Cyberattacks, force majeure and contractual protection

Major cyberattacks have become common occurrences. The Co-op, Harrods and M&S are just three businesses that have been the subject of highly publicised attacks in recent months.

For customers subject to a cyberattack the damage can be devastating and can range from financial loss, loss of intellectual property, business disruption and reputational loss. Affected customers could also face concurrent claims from its own clients and/or third parties (suppliers etc) due to delays, caused by the cyberattack, in fulfilling their contractual obligations. In these situations, the affected customer could seek to argue that its own contractual performance was prevented by an event beyond its control. This is where the concepts of force majeure and frustration come into play. 

This article will explore how customers affected by a cyberattack might seek to rely on force majeure and frustration in the context of cyber risk, to limit or exclude liability, and will conclude by offering some guidance to manage cyber risk exposure within contracts.

Force Majeure vs Frustration – what’s the difference?

Force majeure and frustration operate as two halves of the same coin: if an event is one, it is typically not the other. Parties sometimes seek to rely on a force majeure clause as evidence that the parties have made express provision for the event in question which has occurred, and to argue that frustration is thereby excluded. However, the mere fact that a clause is included in the contract with the title “force majeure” does not always mean that frustration is thereby excluded.

There is no general English law principle of ‘force majeure’: rather, it is entirely a ‘creature of contract’. How it applies therefore depends on the wording of the specific clause in question, which should at a minimum set out:

• the events, or types of events, which amount to force majeure (this can be an exhaustive, or non-exhaustive list);
• the consequences of a party being prevented from performing its contractual obligations due to a force majeure event and any steps that party must take to benefit from contractual reliefs in the event of a force majeure event (such as giving a notice to the other party setting out the detail of the force majeure event, how it prevents their performance, and how long the event is expected to continue); and
• the extent to which the affected party will be relieved from its contractual obligations - a ‘classic’ force majeure provision will suspend the obligation on that party to perform their contractual obligations, without liability for breach of contract, and will allow the other party to terminate the contract if the force majeure event persists for a prolonged period of time.

Meanwhile, frustration arises where an unforeseen event occurs after the formation of a contract, fundamentally altering the nature of the parties’ obligations such that performance becomes impossible or radically different. Such an event must not be due to any fault of either party. When frustration occurs, it discharges the parties from their contractual obligations without liability to each other in respect of the non-performance, though generally speaking each party will bear its own losses.

In general, a contract may be ‘frustrated’ if it provides for a method of performance which has become impossible; mere “impracticability” in performing the contract is not generally sufficient. This is an objective test and it does not involve a subjective inquiry into the actual or presumed intentions of the parties. An example of where a contract would not be deemed frustrated is where a supervening event makes performance more expensive for one party (for example, where the imposition of trade tariffs add costs which a party had not factored in at the time the contract was formed). 

The parties to the contract may not have made express provision for the event which has occurred, but they may have foreseen it happening. In such a case, the fact that the parties have foreseen the event but not made any provision for it in their contract will usually, but not necessarily, prevent frustration from applying when the event occurs. While an unforeseen event will not necessarily lead to the frustration of a contract, a foreseen event will generally exclude the operation of the doctrine. If the event was both foreseen and not addressed in a force majeure clause, then the performing party is most likely out of luck. 

The Law Reform (Frustrated Contracts) Act 1943 now governs the legal consequences once a contract is frustrated and lays down three important rules (in its section 1(2)):

• all sums payable under the contract before the time of discharge cease to be payable on frustration;
• sums actually paid are presumed to be recoverable: all sums actually paid in accordance with the contract (by any party) before the time of discharge are recoverable by the party which paid. As this subsection of the Act does not refer to “total failure of consideration”, this statutory right arises even where the failure is only partial; and
• the party to which money was paid may retain or recover a sum on account of expenses: if that party (to whom funds were paid) had before the time of discharge incurred expenses for the purpose of the performance of the contract, the Court may allow that party to retain or recover in whole or in part the sums paid to it. The burden of proving those incurred expenses falls on the party which was paid.

How can affected customers rely on Force Majeure or Frustration?

Whether a cyberattack constitutes a force majeure event depends on the precise wording of the contract in question.

Many contracts will contain force majeure provisions that do not expressly refer to cyberattacks and will instead mention more “traditional” force majeure events such as acts of God, war and terrorism and theft or malicious damage, the latter of which may cover cyberattacks depending on the nature of the attack. Some clauses may also contain catch-all wording that covers circumstances “beyond a party’s reasonable control”. 

To avoid complex questions of contractual construction and scrutiny of the underlying facts underpinning the party’s contractual relationship from arising, customers should ensure that their contractual arrangements with clients and third parties include detailed force majeure provisions that specifically define, and name cyberattacks as a force majeure event. Such an approach can provide clarity and protection when a cyberattack occurs, by allowing the affected customer to invoke force majeure to avoid liability for breach of contract by suspending or excusing performance of its own contractual obligations while the attack is ongoing. This can be crucial in ensuring that automatic termination rights, in cases of material breach/default etc, do not arise thereby preserving the contractual relationships between the affected customer and its clients/third-party suppliers. 

What about frustration? Initially, it bears noting the point made above, namely that force majeure and the doctrine of frustration operate as two halves of the same coin. The doctrine of frustration may therefore have limited application where a force majeure regime has been negotiated and agreed, which in most situations will be preferable due to the greater certainty over the outcome and consequences for the contracting parties.

If the contract does not contain force majeure provisions, then affected customers may seek to rely on the doctrine of frustration to argue that the cyberattack has rendered their performance under the contract impossible, which would (if successful) result in the automatic termination of the contract. Whilst termination might, depending on the circumstances and nature of the attack, be necessary in order to limit the customer’s liability (as noted above, frustration discharges the parties from their contractual obligations without liability to each other in respect of the non-performance), it is unlikely to be commercially desirable for customers who want to preserve their contractual relationships after the cyberattack is over.

While frustration could, as a last resort, provide a much needed “way out” for affected customers it is unlikely to be a commercially viable solution – especially if a breach could be resolved by offering to re-negotiate/re-scope the contract, or make a goodwill payment, rather than terminate the contract entirely (although these options could also have downsides for the customer). A well-drafted force majeure clause offers a more flexible contractual framework for dealing with cyberattacks, allowing for suspension, delayed performance, or termination on specific terms, rather than the automatic outcome of frustration.