Recently, the largest single ransomware attack to date occurred when ransomware known as WannaCry attacked companies around the world. These companies will likely not know the extent of the damage caused by this attack for months, if not years. WannaCry is just one of several ransomware threats that companies face.
Ransomware either prevents a user from accessing their computer or their files until a ransom is paid to the hackers. Ransomware can infect a system in various ways, and hackers are becoming more and more creative about ways to deceive an employee into unknowingly infecting a company’s network.
Contractors are not immune to ransomware (or other cyberattacks). A successful ransomware attack on a contractor’s network would likely shut down the contractor’s operations on its projects for a period of time.
No access to email or any documents until the contractor pays the ransom (which will likely have to be paid in bitcoin, which would probably present its own challenges). And even then, some hackers would not release the files back to the contractor even after the ransom was paid. Think of the impact that this would have on a contractor’s business operations. No bids could be submitted and every project would be delayed.
The business impact would be catastrophic. There are insurance professionals that can help address potential business interruption damages. But what about liability for project delays due to a ransomware attack? Would the delays be excusable under the contractor’s contracts? Most likely not.
Many contracts contain a force majeure clause that addresses various events that would be considered excusable delays, or in some contracts, these events give one or both parties the right to suspend the work or terminate the contract. Most force majeure clauses are not broad enough, however, to cover a ransomware attack.
This means that contractors would potentially be responsible for damages on every project that is delayed by a ransomware attack. Depending on the terms of the contract and the owner’s course of action, the contractor could be faced with significant liquidated damages, its work being supplemented, or its contract being terminated.
The Wannacry attack will like only embolden hackers who seek to use ransomware to extort money from companies. Contractors should make sure that the force majeure clauses in their future contracts include ransomware attacks and other cyberattacks in the list of events that are excusable delays. And then hope that you never need to rely on it in the future.