Major cyberattacks are becoming increasingly common with both major brands and European airports being targeted in recent months. Considering what performance relief is available should be an essential part of every business’s cyber response. Force majeure and frustration are two tools that affected customers could seek to rely on to limit or exclude liability.
Introduction
For customers subject to a cyberattack the damage can be devastating and wide-ranging. Affected customers could also face concurrent claims from its own clientsand/or third parties due to delays, caused by the cyberattack, in fulfilling their contractual obligations. In these situations, the affected customer could seek to argue that its own contractual performance was prevented by an event beyond its control. This is where the concepts of force majeure and frustration come into play.
Force Majeure vs Frustration
Force majeure and frustration operate as two halves of the same coin: if an event is one, it is typically not the other.
Force Majeure
There is no general English law principle of ‘force majeure’: rather, it is a ‘creature of contract’. How it applies therefore depends on the wording of the specific clause in question, which should at a minimum set out:
• the events, or types of events, which amount to force majeure;
• the consequences of a party being prevented from performing its contractual obligations due to a force majeure event and any steps that party must take to benefit from contractual reliefs in the event of a force majeure event; and
• the extent to which the affected party will be relieved from its contractual obligations – a ‘classic’ force majeure provision will suspend the obligation on that party to perform their contractual obligations, without liability for breach of contract.
Frustration
Frustration arises where an unforeseen event occurs after the formation of a contract, fundamentally altering the nature of the parties’ obligations such that performance becomes impossible or radically different. Such an event must not be due to any fault of either party. When frustration occurs, it discharges the parties from their contractual obligations without liability to each other, though generally speaking each party will bear its own losses.
A contract may be ‘frustrated’ if it provides for a method of performance which has become impossible; mere “impracticability” in performing the contract is not generally sufficient. This is an objective test and it does not involve a subjective inquiry into the actual or presumed intentions of the parties.
The parties to the contract may not have made express provision for the event which has occurred, but they may have foreseen it happening. In such a case, the fact that the parties have foreseen the event but not made any provision for it in their contract will usually, but not necessarily, prevent frustration from applying when the event occurs. While an unforeseen event will not necessarily lead to the frustration of a contract, a foreseen event will generally exclude the operation of the doctrine. If the event was both foreseen and not addressed in a force majeure clause, then the performing party is most likely out of luck.
How can affected customers rely on Force Majeure or Frustration?
Whether a cyberattack constitutes a force majeure event depends on the precise wording of the contract in question.
Many contracts will contain force majeure provisions that do not expressly refer to cyberattacks and will instead mention more “traditional” force majeure events such as acts of God, war and terrorism and theft or malicious damage, the latter of which may cover cyberattacks depending on the nature of the attack.
To avoid complex questions of contractual construction, customers should ensure that their contractual arrangements with clients and third parties include detailed force majeure provisions that specifically define, and name cyberattacks as a force majeure event. Such an approach can provide clarity and protection when a cyberattack occurs, by allowing the affected customer to invoke force majeure to avoid liability for breach of contract by suspending or excusing performance of its own contractual obligations while the attack is ongoing. This can be crucial in ensuring that automatic termination rights, in cases of material breach/default etc, do not arise.
If the contract does not contain force majeure provisions, then affected customersmay seek to rely on the doctrine of frustration to argue that the cyberattack has rendered their performance under the contract impossible, which would (if successful) result in the automatic termination of the contract. Whilst termination might, depending on the circumstances and nature of the attack, be necessary, it is unlikely to be commercially desirable for customers who want to preserve theircontractual relationships after the cyberattack is over.
A well-drafted force majeure clause therefore offers a more flexible contractualframework for dealing with cyberattacks, allowing for suspension, delayed performance, or termination on specific terms, rather than the automatic outcome of frustration.
Conclusion
Cyber risk is now a strategic issue, firmly embedded in the agendas of most corporate boards. Customers should ensure that their contractual arrangements with IT service providers address cyber risk through tailored provisions incorporating robust security obligations and clear allocation of liability and costs.
If a cyberattack does occur, causing the customer to default on its contractual obligations, then force majeure and frustration can offer limited, but much needed, relief.
