Cyberattacks: words as a shield

03 May 2017

Big corporations are no longer the main victims of cyber attacks as it now appears that any firm with more than 100 staff is at high risk. Nor are small businesses immune: the Federation of Small Businesses has reported two thirds of small firms suffered some form of attack in the two years to June 2016.

Enterprises need to put cyber security at the heart of their business. It is a company-wide risk, and the legal landscape is rapidly changing: the General Data Protection Regulation will become part of UK law next May; and, regardless of Brexit, the UK must implement the Network Information and Services Directive by July 2018. A successful cyberattack not only damages relationships and reputation but may result in the devaluation of the business.

It’s relatively straightforward, though not without cost, to introduce policies, procedures and IT infrastructure to reduce the risk of attack, but businesses do not always look to their contracts as a form of protection.

Whether a supplier or a customer, you need to consider your contracts to ensure cybersecurity is adequately addressed. Things to consider include:

  • Unforeseen events (also known as “force majeure”) clauses

Typically an unforeseen events clause includes an illustrative list such as fire, adverse weather or pandemic. It might also mention interruption or failure of utility service or communications systems but rarely will it specifically include cyberattacks. A supplier might find it helpful to include cyberattack within that illustrative list.

  • Business continuity and disaster recovery plans

Does the contract require the supplier to invoke a business continuity and/or disaster recovery plan following a cyberattack? If so, you, as a customer, should also look for the supplier to regularly test such plans and have approval rights over any changes to them.

  • Service standards

Is the supplier required to deliver services to an agreed service standard? Does the customer require the supplier to be certified to appropriate international standards for data security (ISO 27001/ISO 27002)?

  • Termination rights

Can the customer terminate for failure to maintain agreed service standards or does the termination for material breach clause make clear that such failure amounts to a material breach?

  • Indemnities

Does the contract allow you, the customer, to recover your losses under an indemnity if there is a cyberattack? If a supplier, you may want to think about imposing conditions on the customer’s exercise of such an indemnity – for example, prompt notice and the right to control and settle claims amongst other things.

  • Limitation of liability

If a supplier, have you sought to limit your liability? Is your limitation of liability clause appropriately drafted? For example, does it make clear that liability for loss or corruption of data is expressly excluded? Is such an exclusion reasonable? You will also want to ensure that your cap on other liabilities is reasonable so that it is enforceable. Clearly, a customer will take a different view: it may look to exclude any indemnity relating to a cyberattack from the excluded losses and those losses subject to a cap.

  • Data protection provisions

If the supplier is processing personal data on behalf of the customer, the customer will want to ensure the contract contains appropriate provisions relating to the security of that personal data. Only this week, a business was fined £55,000 for failing to protect its customers’ personal information from cyber-attack.

The customer and supplier should ensure that any data protection provisions are not only compliant with the Data Protection Act but also fit for purpose when the General Data Protection Regulation comes into force, as fines will increase and may be imposed on the supplier, the customer or both.

  • Insurance

Often the insurance provisions will make reference to specific policies of insurance - for example, professional indemnity insurance - but does the contract provide for the supplier to maintain cyber liability insurance? If so, can you, as a customer, benefit from it?


A well drafted contract can certainly minimise risk or exposure should you suffer a cyberattack. For further information or advice regarding the services we offer in relation to your contracts, please get in touch with Anthony Lee or me.
