If you are a tech provider, one of the most important parts of your service contract is the section on cybersecurity. This is where the agreement says who will be responsible if there is a breach or system failure caused by a cyberattack. Typically, this is in the force majeure or liability limitation clauses.
In many contracts today, this risk is placed entirely on the provider. The contract might say that the provider must prevent all security breach, or is responsible for any damage if a breach occurs.
In some cases, the contract even says that a cyberattack is not a force majeure event, which means the provider cannot claim that the attack was beyond their control.
At first glance, this might seem reasonable. After all, tech providers are expected to keep systems secure. But what if the source of the attack is not a regular cybercriminal, but a foreign government or a state-sponsored actor?
Most commercial cybersecurity tools are designed to stop ordinary threats. These might include phishing scams, malware infections, or hacking attempts by criminal groups. But when the attacker is a foreign government or a state-sponsored actor, it’s a completely different ball game.
Foreign governments and state-sponsored actors can launch attacks that are carefully planned, well-funded, and extremely difficult to detect. These attackers might use methods that have never been seen before. They might spend months or years quietly studying a system before making a move.
In many cases, the breach is discovered only after sensitive data has already been stolen or systems have already been compromised.
Commercial security tools are not built to handle this level of threat. Even if the provider follows best practices, uses the latest software, and trains its staff, it is still possible for a foreign government or state-sponsored actor to break through. No product or service in the market today can offer a real guarantee of protection against this kind of attack.
This is why contract terms must reflect the limits of what is possible. If a tech provider is forced to take full responsibility for every cyberattack, regardless of where it came from, that provider could face legal and financial consequences for something that was completely outside their control. This is not just unfair. It creates the wrong kind of pressure, where tech companies feel forced to overpromise or hide the true nature of the risks.
In service contracts where the government is the customer, the government itself is usually the main target of the foreign attack. It makes sense for the government as contractual party to take responsibility for threats coming from other states. Government agencies have access to national security tools, intelligence networks, and broader support systems that private companies do not.
In contracts between two private companies, the answer is less clear. But even then, it is important to separate ordinary cybersecurity risks from those that involve foreign governments and state-sponsored actors. Contracts should include special language for these cases.
The parties may classify state-sponsored cyberattacks as force majeure events, relieving either side of liability, or they may impose a liability cap that limits exposure if attribution points to a foreign state.
We live in a world where cyberattacks are part of international conflict. They are not always about money. Sometimes, they are about geopolitical tensions. If contracts pretend that all cyberattacks are the same, they create expectations that no company can meet. That is bad for business.
The better approach is equitable risk-sharing. Contracts should reflect what can be controlled and what cannot. They should protect both sides from impossible promises.
The author is a lawyer and founder of the law firm Geronimo Law and financial advisory firm Strago. He is a professor of law and finance, author, and athlete.
