Cyber-attacks and other disruption events: Model provisions for syndicated loans in the bank and private credit markets

Cyber-attacks or similar unforeseen events can affect payment or communication systems in a manner that prevents a party to a commercial contract from fulfilling its obligations. While parties may be able to rely on force majeure provisions in many of their commercial agreements, North American credit agreements generally do not have force majeure or similar provisions that provide a framework for dealing with cyber-attacks or similar events.

With the increasing prevalence and sophistication of cyber-attacks, Norton Rose Fulbright's market-leading debt finance team has developed model provisions (the "Disruption Event Provisions") for syndicated credit agreements. The Disruption Event Provisions are intended to address adverse technical and systems-related events beyond the reasonable control of an applicable party to a credit agreement and that impede the ability of such party to make or process payments and/or communicate with other parties to the credit agreement.

The Disruption Event Provisions are relevant for both lenders and borrowers active in the bank and private credit markets.

For additional insights or inquiries about the Disruption Event Provisions, reach out to a member of our banking and finance team.

Disruption event provisions: Summary overview

The Disruption Event Provisions seek to mitigate certain risks posed by cyber-attacks affecting lenders and/or borrowers by:

• establishing architecture that allows for immediate action to obtain temporary and short-term relief from payment or reporting obligations where certain disruption events beyond the reasonable control of the affected party prevent compliance with such obligations;
• providing a streamlined amendment and waiver process that initially only involves the administrative agent and the borrower and the affected party (assuming neither the administrative agent nor the borrower is the affected party);
• establishing a lender veto mechanism that provides lenders not involved in the initial amendment and waiver process with a means to override such process; and
• seeking to establish a balance of risk that allows parties to deal with the consequences of cyber-attacks quickly and efficiently, while also ensuring the interests of all parties are reasonably protected.

The Disruption Event Provisions are gaining traction in the Canadian finance market and there are examples of analogous provisions in the European bank market such as the Loan Market Association (LMA) model form credit agreement. We also note that the 2002 ISDA Master Agreement contains provisions relating to the temporary deferral of certain obligations (including payment obligations) as a result of force majeure events.

Beyond credit agreements: General cyber-risk mitigation strategies

The best protection from the risks posed by cyber-attacks is prevention, and the Disruption Event Provisions are only intended to address contractual risk under credit agreements. Strong internal cyber-risk mitigation strategies and robust policies and procedures for dealing with cyber-attacks, if they do arise, are critical steps for protecting against the legal, commercial and reputational risks posed by cyber-attacks. Norton Rose Fulbright has a dedicated cybersecurity and data privacy practice that helps clients across all sectors in multiple jurisdictions manage these risks.