German fuel distributor Mabanaft and its related company Oiltanking Deutschland recently suffered a substantial cyber-attack causing significant disruption to their business operations. In response they declared force majeure on a number of their contracts.
The attack gives rise to a number of topical issues:
- The increasing prevalence of cyber-attacks which bring the operations of a business to a halt;
- Whether force majeure provisions can protect businesses in that situation; and
- Given the recent warning that international tensions are likely to result in increased cyber-attacks, whether such attacks can ever be considered acts of war or terrorism.
Attacks affecting business operations
There is a steady increase in attacks which have a fundamental effect on the victim’s ability to trade. This is usually either because the attack is so widespread that it affects enterprise-wide systems or because the attacker has specifically targeted business critical applications such as control systems.
The attack comes a little under a year after a ransomware attack on Colonial Pipeline shut down a large oil pipeline and disrupted fuel supplies in the south-east of the United States. Closer to home a ransomware attack on KP Snacks recently brought their day to day operations to a halt.
Incidents of this degree of severity give rise to a much wider range of considerations than more common incidents, which are often limited to a discrete part of the system. In addition to the more familiar legal issues, such as whether notifications to regulators and data subjects are necessary, they can give rise to substantial commercial disputes because of the victim’s inability to carry on business as normal.
Accordingly, it is increasingly important that businesses take into account the risk of severe incidents of this sort in their incident response and business continuity planning. It is also important that the risk of such events is properly taken into account in areas such as negotiating commercial contracts and obtaining adequate cyber insurance.
The law of force majeure
Under English and Welsh law force majeure is often a difficult issue which gives rise to the potential for disputes. Whilst it is often talked about as a term of art it is better to think about force majeure clauses as a family of common contractual clauses, which allow one or both parties to suspend performance whilst the force majeure event is continuing (and potentially terminate if the matter is not resolved within a defined period).
Whether a cyber-attack constitutes a force majeure event therefore depends on the precise wording of the contract in question. Force majeure clauses will typically list circumstances that amount to force majeure as well as often including a catch-all provision for circumstances beyond a party’s reasonable control.
In some cases cyber-attacks are specifically named, in which case it is likely that force majeure can be claimed. However, many contracts with more traditional wordings will not refer to cyber-attacks at all but only to “acts of god” and similar events. It is not uncommon for theft or malicious damage to be included in the list of causes, and those clauses may apply depending on the nature of the attack.
Attention may then turn to the catch-all provision for circumstances beyond a party’s reasonable control. Whether this applies will depend on the specific facts in question. In particular, most businesses (particularly those handling personal data and therefore subject to Art 5(1)(f) UK GDPR) are expected to take reasonable steps to protect against cybercrime. A counterparty may therefore argue that an attack which succeeded because those steps were not taken was within the victim’s control, and this may engender disputes over whether or not the victim’s business had taken sufficient steps to protect itself.
A final area to give close attention to is whether the clause only applies when performance becomes impossible or whether it can be invoked simply when the contract is delayed. Whilst it is possible that a cyber incident may make performance impossible, in many cases performance will simply be delayed whilst the victim’s systems are restored.
War and terrorism
It is common for force majeure clauses to exclude losses arising from war and terrorism. However, whilst some attacks have in the past been linked to the security services of nation states, the degree of association between hacker groups and nation states is often much more diffuse.
The burden will be on the party seeking to rely on the clause to prove both (a) which hacker group was responsible (which can often be deduced from threat intelligence such as the ransom note, aliases and the tools used) and (b) that the group is sufficiently linked to a nation state or an ideological movement. It is this second limb of the test which is most difficult to prove, as the available threat intelligence is often insufficient to link a hacker group to a nation state or recognised terrorist group. It is also not uncommon for cyber-criminal groups to split, or to pose as other well-known groups.
Force majeure clauses may apply in the event of a cyber-attack, but this will depend on the wording of the individual clause and the precise nature of the attack, both of which will require careful analysis. Many contracts also require force majeure to be declared promptly and it is important for affected businesses not to miss these deadlines amongst the many other tasks which need to be addressed following discovery of an incident.
Businesses also need to give careful consideration to whether to request or agree to force majeure clauses applying to cyber incidents in their contracts. For many ordinary businesses this will not be unreasonable and recognises what has unfortunately become a fact of life in modern business. However, in the case of suppliers of critical cloud services, or other services which market themselves on the basis that they are able to offer better cybersecurity than their customers, this might be unreasonable. In such circumstances, remedies such as liquidated damages or service credits might be more appropriate.