one (or both) parties to suspend performance of, or even terminate, an agreement because the impacted party is prevented from performing its obligations (eg, due to an act of God, earthquake, flood, war, terrorism, epidemic…). The catch-all phrase is “beyond the reasonable control of the party”.

Isn’t a cyberattack ‘beyond the reasonable control of a party’?

In theory, it could be, for example if the attack was linked to terrorism or war. This was considered in a US case where a Russian-launched malware attack was raised as an act of terrorism or war. However, the case highlighted how difficult it was to demonstrate that a national government dictated or issued the attack.

Also, we cannot ignore the GDPR obligations requiring businesses to take reasonable steps to protect against cybercrime. This means that if you are going to rely on FM for a cyber attack on the grounds of it being beyond your reasonable control, you will have to demonstrate that you had taken reasonable steps to prevent an attack.

Consider the UK case of 2 Entertain Video Ltd v Sony DADC Europe (2021), where there was rioting in a warehouse that caused a fire, destroying the plaintiff’s property. FM was raised on the basis that riots were not foreseeable and were outside reasonable control. The Court found that the risk of trespassers was not unforeseeable or outside reasonable control. If the defendant had taken steps to provide adequate security measures, the impact of the attack would have been reduced (eg, delayed or even deterred entirely). The defendant was found to be in breach of contract.

What should you do?

Take a look at your FM clauses and see if you should add a reference to cyber attacks, ransomware attacks or related incidents or intrusions. It might not always be relevant but given the UK Government’s Survey results, it would be wise to take pause now.
