‘Not failsafe’: IT firms exposed despite cyber liability disclaimers 

Providers of IT services are advised not to rely on contractual limitation of liability clauses and to take out standalone cyber cover.  

Axa’s Brooklyn Underwriting says such clauses may be void under unfair contract terms legislation and are “not a safety net against negligence claims”.  

For IT professionals, whether they bear any liability when clients experience a cyber-attack remains “unsettled and ambiguous” in “unclear/untested legal territory,” Sydney-based Brooklyn Claims Manager Maya Lazarus says. 

General or professional liability insurance could exclude cyber-risk or have gaps – for example incident response costs and first party costs would not be covered, she says, recommending dedicated cyber cover. 

Cyber risk considerations must form an integral part of an IT professional’s risk management, Ms Lazarus says, as “duty of care” responsibilities for their clients aren’t currently clearly defined, and IT service providers find themselves at risk if clients experience a cyber-attack. 

“Claims associated with cyber-attacks have become an increasingly significant part of my caseload. Also on the rise are complex disputes about who is liable for damages,” Ms Lazarus said.  

As businesses outsource technical support to service providers that install and maintain IT infrastructure, manage user access accounts and safeguard client data, those providers become “tempting targets for hackers”. Should cyber-criminals successfully breach a provider's defences, they could potentially access its clients' details, including their data, operating systems, intellectual property and so on.

Ms Lazarus advises ensuring responsibilities for cyber security are defined clearly, documenting the state of each client’s security measures and any agreed remediation, alerting clients to new threats and keeping records, and monitoring regulatory changes and trends. 

While service agreements include disclaimers, including ones excluding liability for cyber breaches, these are not “ironclad”. IT service providers are advised not to rely on limitation of liability clauses, which are potentially void under unfair contract terms legislation and are “not a safety net against negligence claims”.

“Lawyers representing cyber-attack victims may argue that disclaimers don’t apply or aren’t valid, and given the absence of set standards or legal precedents defining an MSP’s responsibilities, these arguments could prevail,” Ms Lazarus said.

“It should not be assumed that these disclaimers provide failsafe protection against liability claims.”