Publication 26 Jun 2023 · International

Claims against suppliers following a cyber attack

As well as business disruption and reputational damage, a cyber attack can result in significant costs and losses for businesses. For example, if the incident involves encryption of data, a forensic IT expert will be required to contain the incident, restore systems and recover data. Legal support may also be needed to make a report to data protection authorities and other regulators, especially if an investigation has been launched. If data subjects are affected, they may seek redress in the form of credit monitoring or financial compensation. There may also be significant indirect losses, such as lost revenues while IT systems are inoperative or customers taking their business elsewhere.

In some cases, the business (and its insurer) will have to accept these costs and losses and move on. But what if the business followed its own IT security measures with care and diligence, while its supplier did not follow good practice? In this article, we consider the circumstances in which a business or its insurer may seek to recover some of its costs and losses from another entity.

Claims against IT service providers

A business that outsources its IT services to a managed service provider (MSP) may suffer the consequences of a cyber attack perpetrated on the managed environment. In these circumstances, the threat actor may access and encrypt the business’s servers in the managed environment and demand payment of a ransom for provision of the decryption key. The threat actor may also copy personal data of the business’s customers and threaten to make that data available to other criminals if the ransom is not paid. The business will have expected the MSP to implement a suitable IT security system and to follow good practice so that its applications and data were kept secure, and it may therefore seek to recover its losses from the MSP. What steps should be taken to establish whether the business can hold the MSP responsible and what factors will determine whether a claim is possible?

The circumstances surrounding the cyber attack will inevitably be a key factor. The cause of the incident should be investigated thoroughly with the assistance of an independent forensic IT expert to establish how the threat actor gained access to the IT systems. It will be necessary to establish whether the incident resulted from actions taken by the MSP (e.g. malware contained in a phishing email opened by an employee of the MSP), or actions the MSP failed to take (e.g. inadequate IT security or failure to encrypt data). The MSP’s cooperation may be required for this investigation, and care will be needed in communications with the MSP, especially in relation to the sharing of information.

Alongside the investigation, the contract between the business and the MSP should be considered to determine whether there may be liability on the part of the MSP and whether there may be restrictions or limitations on any liability. The starting point will be to consider whether the MSP is in breach of its contractual obligations, and then to establish that the cyber attack would not have happened but for that breach. Establishing a breach may be straightforward if the contract provides for the MSP to implement a particular IT security product and it has failed to do so. However, most contracts do not specify particular products but will contain more general obligations such as the MSP implementing appropriate security or complying with good industry practice.

If the MSP is in breach of its obligations, the business will need to consider whether it can credibly assert that the cyber attack would not have happened but for that breach. This will be largely fact driven and will depend on the nature and cause of the incident.

If liability can be established, the next step will be to determine the extent to which losses can be recovered. The contract may specify a liability cap, limiting the total sum that the business can claim from the MSP. If the losses resulting from the cyber attack exceed that cap, the remaining balance is not likely to be recoverable.

In addition, there may be exclusions of liability for certain categories of loss, such as loss of profit. In those circumstances, the business may recover its direct losses such as the costs of restoring systems, but it may not recover losses resulting from business interruption. In some jurisdictions, it may be difficult to recover internal costs for the involvement of employees to detect, deal with and resolve the incident since it is argued that the salaries for the employees involved would have to be paid in any event. However, there are exceptions to that rule and a clear legal strategy is needed if the business wants to retain the possibility of recovering such costs, which can often be a significant proportion of the damage suffered.

A claim against an MSP following a cyber attack is rarely straightforward. The question of whether the MSP complied with its contractual obligations may have both objective and subjective elements, which may include allegations that the MSP did not comply with good industry practice. In such circumstances, the business and the MSP (and their respective advisors) may reach different views on whether the MSP was compliant. There may also be other relevant factors, such as identifying which party was responsible for encrypting the data or for implementing multi-factor authentication. The conduct of the business, as well as that of the MSP, may be relevant.

Commercial factors may also be important, such as the strength of the relationship between the parties and whether the business is dependent on the MSP for the provision of specialist services. In a long-term outsourcing arrangement the parties may be contractually bound to deal with each other for several years and they will want to avoid a strained relationship for the remainder of the term. If the business is satisfied that the MSP is capable of operating a secure environment in the future, it may be beneficial for the parties to put the incident behind them and reach a compromise, perhaps in the form of reduced fees or service credits.

Insured losses

If the business affected by the cyber attack has cyber insurance, it may seek recovery of its costs and losses under the policy rather than from its supplier. In those circumstances it may still seek to recover its uninsured losses from the MSP, subject to the limitations and exclusions outlined above.

In addition, the insurer may seek to recover from the MSP the costs it has met under the policy, by way of a subrogated claim. That claim will, in effect, be a claim by the insured business on behalf of the insurer, and will also be subject to the limitations and exclusions under the contract with the MSP. There may therefore be a shortfall between the sums which the insurer pays to the business under the policy and the sums it can recover from the MSP. For example, the insurance policy may include payments for loss of business while IT systems are inoperative, but those payments may be excluded from a subsequent claim against the MSP.

Other forms of claim following a cyber attack

Claims against IT suppliers are only one type of claim that may be brought following a cyber attack, although they are one of the most prevalent. We are also seeing an increasing number of claims following invoice fraud. This occurs when a threat actor gains unauthorised access to an IT system of a business and changes the banking details for payment of an invoice by one of the business's customers. Disputes can arise if, as a result of these fraudulent changes, no payment is received by the business or the customer has paid twice.

Whenever an organisation incurs losses due to criminal cyber activity, it is worth considering whether the losses may be recoverable from any entity which aided the criminal activity by not implementing appropriate security or good practice.

Protection against the impact of a cyber attack

While there may be opportunities to recover costs and losses arising from a cyber attack, minimising the risk of being affected by a cyber attack should be the priority. Even if some costs may be recoverable, there will always be negative consequences of a cyber attack, such as damage to reputation.

The risk of a cyber attack can never be reduced to zero, but businesses can take steps to minimise the risk. For example, businesses that outsource services or data management to a supplier should request details of the supplier's approach to IT security and request regular updates.

In a recent survey of over 500 corporate counsel and risk managers from businesses around the world, 64% said they had procedures for assessing the data security standards of suppliers [1]. While it is encouraging to see that a large proportion of businesses have adopted these procedures, the remaining 36% should consider putting such processes in place as soon as possible.

In addition, organisations should have well-rehearsed processes in place for reacting to a cyber attack. A quick and considered response may result in the attack being contained and damage minimised. In our survey, 54% of respondents said they have an incident response plan to manage a cyber attack. We strongly recommend the remaining 46% put such a plan in place as soon as possible.


[1] Technology Transformation: Managing Risks in a Changing Landscape (cms.law), https://cms.law/en/gbr/publication/technology-transformation-managing-risks-in-a-changing-landscape

Published in: International Disputes Digest - 2023 Summer Edition