From natural disasters to digital crises: Force majeure in the cyber age

Exeter MA grad Arianna Alonso Petracchi investigates if a centuries-old doctrine can protect businesses from modern cyber crises

When hackers bring a business to its knees, can a centuries-old French legal concept come to the rescue? The concept of force majeure — sometimes referred to as an ‘act of God’ — originates from French law. Translating as ‘superior force’, this contractual term is used to guard against unforeseen and unavoidable catastrophic events and can excuse a party from fulfilling its contractual obligations.

What counts as force majeure?

For a party to invoke force majeure, several conditions must be met. First, the clause must be explicitly included in the contract. Unlike in civil law systems, force majeure under English law is not implied by statute. It exists only where the parties have expressly included it.

Secondly, the event must be both unforeseeable and unavoidable. An event is unforeseeable if it could not reasonably have been anticipated at the time the contract was made, and unavoidable if the consequences could not be prevented or overcome through reasonable efforts.

The threshold here is ‘impossibility’, meaning that the contractual obligation is either impossible or extremely difficult to perform. It does not apply where performance is merely more expensive or inconvenient. Causation must be established: the event must directly cause the inability to perform. Finally, the affected party must have taken reasonable steps to mitigate the consequences caused by the force majeure event.

Historically, force majeure clauses protected parties from liability arising from unfulfilled contractual obligations caused by natural disasters, war or epidemics. This article explores whether it can now be used to protect clients from liability following modern disasters such as cyber-attacks.

The rise of digital disruption

Cyber-attacks have surged in recent years as hackers attempt to extort businesses through ransomware, threaten to release personal data for profit, or sow political chaos via state-sponsored operations.

Major UK retailers and manufacturers, including Marks & Spencer and Jaguar Land Rover have fallen victim to these attacks, suffering significant operational disruption. So, how can solicitors help clients guard against this growing threat?

The obvious answer lies in robust contractual drafting. Clients may want stronger pre-contractual representations, namely statements of fact intended to induce a party into entering a contract and warranties, which are contractual promises guaranteeing robust cyber security measures.

They might also seek specific clauses releasing them from contractual obligations in the event of a cyber-attack. However, what about those who have not included such measures? Not all hope is lost. This is where force majeure comes into play.

Can a cyber-attack qualify as force majeure?

A cyber-attack can amount to a force majeure event, but this depends on several factors: the contract’s specific wording, the nature of the attack, and whether it was beyond the affected party’s reasonable control.

The clause must cover the event either explicitly or through broader terms, like ‘malicious damage’ or ‘theft’, which may apply, depending on the nature of the circumstances. If the clause fails to do so, a catch-all provision such as ‘circumstances beyond [a party’s] reasonable control’, might still suffice, depending on the facts.

The party must also prove that the attack directly caused non-performance and that reasonable steps were taken to prevent or mitigate it. For example, a cyber-attack might cripple a supplier’s IT systems, disrupting the supply chain and preventing fulfilment of delivery obligations.

A real-world example

A notable example came in 2022, when Mabanaft, a German fuel distributor, and its related storing company Oiltanking Deutschland declared force majeure after a cyber-attack paralysed their operations.

The declaration allowed both companies to suspend certain obligations. They explained that force majeure had been invoked for specific operations of Oiltanking Deutschland’s German terminals business and Mabanaft’s inland supply activities within Germany.

In this case, the cyber-attack was clearly unforeseeable and unavoidable, constituting an event beyond their reasonable control. It made performance impossible or unsafe while systems were offline, and causation was clear: the attack directly caused the outage. The companies therefore met the criteria for force majeure and, as this was a German case, it was implied by statute under sections 275–278 of the German Civil Code (BGB).

Last resort, not first recourse

While force majeure can, in theory, protect against contractual liability following a cyber-attack, it remains notoriously difficult to invoke successfully. English courts construe such clauses narrowly. In Tandrin Aviation Holdings Ltd v Aero Toy Store LLC [2010], for instance, the court held that economic hardship did not amount to force majeure.

For that reason, force majeure is best viewed as a defence of last resort, not a first line of defence. Well-drafted representations, warranties and risk allocation clauses are more reliable safeguards.

Moreover, as cyber-attacks become increasingly common, they may no longer be regarded as ‘unforeseeable events’. Courts will expect businesses to adopt reasonable cybersecurity measures such as firewalls, backups and network segmentation. Failure to do so could weaken or invalidate a force majeure defence.

Looking ahead

As technology evolves, so too must the legal profession. Lawyers need to anticipate new threats to protect clients effectively. Using a concept that traces its roots back to the Napoleonic Code to defend against a cyber-attack illustrates both the adaptability of the law and the ingenuity modern solicitors must demonstrate to meet emerging challenges.

Listing ‘cyber-attack’, ‘ransomware’ or IT system failure’ among force majeure events is fast becoming best practice. Doing so not only clarifies the scope of protection but also signals a proactive approach to digital risk management.

However, as the frequency and sophistication of cyber-incidents increase, future disputes may well test how far force majeure can stretch to accommodate the digital age.

Ultimately, force majeure may never offer complete protection against cyber-attacks, but it remains a powerful reminder of how enduring legal principles can adapt to modern crises. In the battle between code and contract, the law’s capacity to evolve may be businesses’ strongest defence.

Arianna Alonso Petracchi holds a Master’s in Law from the University of Exeter. She has a strong interest in all areas of law, with particular enthusiasm for corporate and private client law.