Cyberattacks: words as a shield

03 May 2017

Big corporations are no longer the main victims of cyberattacks, as it now appears that any firm with more than 100 staff is at high risk. Nor are small businesses immune: the Federation of Small Businesses has reported that two thirds of small firms suffered some form of attack in the two years to June 2016.

Enterprises need to put cyber security at the heart of their business. It is a company-wide risk, and the legal landscape is rapidly changing: the General Data Protection Regulation will become part of UK law next May; and, regardless of Brexit, the UK must implement the Network Information and Services Directive by July 2018. A successful cyberattack not only damages relationships and reputation but may result in a business’ devaluation.

It’s relatively straightforward, though not without cost, to introduce policies, procedures and IT infrastructure to reduce the risk of attack, but businesses do not always look to their contracts as a form of protection.

Whether a supplier or a customer, you need to consider your contracts to ensure cybersecurity is adequately addressed. Things to consider include:

  • Unforeseen events (also known as “force majeure”) clauses

Typically an unforeseen events clause includes an illustrative list such as fire, adverse weather or pandemic. It might also mention interruption or failure of utility service or communications systems but rarely will it specifically include cyberattacks. A supplier might find it helpful to include cyberattack within that illustrative list.

  • Business continuity and disaster recovery plans

Does the contract require the supplier to invoke a business continuity and/or disaster recovery plan following a cyberattack? If so, you, as a customer, should also look for the supplier to regularly test such plans and have approval rights over any changes to them.

  • Service standards

Is the supplier required to deliver services to an agreed service standard? Does the customer require the supplier to be certified to appropriate international standards for data security (ISO 27001/ISO 27002)?

  • Termination rights

Can the customer terminate for failure to maintain agreed service standards or does the termination for material breach clause make clear that such failure amounts to a material breach?

  • Indemnities

Does the contract allow you, the customer, to recover your losses under an indemnity if there is a cyberattack? If a supplier, you may want to think about imposing conditions on the customer’s exercise of such an indemnity – for example, prompt notice and the right to control and settle claims amongst other things.

  • Limitation of liability

If a supplier, have you sought to limit your liability? Is your limitation of liability clause appropriately drafted? For example, does it make clear that liability for loss or corruption of data is expressly excluded? Is such an exclusion reasonable? You will also want to ensure that your cap on other liabilities is reasonable so that it is enforceable. Clearly, a customer will take a different view: it may look to exclude any indemnity relating to a cyberattack from the excluded losses and those losses subject to a cap.

  • Data protection provisions

If the supplier is processing personal data on behalf of the customer, the customer will want to ensure the contract contains appropriate provisions relating to the security of that personal data. Only this week, a business was fined £55,000 for failing to protect its customers’ personal information from cyber-attack.

The customer and supplier should ensure that any data protection provisions are not only compliant with the Data Protection Act but also fit for purpose when the General Data Protection Regulation comes into force, as fines will increase and may be imposed on the supplier and/or the customer.

  • Insurance

Often the insurance provisions will make reference to specific policies of insurance - for example, professional indemnity insurance - but does the contract provide for the supplier to maintain cyber liability insurance? If so, can you, as a customer, benefit from it?


A well drafted contract can certainly minimise risk or exposure should you suffer a cyberattack. For further information or advice regarding the services we offer in relation to your contracts, please get in touch with Anthony Lee or me.
