Are Cyberattacks A Force Majeure Event?
Author: Rachel McCulloch
Cyberattacks are in the headlines once again. This year Ukraine has suffered a number of cyberattacks which its government says are on a completely different level to anything they have seen before. For example, the websites of several Ukrainian banks and government departments were hit by a distributed denial of service (DDoS) attack (which is designed to overwhelm a server or network until it crashes and goes offline) and at the same time, a new “wiper” attack (which destroys the data on infected machines) was discovered being used against Ukrainian organisations.
Many organisations across the world have also fallen victim to cyberattacks. Cyberattacks have the potential to cause huge disruption for organisations and may prevent them from carrying out their contractual obligations. In such circumstances, the affected party may seek to rely on force majeure provisions (if any) contained in their contract, to avoid any liability for non-performance of their obligations.
What is force majeure?
Force majeure is a clause often found within commercial contracts. If an event beyond the affected party’s reasonable control occurs, the affected party may be able to rely on force majeure to be excused from, or suspend performance of some or all of their obligations under the contract. Usually after a period of time, the other party will be permitted to terminate the contract if performance of the obligations have not resumed.
Force majeure clauses will usually describe a force majeure event as circumstances ‘beyond a party’s reasonable control’ and will usually include a list of events which can trigger force majeure. If the force majeure clause within your contract does not specifically include cyberattacks as a force majeure event, the affected party will have to show that it is outside their reasonable control. This is why force majeure clauses can be the cause of substantial commercial disputes.
A recent example of where the force majeure clause has been relied upon in the event of a cyberattack, is when two oil storage and trading companies, Oiltanking Deutschland GmbH and Mabanaft Group, were hit by cyberattacks on their IT systems earlier this year. The disruption was significant, and the attack shut down Oiltanking’s loading and unloading operations, which are reliant on computerised systems. Both companies declared force majeure for the majority of their inland supply activities in Germany.
Whether you will be able to rely on force majeure in the event of a cyberattack will depend on the precise wording of the clause, so the effect of the clause will need to be considered on a case by case basis, applying the relevant facts. Don’t assume that you can rely on force majeure in the event of a cyberattack (or any other event which may be considered a force majeure event).
Increasingly organisations need to take into account the risk of cyberattacks when negotiating commercial contracts. When negotiating a force majeure clause, you should ensure to include obligations for the affected party to mitigate their losses. For example, if your supplier wants to include a force majeure clause, make sure they have obligations to mitigate the effects of the force majeure event and bring it to an end as soon as possible.
We recommend organisations consider the scope of their force majeure clauses and if in any doubt, we would suggest seeking legal advice.
For further information and assistance, please contact our Commercial and Technology Team.