
As Chanakya Pandit states in his Neeti Sūtras, utsāhavatāṁ śhatravopi vaśhībhavanti and nirutsāhād daivaṁ patita: “With sufficient effort, even poor destiny can be transformed into good fortune, and without proper effort, even good destiny can be converted into misfortune.”
This ancient wisdom of the Bhagavad Gita (Chapter 18, verse 14) holds a modern lesson: the need for vigilance and action through robust risk allocation strategies in technology contracts to shield against potential harm. The rise of sophisticated cyber threats such as data breaches, ransomware, and cloud outages has reshaped the contractual landscape, demanding adequate action through a forward-looking approach.
Cybersecurity Failures: What We’ve Learned the Hard Way
As technology evolves, so do the risks, necessitating contractual flexibility, foresight and adequate action. Each cybersecurity incident brings critical learnings for all stakeholders in the digital ecosystem. For example, the Target Corporation breach in 2013, one of the classic security breaches, required Target to pay approximately USD 18 million in settlement after hackers infiltrated its systems through a third-party vendor. The aftermath of this attack was not just a security disruption but a loss of customer trust.
While the attack focused on Target, the compromise started with a third-party vendor. Companies need to remember that all their third-party vendors must be just as secure as their own systems; the incident highlights the importance of third-party risk assessments for both customers and managed service providers. If Target had properly segmented its network and closed the gaps, a cyber-attack of this magnitude would have been much harder to carry out.
The MOVEit cyberattack (2023), in which criminals exploited a vulnerability in Progress Software’s MOVEit file transfer application used by thousands of organisations worldwide, further illustrates the growing need for clear cybersecurity clauses in technology contracts.
Contracts should focus on detailed risk allocation and liability clauses that address potential breaches, with clear frameworks for audit rights, breach notification procedures, regular updating and patching of software vulnerabilities, and indemnification for breaches. Additionally, organisations should enforce strict compliance with global data protection standards and ensure their partners and service providers do the same.
SmartTech, Smarter Threats: What the Big Breaches Teach Us
As cybersecurity threats continue to advance, businesses must adopt a proactive, dynamic approach to crafting contracts that anticipate and mitigate risks. We can take notes from some legal precedents that shaped the understanding of risk allocation and accordingly implement best practices.
The Equifax Data Breach (2017) is one of the most significant data breaches in history: the sensitive data of 147 million individuals was compromised due to unpatched software vulnerabilities. The company faced regulatory penalties and lawsuits, culminating in a $700 million settlement. The key lesson from this case is that technology contracts must clearly assign responsibility for patch management, vulnerability monitoring, and compliance with cybersecurity standards. Comprehensive indemnity clauses should hold vendors accountable for breaches originating from their systems, ensuring the contracting party is protected from financial losses.
In addition to the above, there is another recent case that underscores the importance of ensuring proper data encryption and access control mechanisms by contractually implementing industry-standard security measures to prevent unauthorized data access and strict compliance with data privacy laws.
In the case of the CoWin Data Leak (2023), a Telegram bot leaked personal data from India’s CoWIN vaccination portal, including Aadhaar and passport numbers. A similar lesson was learnt from another data leak case at a Middle East bank, where a breach exposed the bank’s clients’ personal and financial details, including sensitive intelligence information. The primary takeaway from these cases is to include in technology contracts clauses that maintain confidentiality with severe penalties for breaches, regular security audits, data breach notification procedures, and end-to-end encryption.
Another pivotal lesson emerged from the AWS outages, where an Amazon Web Services outage disrupted businesses globally, raising questions about the adequacy of Service Level Agreements (“SLAs”). While AWS offered credits for downtime, many customers suffered significant indirect losses that were excluded under the limitation of liability clauses. The central lesson derived from this incident is that businesses must negotiate robust SLAs that include precise uptime guarantees, penalties for non-performance and broader coverage for consequential damages in critical use cases. Legal counsel should also push for balanced limitation of liability clauses, avoiding blanket exclusions of indirect losses.
Adding to the discussion on risk allocation, another important aspect is to ensure that both parties to the contract carry adequate insurance policies, with clear terms for premium payment and claims management. In the case of Zurich American Insurance Co. v. Sony Corporation (2014), Sony sought insurance coverage for lawsuits resulting from a data breach but was denied its claim due to policy exclusions for “intentional acts” under its commercial general liability (“CGL”) policy. An important learning is that companies across all areas of industry should consider cyber insurance policies to ensure that they are adequately protected in the event of a data breach.
Similarly, in the Cosmos Bank attack of 2018, a cyberattack siphoned INR 94 crore from the Pune-headquartered Cosmos Bank in India via malware installed on its servers. An essential lesson from this incident is to ensure 24/7 threat detection and incident response mechanisms, along with clarity on the insurance coverage and the insurance policy commitments being made.
Another critical dimension to consider in risk allocation is the growing threat of ransomware attacks and how they intersect with force majeure provisions in contracts. As these attacks become increasingly sophisticated and disruptive, both clients and service providers must ensure their agreements explicitly address whether ransomware events qualify as force majeure. The ambiguity in traditional clauses has led to significant disputes, as seen in Merck & Co. v. Ace American Insurance Co. (2022), where the court ruled that the ransomware attack did not fall under a war exclusion clause. Such cases underscore the importance of specifying responsibilities, liabilities, and performance obligations during cyber incidents. Tailored force majeure provisions, combined with robust cybersecurity protocols and clear incident response measures, are indispensable in navigating the evolving risk landscape effectively.
Merck v. Ace also serves as a warning to policyholders, as insurers are reviewing and scrutinizing policy language in light of increased financial hits on claims related to cyberattacks. Organisations must evaluate policy language before binding to ensure that they fully understand the scope of what they are purchasing, and flag and consider any changes that may limit, restrict, or otherwise change their coverage.
Securing the Future – One Contract at a Time
The lessons derived from these cases serve as a guiding light and a clarion call for organisations to embrace a proactive, rather than reactive, approach to cybersecurity risks. In a rapidly evolving digital landscape, investing in preventive measures is far more prudent than grappling with the consequences of negligence. Organisations must prioritize implementing recognized cybersecurity certifications and standards such as ISO 27001 or SOC 2 as a baseline for cybersecurity, drafting tailored indemnities, securing comprehensive cyber insurance, and developing robust incident response plans. Periodic reviews of contracts, stringent employee training programs, limitation of liability clauses, and unwavering regulatory compliance should form the bedrock of their risk allocation strategies. Together, these measures will not only fortify contractual resilience but also safeguard the trust, reputation, and operational continuity of organisations in the face of ever-escalating cyber threats.