Cyber attacks… a force majeure event?

Saatvika Reddy SathiLaw

In today's digital world, navigating transactional relationships sets new boundaries for parties. From investing in IT to using tech to facilitate seamless business, technology shifts how parties engage in transactions in many ways. However, it commonly provides a forward-looking approach for parties engaging in business. For lawyers, protecting their clients by employing thorough foresight is a principle deeply ingrained in successful lawyering. Therefore, this article calls upon lawyers and business owners to explore the realm of a “greater force” pervading modern transactions: cyber security incidents!

Cyber attacks: An unpredictable force for reckoning

The murky world of cyber crime comes in many shades. In general, the existing literature classifies cyber crimes into four primary taxonomies:

  1. Crimes against persons: Such crimes manifest through cyber bullying and harassment of users in cyber space, or through other crimes such as transmitting child pornography.
  2. Crimes against property: This category includes cyber trespassing, corporate data theft, unauthorised possession of confidential information, intellectual property-related crimes and so on.
  3. Crimes against organisations: These crimes usually target organisations, ranging from cyber terrorism to denial of service (DoS) attacks. Their motivating factors include sabotaging business operations or conducting espionage between companies or nations.
  4. Crimes against society: These crimes sometimes take the form of forgery of currency notes, mark sheets, sale of illegal articles and financial fraud. The perpetrators’ motive is to pollute society’s common thoughts or rebel against society.

Notably, not all cyber crimes fall within these categories, and some may overlap with each other. For the sake of this article, however, we will focus on cyber crimes against organisations. This category covers a broad range of cyber attacks. A prevalent form of such attack is a malware attack. Although malware attacks may seem easy to prevent, they are inherently notorious. Malware can seep through the smallest vulnerability in your computer’s defence system or even in existing software or computing architecture. New malware variants may even be difficult to detect at the right time. Other common attacks include ransomware attacks, distributed denial of service (DDoS) attacks, and even data breaches. These attacks are often unpredictable and threaten companies’ ability to sustain business operations. The resulting damage is not limited to halted business operations; companies also suffer financial and reputational damage.

The sad state of organisational cyber security

When parties such as investors or companies transact for business, they often do not consider the effect of such cyber attacks on their business. When an attack deprives consumers of their services, companies lose millions in just a day to remedy it or face severe reputational damage, indirectly affecting their revenue. These attacks essentially form a part of the indirect costs affecting the company’s revenue. Needless to say, such costs can be fatal to the company. Hence, they try to avoid anticipating the possibility of a successful cyber attack.

Many companies even try to avoid acknowledging the possibility of a cyber attack on their business. Regrettably, they believe that by conducting a data protection impact assessment (DPIA) or by updating their systems and installing anti-virus/anti-malware solutions, they are absolutely secure. Truth be told, absolute security is a myth. As companies continue to grapple with these attacks, they must learn how to legally navigate around them.

Lawyers, in turn, should also learn to set a legal ground to protect their clients against such attacks. Hence, the question arises: can cyber attacks be considered force majeure events?

The force majeure clause

Even before the COVID-19 pandemic, many natural disasters and unforeseeable events, such as the Indian Ocean Tsunami in 2004, the Great Recession in 2008-09, or the September 11 attacks, had reinforced the need to include a force majeure clause in commercial contracts. In common parlance, these disastrous events are often called “acts of God.”

Force Majeure is a French term meaning “greater (or superior) force.” Historically, only French civil law allowed adding a clause to remove or mitigate a party’s liability in the event of an “external, unforeseen, and unavoidable catastrophic event.” However, many other jurisdictions around the world have now adopted this concept of adding such a contractual clause.

In contract law, parties become liable for any breach or non-performance of the terms they agreed to in a contract. However, adding a force majeure clause can allow parties to easily escape contractual liability without accountability. Hence, courts usually prefer to narrow the interpretation of this clause by limiting it to certain specific events, known as “force majeure events.”

Considering a cyber attack as a force majeure event

Contracting parties and lawyers must thoroughly consider different types of cyber attacks and how they can impact their side of the deliverables in a contractual relationship. Since cyber attacks are ever-evolving, there are a few things they must keep in mind. These include:

  1. Foreseeability: This test helps understand if parties can foresee the possibility of a cyber attack happening during their contractual relationship. If the parties to a contract cannot reasonably predict or foresee the event, they can invoke the force majeure clause.
  2. Causation and consequence: There has to be a causal link between a cyber attack and a party’s inability to discharge their contractual obligations. A cyber attack should essentially render the party unable to act as per the contractual terms.
  3. Mitigation and compliance: The party must be affected by the incident despite taking all measures and efforts to comply with relevant existing laws, mitigate the possibility of such incidents, and prevent such events from occurring.

While the above factors are essential, they can also act as double-edged swords and may not allow parties to invoke the force majeure clause. This can happen in the following manner:

  1. Foreseeability: If the parties can reasonably predict or foresee the event, the cyber attack cannot be a force majeure event since this defeats the essence of force majeure.
  2. Causation and consequence: If a cyber attack is directly attributable to an employee or the organisation’s negligence, the party is responsible for the resulting impact of the incident.
  3. Mitigation and compliance: If any of the parties do not comply with the existing laws or standards to mitigate and prevent cyber attacks, they should bear the resulting consequences, including proceedings for non-performance of the contract.

Lastly, it is crucial for the parties to carefully read the force majeure clauses of the contracts they review or enter into. Some force majeure clauses, by their language, can explicitly remove any possibility of including cyber attacks as force majeure events. They may simply state that these incidents, for the purpose of the agreement, are not force majeure events. Such a clause will not help the other party absolve itself of liability under the contract in light of such incidents. It is thus better to attentively review such clauses and negotiate clearly to prevent liability.

Contractual remedy: The way forward

Nowadays, the shadowy cyber crime world forces companies to use a legal lens for smooth commercial transactions. One way of navigating through these detriments is through well-defined contracts. Moreover, classifying cyber attacks as force majeure events may be the apt contractual protection companies seek. However, drafting a proper force majeure clause to include these events requires careful consideration. A good force majeure clause can help parties avoid liability towards their performance under the contract. Nonetheless, drafting this clause may sometimes tip the balance of power between transacting parties. Therefore, companies are now overlooking legal protection and looking beyond the contract.

Enter Cyber Insurance—where you can seek monetary protection to cover the cost of your liability for cyber attacks. It is helpful when a force majeure clause may not help you cover your company’s liability. It has received significant traction in the past few years as companies seek comprehensive risk coverage. However, insurance is again a contractual relationship between an insurer and an insuree. Indeed, there will be a force majeure clause. The world is such a small place, isn’t it?