Claims against IT service providers following a cyber attack

August 14, 2023

In this article we consider the circumstances in which a company which suffers a cyber attack may seek to recover its losses from an IT services provider, and the factors which the company and its advisors should consider.

A typical scenario is where a company outsources the management of its IT systems to a managed service provider (MSP) and a cyber attack is perpetrated on the managed environment, resulting in unauthorised access to IT systems and data. Similar considerations may arise where a vulnerability in software is exploited by a threat actor or where security software fails to identify suspicious activity and raise alarms.

The financial implications of a cyber attack will depend on a range of factors such as the type of business conducted by the company, the nature of the attack and the intent of the threat actor. In extreme cases the costs and losses can be considerable. These could include direct costs such as fees of IT consultants, legal and PR advisors; regulatory fines; and the costs of replacing IT systems, recovering data and compensating impacted data subjects. There may also be significant indirect losses, such as lost revenues whilst IT systems are inoperative, preventing the company from providing services or fulfilling contractual commitments to its customers. Those customers may decide to take their business elsewhere, impacting future revenues.

Claims against IT service providers

In many cases, the company will have to accept these costs and move on, but increasingly victims of cyber attacks (and their insurers) are looking for ways to recover some of their losses, including by claims against MSPs. Key factors in determining the viability of a claim will be: (1) how the incident happened; (2) the contractual relationship between the company and the MSP, and the broader legal issues; and (3) the importance of the relationship between the parties.

(A) The facts

The circumstances surrounding the cyber attack will obviously be important in determining whether fault may lie with an MSP.

The cause of the incident should be investigated thoroughly with the assistance of an independent forensic IT consultant to establish how the threat actor gained access to the IT systems. There is often some complexity to the factual background, with a number of factors contributing to the cyber attack and operating in combination. If any one of those factors had not been present, the incident may have been prevented. For example, the threat actor may have gained access to the IT systems through an employee account which uses a weak and easily-guessed password (the employee having failed to follow good IT security practice); the attack would have been prevented if multi-factor authentication (MFA) had been implemented; and it would have been detected and dealt with promptly if anti-virus software had been up to date.

The investigation will need to consider all these factors and a view reached on where fault may lie. The MSP’s cooperation may be required in this investigation, and care should be taken in communications relating to the incident. In particular, the company’s representatives should avoid admitting any failings on the part of their employees which could be viewed as acceptance of liability.

If it appears that a claim against the MSP is a real possibility, that should be recognised at an early stage, and it may be possible to conduct the investigation in a manner which would enable the company to assert privilege over relevant communications and other documents if a dispute does develop.

(B) The legal position

Fault and liability are not the same thing. Even if the facts point towards culpability on the part of the MSP, the usual principles for a claim for breach of contract or negligence will apply*. It will be necessary to establish a breach of a contractual obligation or tortious duty of care and loss arising from the breach.

Breach of contract

The starting point will be to consider the contract to identify the obligations of the MSP which concern IT security or are otherwise relevant.

IT and outsourcing agreements often contain provisions concerning IT security, data security and confidentiality. Sometimes these provisions are extensive, but they tend to be non-prescriptive. There may be a requirement for an MSP to ensure it deploys “adequate” or “appropriate” levels of security but no stipulation of particular security standards, measures or anti-virus products. This can lead to contention about the scope of the MSP’s contractual obligations. If the contract sets out the responsibilities of the parties in detail, that may be of assistance, although again, that assistance may be limited depending on the level of detail concerning responsibility for security.

The next step will be to consider whether there has been a breach of a relevant contractual obligation. If the contract contains express obligations concerning security, that may be straightforward. For example, if the contract requires the MSP to deploy a certain security product or states that the MSP is responsible for implementing MFA and those obligations have not been met, it may be possible to quickly establish breach.

If the MSP’s obligations concerning IT security are not clearly defined, it may still be possible for the customer to argue that the MSP failed to perform its broader obligations under the contract. Most outsourcing agreements will require the MSP to provide services with reasonable care and skill and follow good industry practice. Good industry practice is often a defined term, but frequently the definition itself can give rise to contention. It may be defined by reference to the standard to be expected of a reasonably competent service provider engaged in the provision of similar services, or by reference to a service provider in the first quartile of providers of such services. In both cases the parties can genuinely hold different views on whether the MSP has exercised good industry practice as measured against the defined standard and is or is not in breach of its obligations. Expert evidence would most likely be required if that issue is to be determined at trial.

