In April 2025 M&S stopped taking online orders for 6 weeks. In late August Jaguar Land Rover’s (JLR’s) production lines ground to a halt. Asahi’s production lines shut down in September and have yet to fully reopen. Each of these pauses was costly: M&S lost out on £300mn of business in the weeks spent fixing its website, and JLR’s pause cost £50mn per week and required a £1.5bn loan backed by the British government to support JLR’s suppliers. Each also had a common culprit: cyber-attacks.
Cyber-attacks are an increasingly significant risk for businesses. Fears of reputational damage and extended disruption enable cyber-criminals to demand large ransoms, and AI has lowered the barriers to entry for potential cyber-criminals.

A key issue is the vulnerability created by outsourcing IT services. Reuters reported in May that the means of access in the M&S hack was via Tata Consultancy Services (a company to which M&S had subcontracted certain IT operations). M&S has not pursued litigation; however, with the increasing prevalence of cyber-attacks, it is only a matter of time before a victim considers action against its IT contractor (particularly where the contractor bears some responsibility for the attack).
Cyber breach
The starting point for any business considering legal action against an IT contractor will be the outsourcing contract. If the contract contains provisions aimed at preventing or mitigating cyber-security risk – such as security obligations which require the service provider to adopt minimum security standards – then the service provider’s compliance with those obligations will determine whether there is an actionable breach of contract.
If the contract is silent on the issue, however, not all hope is lost for the customer. S.13 of the Supply of Goods and Services Act 1982 (SGSA) implies a term into all services contracts that the supplier will carry out the services with reasonable care and skill. In the cyber-security context, there are two relevant questions:
- Is the term implied into the outsourcing contract? SGSA applies to IT service contracts; however, customers must consider the exact services provided under the contract. Euroption Strategic Fund Ltd v Skandinaviska Enskilda Banken AB [2012] EWHC 584 (Comm) [111-113] makes clear that the obligation to exercise reasonable skill and care applies only to the services provided under the contract, not to all rights and obligations owed by the parties. For example, an IT firm that provides customer assistance only owes the obligation to take reasonable care in the provision of customer service; it does not owe a general duty to provide high-quality cyber-security to its customers.

  The implied term may also be excluded by an express term or by the parties’ course of dealing (SGSA s.16(1)). Any express term must be inconsistent with the implied term (SGSA s.16(2)) and must use clear wording to exclude SGSA (The Federal Republic of Nigeria v JP Morgan Chase Bank, N.A. [2019] EWHC 347 (Comm) [37]).

- If the term is implied, did the service provider fail to meet the standard of reasonable care and skill? The service provider’s obligation is to “carry out the service with reasonable care and skill” (SGSA, s.13). For IT outsourcing contracts (as contracts to supply professional services), this obligation is to meet the standard of care “expected of a member of the profession in question (in the appropriate specialty, if specialist services are being provided) of ordinary competence and experience” (Grand Pier Ltd v System 2 Security Ltd (unreported, Bristol Mercantile Court 2012)). Relevant industry standards to consider include:
  - ISO/IEC 27001. This provides a comprehensive framework for information security management. As the primary ISO standard on cyber-security compliance, it is likely to carry significant weight in assessing whether the service provider acted with reasonable skill and care.
  - NIST SP 800-171. This sets out a baseline of security requirements for US companies handling Controlled Unclassified Information (CUI). It will be particularly relevant where the cyber-attack involves the breach of sensitive customer information.
  - The Prudential Regulation Authority’s Supervisory Statement SS2/21 on Outsourcing and Third Party Risk Management, which provides further guidance for banks and insurers.
Hack-on, Hack-off
Cyber-attacks are only going to increase in prominence. Though some firms will be targeted directly, IT service providers present a unique vulnerability for cyber-criminals to exploit. The SGSA is not a panacea: not every cyber-breach that originates from a contractor will be covered, service providers are not strictly liable, and the implied term may be excluded by the original contract. However, where an attack is made possible through a service provider’s failure to take reasonable care, the SGSA may provide some relief.