Cyber risk and project contracts

In the context of increasing digitization, highly publicized cyber incidents¹ and a growing awareness that many projects can offer a range of potential access points through which to launch such an attack, cyber risk in projects has been rising up on the boardroom agenda. The challenge for project owners, and other stakeholders, is to understand and keep pace with the threat. In this note, we explore some of the principal risk allocation issues that can arise in project contracts in the context of cyber risk, how those contracts might be used to help mitigate the risk, and some further strategies to manage cyber risk exposure.

Cyber risks are the risks that emanate from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks. This includes physical damage, fraud committed by the misuse of data, liability arising from data storage, and the availability, integrity and confidentiality of electronic information whether related to individuals, companies or governments. With the world being increasingly digitized, the risks of a cyber intrusion or event increases dramatically. Today, these risks may originate from companies seeking to cause disruption to a rival’s operations in the hope of gaining a competitive advantage, from cyber criminals intending to benefit from the disruption they manage to cause, or from a government as part of cyber warfare campaigns to damage or disable critical infrastructure.

The potential loss that could occur in the event of a cyber intrusion or event might encompass significant economic losses and reputational harm, which is why it is important for parties to a project contract to be aware of the risks arising from cyber-attacks and how best to manage those risks. Project risks are often allocated to the party perceived to be best-placed to manage them, or the party that agrees to bear them upon certain conditions, commonly a price premium. When it comes to cyber risk however, identifying a single party to whom the risk can be channelled presents a challenge. Responsibilities may sit with a number of project participants involved in the design, engineering, construction, operation and maintenance of the project.

Liability will be apportioned under a number of contracts and may involve analysis of different provisions within those agreements, including those related to the supply and operation of control systems, force majeure, insurance, compliance with applicable data law, and data transfer, storage and segregation.

Force majeure clauses typically permit the parties to suspend performance of their obligations under the contract while the force majeure event subsists, but only where events occur that are beyond the affected party’s reasonable control. Termination rights may be triggered if the impact of the force majeure event continues over a prolonged period. Nonetheless, force majeure is not a panacea. Force majeure is not defined under English law and, where it is provided for under a contract, it will generally be interpreted in the context of what the parties can reasonably control, having regard to their business activities and operational profile. It is possible that a cyber incident may not trigger a force majeure clause unless the cyber incident is a specified force majeure event, especially if the incident is considered to have been reasonably preventable.

Cyber incidents can be of differing scale and may not have as devastating an impact as more traditional supervening events such as natural disasters. Arguably, they may not be worthy of express reference in a force majeure clause. However, if there is a desire for greater certainty in the contracts, consideration should be given to dealing with this risk expressly, by referring to specific mitigating measures in order to set out the parties’ intentions, after careful consideration of what sensitivities there may be around revealing to the counterparty what level of preventive measures actually exist. Force majeure clauses are typically mutual and, consequently, it is important to consider who the counterparty to the particular contract is. Under operation and maintenance agreements for instance, the owner may not wish to allow immediate suspension of performance; on the other hand, under offtake contracts, the owner may want easier access to force majeure relief as against the offtaker. A balance will need to be struck.

On major projects, the owner and its counterparties will be required to take out insurance policies against a number of different risks and third party exposures, but amongst other things, commonly the owner will be required to take out construction and operation all risks cover, primary third party liability insurance, delay in start-up and business interruption insurance as well as its own employer’s liability and other statutory insurances. Contractors will often be named as joint insured on the owner’s policy or take out their own all risk cover. The supply chain will also typically maintain general third party liability and product liability insurance, employer’s liability and professional indemnity insurance for their own businesses.

Whether or not taken out by the owner, insurance policies will almost inevitably contain exclusions and often have some gaps or shortcomings in coverage. Some of the exclusions are particularly relevant when considered in the context of a cyber incident.

Realistically, can owners expect to shift the risk of cyber responsibility to their counterparties under project contracts? Although a certain amount of risk transfer is clearly achievable, the supply chain is unlikely to be able to bear a wholesale transfer of cyber risk. This is because the potential loss that could occur in the event of a cyber incident might encompass significant economic losses and reputational harm, as well as physical damage. Ideally, owners should try to achieve indemnification by their counterparties of loss of profit/revenue and indirect loss (as well as the costs of notifying cyber incidents) where their counterparties are at fault. However, the owner’s counterparties and their sub supply chain will be keenly aware of the importance of negotiating liability exclusions (not least because what is agreed by the main contractors with the owner impacts on what is agreed further down the supply chain) and will generally seek a liability position that is commensurate with their role. Commonly, they will seek to exclude liability for loss of profit, indirect loss and loss of data.

By engaging the services of a single cybersecurity provider, owners may be able to benefit from the advantage of having a single point of responsibility to look to if things go wrong. The provider could also commission business-wide impact assessments and produce an action plan, and the owner might benefit from the same relationship across its projects. However, the advantages will very much depend on the financial health of the cybersecurity provider, the scope of their engagement and any limitations in their appointment. It is therefore important to have a full suite of advisors in place and briefed for incident response, not just on the technology and security side, but also the legal and PR side.

Cyber risk is now firmly on the agenda for those that own, operate, develop and finance projects. The types of losses that can result from a cyber incident on a large-scale project, ranging from physical damage through to economic loss and reputational harm, can seem bewildering. However, although this is a rapidly developing area, and the level of threat is often perceived to be unknown, with a combination of careful due diligence, risk assessment, contractual risk allocation and ongoing active management and maintenance, there is no reason why cyber-resilience cannot be successfully fostered and the potential consequences mitigated against.