Andrew Woolsey at Cooke, Young & Keidan explores the remedies open to organisations that suffer a cyber-attack

Cyber-attacks on businesses are increasingly common, and IT providers can find themselves in a difficult legal position when these attacks disrupt contracted services. High‑profile UK incidents illustrate the growing scale and impact: in 2025, Marks & Spencer (M&S) had to suspend online orders and logistics operations following a ransomware attack, disrupting operations and exposing customer data. Retailers like the Co‑operative Group (Co‑op) and Harrods also faced cyber-intrusions that took systems offline and put millions of customer records at risk. Beyond retail, the Jaguar Land Rover cyber-attack temporarily halted production at UK facilities, demonstrating the potential for major operational and economic harm.
These events highlight the escalating threat landscape for both clients and the IT service providers they rely on. When attacks prevent providers from delivering contracted services, they must manage not only technical recovery but also complex legal questions about their contractual obligations and protections, if they are to limit their liability while preserving commercial relationships with disrupted customers going forward.
Companies will often look to the legal principles of force majeure and frustration to protect them from breach-of-contract claims. However, there are important differences between the two that IT providers need to understand, both in the conditions required to invoke them and in the remedies they offer. In UK law the concepts are mutually exclusive in practice: frustration applies only where an unforeseen event occurs that renders performance impossible or radically different from what the parties contemplated (but not just more difficult or expensive for the provider). It cannot apply if the event was foreseeable, and so not if the contract contains an applicable contractual provision dealing with that event. By contrast, force majeure protection exists only if the contract contains a properly drafted force majeure clause. Whether a data breach qualifies will depend entirely on the specific wording agreed in advance, including whether cyber-security incidents or third-party failures are expressly listed or fall within a broader definition of “events beyond a party’s reasonable control”.
In terms of outcome, frustration automatically brings the contract to an end and the parties are released from future obligations, with limited restitutionary adjustments under the Law Reform (Frustrated Contracts) Act 1943. Very often this outcome is not what either party wants. IT contracts frequently go to the heart of a business’s operations, and clients are often just as reluctant as their providers to see the contract brought to an end, as continuity of service is critical. Equally, the provider will be keen to preserve its income stream and avoid the disruption and cost of replacing or re-negotiating long-term arrangements.
Force majeure, on the other hand, usually suspends the affected party’s obligations for the duration of the event, may extend time for performance, and only terminates the contract if the clause expressly provides for that remedy. In practical terms, frustration is harder to establish and offers an all-or-nothing remedy, whereas a well-drafted force majeure clause can give IT providers more predictable, tailored protection in the event of a data breach.
Both are narrower tools than many realise.
Many contracts do not explicitly mention cyber-attacks in force majeure clauses, although they may include the more traditional list of events, such as ‘acts of God’, war and terrorism, theft or malicious damage – and of course some of these may apply depending on the nature of the cyber-attack. But general phrases such as “events beyond a party’s reasonable control” are unlikely to suffice. A good force majeure clause will, as a minimum, prescribe the steps a provider is expected to take before its contractual obligations will be deemed suspended, and also clarify how long the suspension can persist before the other party has the right to terminate the contract altogether.
As explained above, frustration applies only when performance becomes impossible or fundamentally different, and it cannot apply if the event was foreseeable. In truth, cyber-attacks rarely render performance truly impossible; temporary disruption can often be addressed through remediation. And in any event, as discussed, it will often suit providers and customers alike to find a way forward and continue the contractual relationships after the cyber-attack. So, the effect of frustration terminating the contract will rarely be commercially desirable. Providers should therefore expect that frustration is unlikely to excuse non-performance in most cyber-related situations in the first place, and does not provide the best outcome for the parties in any event.
Implications for IT Providers
The legal landscape creates a paradox: cyber-attacks are increasingly inevitable, so by definition they are becoming foreseeable in law, and providers will be held to a standard of reasonableness reflecting current threats and industry best practice.
There are some key takeaways to consider here:
Preparation Is the Provider’s Defence
With the Network and Information Security Directive 2 (“NIS2”) applying to many organisations and the Cyber Security Resilience Bill currently going through Parliament, cyber- and operational resilience is of paramount (and growing) importance to virtually all businesses.
If a cyber-attack does occur, it is important to remember that courts evaluate the steps taken (or not taken) by IT service providers with reference to foreseeability, contractual obligations, and reasonableness. Providers cannot rely solely on the external nature of a cyber-attack. The safest legal position is to be proactive: ensuring contracts clearly address cyber-risks, following contractual procedures, and taking steps consistent with foreseeable risks.
Andrew Woolsey is an Associate at Cooke, Young & Keidan