Search

Quality and consistency through collaboration

All.FirmWide services.Cyber and Privacy

Force majeure clauses have gained renewed attention following the CloudStrike outage in 2024.  With a shift away from traditional on-premises software to cloud-based software-as-a-service (SaaS) solutions such as CloudStrike, organisations should consider the implications for force majeure clauses and make sure they are adequately protected.

In this article we set out some of the key issues to keep in mind.

What is SaaS?

Traditionally, software was installed and run on a company’s own hardware infrastructure, within the company’s physical premises (On-Prem). 

In recent times, On-Prem is being replaced with cloud-based SaaS solutions. In this model, the same software now sits in the cloud, allowing multiple customers to access the same core product simultaneously. The SaaS provider will typically provide unique configurations for its customers, making the core product compatible with their system. 

The economies of scale afforded by SaaS translate into costs savings for the customer, who does not need to maintain servers or as many in-house IT experts. However, SaaS can also come with a greater risk of service failures that are beyond the customer’s control.

Service failures can range from minor bugs to critical system outages. The CloudStrike incident was an example of both. A minor update intended to patch systemic bugs unintentionally blocked user access to entire operating systems—turning a routine patch into a sudden economic shutdown. Additionally, SaaS solutions are also vulnerable to malicious attacks targeting either the provider or the cloud host.

What is force majeure?

Force majeure is a concept derived from the French Civil Code, referring to extraordinary events or circumstances beyond a party’s reasonable control that prevent or delay performance of contractual obligations. Due to its origin, there is no equivalent concept in Australian common law. Accordingly, in the absence of an express force majeure clause, a party cannot rely on a parallel common law doctrine to excuse non-performance.

Why might force majeure pose particular concerns for SaaS customers?

Business continuity is an important concern for customers contracting with SaaS providers, especially for critical solutions. With On-Prem, businesses have control and access to the software in the event of a failure. In contrast, with SaaS customers must rely on the SaaS provider’s infrastructure and their ability to restore service in the event of an outage.

For this reason, SaaS agreements will typically include a service level agreement (SLA), which sets out service levels relating to the availability of the solution, along with response and resolution times where support is provided. These service levels should be backed up by the obligation on the SaaS provider to pay service credits and with appropriate termination rights. SLAs will usually have a list of specific exclusions, including force majeure events.

For customers regulated by APRA CPS 230 (Operational Risk Management), certain provisions must be included in agreements with material service providers.  These include a force majeure clause that indicates the parts of the agreement that will continue upon the occurrence of a force majeure event.

Important consideration when negotiating a force majeure clause

The following are important considerations when negotiating a force majeure clause:

1.       Definition of ‘force majeure event'

A ‘force majeure event’ is typically defined by a list of circumstances including acts of God, natural disasters, and war, followed by a catch-all phrase such as ‘all other events beyond the control of the parties’. In On-Prem scenarios, a force majeure event may extend to failures in the customer’s own infrastructure or network that prevent the customer’s ability to install, operate, and maintain the software. In SaaS contexts, force majeure events often include triggers related to the vendor’s infrastructure, network, operations, or third-party providers.

Parties should agree the boundaries of what falls within a force majeure event and when liability for service performance failures is excluded. Examples of issues include:

  • Cloud and data centre failures: SaaS platforms are hosted in virtual environments supported by cloud infrastructure, which rely on physical data centres. Failures in either layer, virtual or physical, can cause a full-service outage. On-Prem systems are less vulnerable since they operate on infrastructure under the customer’s control.
  • Cybersecurity attacks: SaaS applications, being internet-facing, are more exposed to threats like Distributed Denial of Service (DDoS) attacks. Even with robust security in place, such attacks can severely disrupt service availability. If the provider has taken all reasonable preventive measures, these incidents may be treated as force majeure events.
  • Third-Party integration failures: Many SaaS platforms integrate with external systems (e.g. banks, payment gateways, logistics platforms) to deliver real-time data and functionality. If one of these external services fails, it can impact the performance or usability of the SaaS solution. On-Prem software generally does not have this level of reliance.

Recently, we have observed organisations attempting to expressly exclude the failure of a service provider from the definition of a ‘force majeure event’.  Inevitably, however, SaaS providers will argue that they cannot ultimately control the actions of their service providers, and that this scenario is no different from any other event beyond their control. 

Depending on how force majeure events are defined, a circumstance that causes performance to become more burdensome or expensive is unlikely to qualify as a force majeure event, particularly where other alternative means of performance are available.

If there are specific circumstances a party is concerned about, it should look to articulate these in the agreement. 

2.       Ensuring a causal connection

A party should only be excused from non-performance to the extent caused by the force majeure event. Occasionally, the language in contracts is vague, which can lead to a party attempting to excuse any non-performance simply due to an occurrence of a force majeure event—rather than the non-performance being directly attributable to it. The wording should be reviewed to ensure the counterparty cannot use the occurrence of a force majeure event to avoid their obligations more broadly.

It is also advisable for the parties to specify certain obligations, such as the customer’s payment of the license fees that are intended to survive during force majeure events, removing any argument over causation.

3.       Requirement to mitigate

Ideally, an express obligation should be included for the parties to mitigate any loss or delay arising from a force majeure event and for the parties to continue to perform all other unaffected obligations. It may be possible to imply a mitigation obligation in certain circumstances, but it is preferable to point to an express obligation, especially in turbulent situations, where such clauses are often invoked.

4.       Right to terminate

Likewise, the parties should include an express right to terminate the agreement upon written notice if the force majeure event continues for a certain period of time, rather than relying on an implied right of termination.  Consideration should be given to whether this termination right should benefit both parties or just the party not invoking the force majeure event. 

Conclusion

With the growing popularity of SaaS, organisations should consider the associated risks, particularly the potential for service failures and the circumstances in which a SaaS provider may rely on force majeure provisions to excuse non-performance.  A well-crafted force majeure clause should reflect the nature of the agreement and provide balanced protection for both parties in the face of events beyond their control.

Return To Top
Related articles
Media room