Most incidents handled by our Norton Rose Fulbright cyber team originate from the customer’s service provider. In many cases it is the service provider’s systems, infrastructure and environment which prove to be the most vulnerable to cyber breaches and security issues.

Technology and outsourcing contracts typically contain various provisions aimed at preventing and mitigating cyber risks presented by service providers, including:

  • Security obligations, which require the service provider to adopt minimum security standards to protect systems and data and to prevent incidents from occurring.
  • Audit and access rights, which enable the customer to verify whether the service provider has in fact implemented the required security measures, either proactively or as part of post-incident investigations.
  • Incident notification and management procedures, which should result in customers being promptly informed of incidents affecting them and enable them to take steps to contain and mitigate such incidents.

These provisions are required by law in various jurisdictions, including under data protection regulations and under outsourcing and technology risk requirements for regulated sectors such as financial services and healthcare. This generally makes it easier for customers to insist on including such provisions in their contracts.

Regulatory requirements

Some regulations also require that technology or outsourcing contracts address liability, but these requirements are not typically prescriptive. For example:

  • The Central Bank of the UAE’s Outsourcing Standards for Banks require that outsourcing contracts “establish a degree of certainty with respect to … liability, indemnity and insurance”.
  • The Saudi Arabian Monetary Authority’s Rules on Outsourcing require banks in KSA to incorporate provisions relating to “liability and indemnity” in their outsourcing contracts. 
  • The European Banking Authority stated in its report accompanying the Guidelines on Outsourcing Arrangements that “the liability of the service provider is part of the contractual arrangements that should be agreed between the service provider and the institution” (i.e. customer).
  • The Monetary Authority of Singapore requires banks and other financial institutions to specify in outsourcing agreements “the indemnities, remedies and recourse of the respective parties” and to “ensure that its contractual rights can be exercised in the event of a breach”.

The Prudential Regulation Authority’s Supervisory Statement SS2/21 on Outsourcing and Third Party Risk Management (applicable to UK banks and insurers) does not specifically refer to contractual liability provisions. 

Allocating liability for losses

The allocation of liability for losses arising from a cyber incident is usually a matter for commercial negotiation as part of the overall liability profile of a deal. Business leaders making decisions on liability need to be properly advised when negotiating the allocation of such liability. Questions for them to consider in this context include:

  • Does the contract place clear obligations on the service provider with respect to security and incident management? If not, it may be difficult for the customer to establish a cause of action (typically a breach of contract) against the service provider for losses arising from a cyber incident (e.g. a ransomware attack).
  • Does the service provider accept any liability for cyber and data related losses, or are these completely excluded? Wide exclusions like “loss or corruption of data” are common in technology contracts but are inappropriate where a service provider is responsible for handling and securing data and systems for the customer. 
  • If the service provider does accept liability, is it clear what types of loss they are liable for? Exclusion of liability for indirect or consequential losses is market practice. However, it may be worth negotiating an “assumed losses” clause, which specifies that a party is liable for certain types of loss irrespective of whether they are direct or indirect/consequential. Examples include the costs of forensic investigation, engagement with regulators, breach notifications, actions taken to mitigate or remediate an incident (proactively or at the direction of a regulator), regulatory fines and penalties and claims from third parties impacted by the incident. 
  • Is the financial cap adequate? Virtually no service provider will accept unlimited liability for losses arising from cyber incidents. In our experience, their standard opening position is that these losses form part of the overall cap on liability, which is typically linked to the equivalent of 12 months’ fees. Unless the fees are exorbitant, this amount is unlikely to come close to the potential losses resulting from a significant cyber incident. If the customer has some commercial leverage, they should be able to negotiate a higher cap for losses resulting from breach of legal and contractual data protection requirements. However, this does not always cover losses linked to non-personal data (which may nevertheless be commercially sensitive), or losses caused by compromised systems (for example, an inability to run payroll or make payments to third parties). When negotiating a separate cap or “super-cap”, it is therefore essential to consider the scope of losses covered in addition to the value of the cap. 
  • Do both parties have adequate insurance? From the customer’s perspective, cyber insurance is an important measure to cover any risk gaps in the contract relating to types or amounts of loss that are potentially not recoverable from a service provider if an incident occurs. Verifying that the service provider is properly insured for losses that are recoverable from it is a key component of pre-contractual due diligence (which is also a regulatory requirement for many customers). For a service provider whose services expose it to significant cyber risk, a lack of adequate insurance coverage could put it out of business if it faces multiple claims from its customer base.

These considerations should be equally central for a service provider seeking to manage its own liability for cyber incidents. 