Causation, loss and limitation of liability

If a company is able to establish that the MSP has breached its contractual obligations, then in order to secure an entitlement to damages it will need to show that the losses claimed were a direct consequence of the breach and would not have been incurred but for the breach. This can be problematic if a number of factors contributed to the incident. For example, a company may be able to establish that the MSP did not deploy best practice anti-virus software, but if the cyber attack resulted from an employee’s password being compromised, the MSP may be held not liable, or at best it may only be liable for a proportion of the company’s losses.

Also, not all losses caused by a breach will be recoverable. Most contracts exclude certain types of loss. These exclusions typically include lost revenues and profits, limiting the recovery to direct costs such as fees of advisors and costs of replacing IT systems. There will also be limitations on the total sum which can be recovered, often linked to the annual contract value or a similar metric. Where the costs and losses caused by the cyber attack are high, this limitation of liability can leave the claimant unable to recover a significant proportion of its losses, unless the limitation of liability can be challenged.

If the contract provides for liquidated damages or service credits to be paid if service levels are not met, this may provide some compensation for lost revenues whilst IT systems are shut down, but in most cases these damages will fall well short of the loss in fact suffered.

(C) Relationship between the parties

A third factor to be taken into account is the relationship between the parties and whether the company is dependent on the MSP for the provision of specialist services. In a long-term outsourcing arrangement the parties may be contractually bound to deal with each other for several years and they will want to avoid a strained relationship for the remainder of the term. If the company is satisfied that the MSP is capable of operating a secure environment in future, it may be beneficial for the parties to put the incident behind them and reach a compromise, perhaps in the form of reduced fees or service credits.

Conversely, the incident may lead to loss of confidence in the MSP, and the company may wish to terminate the relationship and bring services in house or appoint a different service provider. If so, the termination provisions in the contract should be reviewed carefully to determine whether the threshold for termination for material breach is met, and the consequences of termination should be considered. In the case of a serious breach there may also be a right to terminate for repudiatory breach at common law.

Termination of the contract should be approached with care and proper process followed. Whilst there is a close relationship between a breach of a contractual obligation and a right to terminate, it does not always follow that a breach which gives a right to an entitlement to damages will also give a right to terminate. If the company serves notice of termination when it does not have a right to do so, it may face a claim for damages for wrongful termination, or it may face resistance to the termination if the MSP elects to affirm the contract and continues to charge sums payable under the contract.

Insured losses

If the company has cyber insurance, it may recover under the policy, subject of course to the terms of the policy. If there are uninsured losses, it may seek to recover those from the MSP, subject to the limitations and exclusions outlined above.

The insurer may seek to recover from the MSP the losses which are met under the policy, by way of a subrogated claim. That claim will, in effect, be a claim by the insured company on behalf of the insurer, and will also be subject to the limitations and exclusions under the contract between the company and the MSP. There may therefore be a shortfall between the sums which the insurer pays to the company under the policy and the sums it can recover from the MSP. For example, the insurance policy may provide cover for business disruption, but those payments may be excluded from a subsequent claim against the MSP.

Conclusion

As with all contractual disputes, each case is dependent on its facts, the terms of the contract and the relationship between the parties. Additional factors will be the costs and time commitment of pursuing damages by way of legal proceedings, and both parties should keep in mind the benefits of reaching a commercial compromise, especially if that enables them to preserve the relationship.

Even in cases where all losses are recovered from an MSP, a cyber attack will still have significant consequences, including potentially adverse publicity. All businesses should focus on following good IT security practice and should expect the same from their service providers, to minimise the risk of a cyber attack.

* We focus in this article on claims for breach of contract, but there may also be a claim in negligence if the MSP was in breach of a tortious duty of care. Many of the same principles will apply.

Lee Gluyas, Partner, CMS Cameron McKenna Nabarro Olswang LLP

Jessica Maddox, Associate, CMS Cameron McKenna Nabarro Olswang LLP