Big corporations are no longer the main victims of cyberattacks: it now appears that any firm with more than 100 staff is at high risk. Nor are small businesses immune: the Federation of Small Businesses has reported that two thirds of small firms suffered some form of attack in the two years to June 2016.
Enterprises need to put cyber security at the heart of their business. It is a company-wide risk, and the legal landscape is rapidly changing: the General Data Protection Regulation will become part of UK law next May, and, regardless of Brexit, the UK must implement the Network Information and Services Directive by July 2018. A successful cyberattack not only damages relationships and reputation but may result in a business’s devaluation.
It’s relatively straightforward, though not without cost, to introduce policies, procedures and IT infrastructure to reduce the risk of attack, but businesses do not always look to their contracts as a form of protection.
Whether a supplier or a customer, you need to consider your contracts to ensure cybersecurity is adequately addressed. Things to consider include:
- Unforeseen events (also known as “force majeure”) clauses
Typically an unforeseen events clause includes an illustrative list such as fire, adverse weather or pandemic. It might also mention interruption or failure of utility service or communications systems but rarely will it specifically include cyberattacks. A supplier might find it helpful to include cyberattack within that illustrative list.
- Business continuity and disaster recovery plans
Does the contract require the supplier to invoke a business continuity and/or disaster recovery plan following a cyberattack? If so, you, as a customer, should also look for the supplier to regularly test such plans and have approval rights over any changes to them.
- Service standards and certification
Is the supplier required to deliver services to an agreed service standard? Does the customer require the supplier to be certified to appropriate international standards for data security (ISO 27001/ISO 27002)?
- Termination rights
Can the customer terminate for failure to maintain agreed service standards, or does the termination for material breach clause make clear that such failure amounts to a material breach?
- Indemnities
Does the contract allow you, the customer, to recover your losses under an indemnity if there is a cyberattack? If a supplier, you may want to think about imposing conditions on the customer’s exercise of such an indemnity, for example prompt notice and the right to control and settle claims, amongst other things.
- Limitation of liability
If a supplier, have you sought to limit your liability? Is your limitation of liability clause appropriately drafted? For example, does it make clear that liability for loss or corruption of data is expressly excluded? Is such an exclusion reasonable? You will also want to ensure that your cap on other liabilities is reasonable so that it is enforceable. Clearly, a customer will take a different view: it may look to exclude any indemnity relating to a cyberattack from the excluded losses and from those losses subject to a cap.
- Data protection provisions
If the supplier is processing personal data on behalf of the customer, the customer will want to ensure the contract contains appropriate provisions relating to the security of that personal data. Only this week, a business was fined £55,000 for failing to protect its customers’ personal information from cyberattack.
The customer and supplier should ensure that any data protection provisions are not only compliant with the Data Protection Act but also fit for purpose when the General Data Protection Regulation comes into force, as fines will increase and may be imposed on the supplier, the customer or both.
- Insurance provisions
Often the insurance provisions will make reference to specific policies of insurance, for example professional indemnity insurance, but does the contract provide for the supplier to maintain cyber liability insurance? If so, can you, as a customer, benefit from it?
A well-drafted contract can certainly minimise risk or exposure should you suffer a cyberattack. For further information or advice regarding the services we offer in relation to your contracts, please get in touch with Anthony Lee or me.