Cyberattacks: words as a shield

03 May 2017

Big corporations are no longer the main victims of cyberattacks: it now appears that any firm with more than 100 staff is at high risk. Nor are small businesses immune: the Federation of Small Businesses has reported that two-thirds of small firms suffered some form of attack in the two years to June 2016.

Enterprises need to put cyber security at the heart of their business. It is a company-wide risk, and the legal landscape is rapidly changing: the General Data Protection Regulation will become part of UK law next May; and, regardless of Brexit, the UK must implement the Network Information and Services Directive by July 2018. A successful cyberattack not only damages relationships and reputation but may also result in the devaluation of the business.

It’s relatively straightforward, though not without cost, to introduce policies, procedures and IT infrastructure to reduce the risk of attack, but businesses do not always look to their contracts as a form of protection.

Whether a supplier or a customer, you need to consider your contracts to ensure cybersecurity is adequately addressed. Things to consider include:

  • Unforeseen events (also known as “force majeure”) clauses

Typically an unforeseen events clause includes an illustrative list such as fire, adverse weather or pandemic. It might also mention interruption or failure of utility service or communications systems but rarely will it specifically include cyberattacks. A supplier might find it helpful to include cyberattack within that illustrative list.

  • Business continuity and disaster recovery plans

Does the contract require the supplier to invoke a business continuity and/or disaster recovery plan following a cyberattack? If so, you, as a customer, should also look for the supplier to regularly test such plans and have approval rights over any changes to them.

  • Service standards

Is the supplier required to deliver services to an agreed service standard? Does the customer require the supplier to be certified to appropriate international standards for data security (ISO 27001/ISO 27002)?

  • Termination rights

Can the customer terminate for failure to maintain agreed service standards or does the termination for material breach clause make clear that such failure amounts to a material breach?

  • Indemnities

Does the contract allow you, the customer, to recover your losses under an indemnity if there is a cyberattack? If a supplier, you may want to think about imposing conditions on the customer’s exercise of such an indemnity – for example, prompt notice and the right to control and settle claims amongst other things.

  • Limitation of liability

If a supplier, have you sought to limit your liability? Is your limitation of liability clause appropriately drafted? For example, does it make clear that liability for loss or corruption of data is expressly excluded? Is such an exclusion reasonable? You will also want to ensure that your cap on other liabilities is reasonable so that it is enforceable. Clearly, a customer will take a different view: it may look to exclude any indemnity relating to a cyberattack from the excluded losses and those losses subject to a cap.

  • Data protection provisions

If the supplier is processing personal data on behalf of the customer, the customer will want to ensure the contract contains appropriate provisions relating to the security of that personal data. Only this week, a business was fined £55,000 for failing to protect its customers’ personal information from cyberattack.

The customer and supplier should ensure that any data protection provisions are not only compliant with the Data Protection Act but also fit for purpose when the General Data Protection Regulation comes into force, as fines will increase and may be imposed on the supplier and/or the customer.

  • Insurance

Often the insurance provisions will make reference to specific policies of insurance - for example, professional indemnity insurance - but does the contract provide for the supplier to maintain cyber liability insurance? If so, can you, as a customer, benefit from it?


A well drafted contract can certainly minimise risk or exposure should you suffer a cyberattack. For further information or advice regarding the services we offer in relation to your contracts, please get in touch with Anthony Lee or me.
