With the recent onslaught of ransomware attacks, it’s time to revisit force majeure clauses (again). Earlier in the pandemic, we reviewed how COVID-19 could impact force majeure provisions. Since then, there has been a flurry of analyzing, renegotiating, and testing contractual language, as parties work through, or anticipate, pandemic-related difficulties. While contracting parties focus on striking a balance of when, and to what extent, a party’s performance will be excused due to pandemic-related circumstances, a different threat could follow a similar trajectory.
A ransomware attack, like a pandemic, is not a brand new phenomenon. But the public and dramatic uptick in these types of cyberattacks could ignite a force majeure firestorm. In fact, as cyber criminals target critical infrastructure, companies need to worry not only about the security of an individual entity, but also about widespread disruption to the broader supply chain and economy as a whole.
When considering whether a party’s nonperformance, resulting from a cyberattack, should be excused, issues include:
- Is a cyberattack beyond the party’s reasonable control or could the party have avoided or mitigated the circumstances by exercising reasonable precautions? Did the cyberattack result from the party’s negligence or any breach of its obligations?
- Does the force majeure provision include failure of the party’s suppliers, subcontractors, data providers, or other third parties? What if the cyberattack started upstream? To what extent should a party be responsible for the acts or omissions of the third party?
- Should ransomware and other cyberrisks be specifically included in the list of force majeure events, or will the nonperforming party try to rely on the “beyond its reasonable control” catchall language? As we noted in a prior post, in some US jurisdictions, the specific inclusion of the event is important for applicability of a force majeure provision.
- Even if a cyberattack falls within the scope of a force majeure event, are there any particular obligations that should not be excused? For example, notwithstanding force majeure, a party could be required to properly (1) implement its disaster recovery and business continuity plans, and (2) protect confidential information (including personal data).
- If the excused party is required to resume performance as soon as possible, does this mean that the excused party must pay the ransom in order to minimize downtime and mitigate the impact?
- Note that force majeure concepts can creep into other parts of a contract beyond the “Force Majeure” section. A vendor might exclude certain circumstances from service level or warranty obligations. Such exceptions might not match the general force majeure provision, and qualifying language (like “not resulting from its fault or negligence”), which may have been carefully negotiated for force majeure, could be missing from those service level or warranty provisions.
As we’ve previously noted with respect to force majeure (and other contractual) provisions, there is no one-size-fits-all solution. For example, consider whether cybersecurity is an important aspect of the business relationship. Is the vendor providing hosting or other cybersecurity-related services? And, if it’s reasonably likely that a ransomware attack or other cyberincident would be a covered force majeure event, the parties can include some concepts that may lessen the adverse impact of excused performance. A customer might be entitled to a partial refund, or might have termination rights, if a vendor is unable to perform. The vendor’s payment obligation might include reimbursement for costs the customer incurs to procure and implement a replacement service.
In addition, the applicability of a force majeure clause depends on the precise language of the clause, the particular facts of the event and services, and, in the United States, state contract law, which varies between states. Outside the United States, the applicable law and interpretation of force majeure provisions can also vary widely. Don’t hesitate to reach out to your Morgan Lewis contact for assistance with a particular jurisdiction.
We will continue to monitor the cybersecurity landscape, and the corresponding trends in contract drafting, negotiation, and interpretation. As digital systems and assets increasingly fall prey to organized crime, soon force majeure provisions may, too, be under attack.