Force Majeure Clauses And Cyber Incidents.
1. Introduction
With increasing reliance on digital infrastructure, cyber incidents—such as ransomware attacks, system outages, and data breaches—have become a major risk in corporate contracts. A key legal question is whether such incidents can trigger force majeure clauses, excusing non-performance.
Under English law, force majeure is purely contractual, interpreted strictly according to the wording of the agreement.
2. Can Cyber Incidents Qualify as Force Majeure?
(a) Depends on Clause Wording
A cyber incident may qualify if the clause includes:
“Acts beyond reasonable control”
“Failure of IT systems”
“Cyber attack,” “malicious attack,” or “network failure”
⚖️ If not expressly included, courts may be reluctant to treat cyber incidents as force majeure.
(b) Types of Cyber Incidents Potentially Covered
Ransomware attacks
Distributed Denial of Service (DDoS) attacks
System-wide IT failures
Third-party cloud outages
3. Legal Requirements for Invocation
To rely on force majeure in cyber incidents, a party must prove:
(1) Trigger Event Falls Within Clause
Cyberattack must be covered explicitly or by broad wording
(2) Causation
The cyber incident must prevent or significantly hinder performance
Mere inconvenience or slowdown is insufficient
(3) Beyond Reasonable Control
If caused by poor cybersecurity practices, the clause may fail
(4) Mitigation
Company must show:
Adequate cybersecurity measures
Disaster recovery plans
Prompt response actions
(5) Notice Compliance
Most clauses require timely notice to the counterparty
4. Key Legal Issues in Cyber Force Majeure Claims
(a) Foreseeability
Cyber risks are now foreseeable
Courts may expect:
Preventive safeguards
Risk allocation in contracts
(b) Fault and Negligence
If the incident arises from:
Weak security systems
Failure to patch vulnerabilities
→ Force majeure likely unavailable
(c) Third-Party Failures
Cloud provider or IT vendor failure raises:
Supply chain responsibility issues
Whether third-party failures qualify as force majeure
(d) Overlap with Frustration
If no clause exists, parties may argue frustration
However, courts apply frustration narrowly
Relevant statute:
Law Reform (Frustrated Contracts) Act 1943
5. Key Case Laws
(While UK courts have limited direct cyber-specific force majeure cases, general principles apply and are illustrated below.)
1. Seadrill Ghana Operations Ltd v Tullow Ghana Ltd
Force majeure claim failed due to lack of causation.
Shows that clear link between event and non-performance is essential.
2. Channel Island Ferries Ltd v Sealink UK Ltd
Strike did not qualify as force majeure.
Emphasizes strict interpretation of clause wording.
3. Tennants (Lancashire) Ltd v CS Wilson & Co Ltd
Government restrictions did not excuse performance.
Demonstrates that external disruption alone is insufficient.
4. Davis Contractors Ltd v Fareham UDC
Increased difficulty or cost is not enough.
Applies to cyber incidents that merely delay operations.
5. Lebeaupin v Crispin
Defined force majeure as events beyond control.
Supports inclusion of cyber events if properly drafted.
6. Metropolitan Water Board v Dick Kerr & Co Ltd
Government intervention frustrated contract.
Analogous to state-imposed cyber shutdowns.
7. Taylor v Caldwell
Established doctrine of frustration.
Relevant fallback where no force majeure clause applies.
6. Practical Corporate Implications
(a) Cybersecurity as a Legal Obligation
4
Companies must implement:
Firewalls and encryption
Incident response plans
Regular system audits
Failure may defeat force majeure claims.
(b) Contract Drafting Considerations
Include explicit references to:
Cyber attacks
IT system failures
Third-party service outages
Also define:
Threshold (prevent vs hinder)
Notification requirements
Recovery obligations
(c) Insurance and Risk Allocation
Cyber insurance plays a key role
Contracts should align:
Insurance coverage
Liability clauses
7. Challenges in Cyber Force Majeure Claims
Attribution (who caused the attack?)
Proving inevitability
Distinguishing:
Preventable breach vs unavoidable event
Rapidly evolving technology standards
8. Key Takeaways
Cyber incidents can qualify as force majeure, but only if the clause allows it.
Courts apply strict contractual interpretation.
Companies must prove:
Causation
Lack of control
Adequate mitigation
Poor cybersecurity can invalidate claims.
Drafting modern contracts to include cyber risks is essential.
Case law emphasizes impossibility, not inconvenience.
RELATED Blog
comments