Introduction
A company receives an email from its long-standing supplier requesting that future payments be sent to a new bank account. The email arrives from the supplier’s usual address, references the correct invoice numbers, and is written in the same tone and format as every previous communication. The company then proceeds to execute a payment to the new bank account. The money reaches a fraudulent account controlled by a criminal who had, weeks earlier, compromised the supplier’s email system. By the time either party discovers the fraud, the funds have been dispersed across intermediary accounts in multiple jurisdictions and are, for all practical purposes, irrecoverable.
This scenario, known in the cybersecurity literature as Business Email Compromise (“BEC”) or, more specifically, Vendor Email Compromise (“VEC”), is not hypothetical. It is one of the most financially significant categories of cybercrime in the world today, responsible for billions of dollars in losses annually and affecting organisations of every size, sector and geography. What makes it particularly insidious is that it exploits not a technological vulnerability of the victim, but the ordinary trust that exists between commercial partners. The attacker does not need to breach the buyer’s systems. It is sufficient to compromise the supplier’s email infrastructure and use it to send communications that the buyer has no immediate reason to question.
The legal question that follows is deceptively simple: when a company pays the wrong person because its supplier’s systems were compromised, which of the two bears the financial loss? The answer, as this article demonstrates, is far from straightforward. It depends on the jurisdiction, the terms of the contract between the parties, and the conduct of both organisations before and during the incident.
This article examines how courts in the United States, Canada, the Netherlands, Germany and France have addressed this question. These jurisdictions have been selected because they represent both common law and civil law traditions and because they have produced the most developed body of case law on the subject, permitting a structural comparison that extends beyond the particularities of any single legal system.
Section I defines the threat and its scale. Section II examines the contractual dimension, that is, the extent to which the contract between the parties may already determine the allocation of the loss. Section III surveys the case law across five jurisdictions and two legal traditions. Section IV draws out the convergences and divergences, identifying what might be described as an emerging dual-duty standard. Section V translates the legal analysis into practical recommendations for both buyers and suppliers. Readers already familiar with the mechanics of BEC attacks may wish to proceed directly to Section II; those primarily interested in the comparative case law analysis will find it in Section III.
Executive summary
No jurisdiction examined in this article grants the hacked supplier categorical immunity from liability, but the mechanisms for allocating the loss differ materially across legal traditions.
Common law jurisdictions tend toward a payor-liability default. In Ontario, the court in St. Lawrence Testing v. Lanark Leeds held that the buyer must pay the supplier a second time unless it demonstrates supplier negligence, misconduct or a contractual allocation of risk. In the United States, courts have developed competing frameworks, ranging from strict payor liability under the imposter rule to a comparative fault analysis that examines both parties’ conduct.
Civil law jurisdictions tend toward a proportional allocation. The Dutch Supreme Court in Devante v. Hascor held that the compromise of the supplier’s IT systems falls within the supplier’s “sphere of risk,” even where no individual employee was at fault. German law reaches a similar result through the doctrine of organisational fault (Organisationsverschulden), examining whether the supplier’s cybersecurity infrastructure met the standard of a reasonably organised enterprise. French law contributes the principle that cyberattacks cannot constitute force majeure, while placing the burden of proving serious negligence (négligence grave) on the party alleging it.
Across all jurisdictions, two findings are consistent. First, the contractual framework is determinative where it exists, yet the vast majority of commercial contracts remain silent on payment verification and cybersecurity obligations. Second, the buyer’s failure to verify altered payment instructions through an independent channel is treated as a significant, and often decisive, factor in the allocation of liability. The most effective protection, for both parties, lies in addressing these matters contractually and operationally before the attack occurs.
I. The scale of the threat
The statistical evidence is unambiguous. The FBI’s IC3 2024 Annual Report recorded 21,442 BEC complaints in 2024, with losses of $2.77 billion, making BEC the second-highest cause of financial loss among all cybercrime types reported in the United States. The cumulative figure since tracking began in 2013 exceeds $55 billion globally. In Europe, ENISA’s 2025 Threat Landscape report documented 4,875 significant cyber incidents between July 2024 and June 2025, with supply chain attacks targeting IT providers, cloud integrators and managed service providers as a predominant vector. The Verizon 2025 Data Breach Investigations Report found that 30% of all data breaches now involve third-party suppliers, double the figure from one year earlier. These figures represent only reported incidents. The actual scale is likely considerably larger.
What distinguishes supply chain BEC from conventional phishing is the element of trust. The attacker does not send a suspicious email from an unknown address. The communication originates from within the supplier’s own email infrastructure, in many cases from the precise address with which the buyer has been corresponding for years. The funds, once transferred, are typically dispersed across intermediary accounts in multiple jurisdictions, making recovery practically impossible. This combination of apparent legitimacy and irreversibility is what makes BEC one of the most financially damaging forms of cybercrime, and what makes the legal question of the allocation of the resulting loss both urgent and commercially significant.
II. The starting point: the contract
Before reaching for case law or general principles of civil liability, the analysis must begin with the contractual framework governing the relationship between the parties. The answer to the liability question may already be determined by the agreement.
A. Contracts that address payment procedures
Certain commercial agreements contain provisions governing the manner in which payment details are communicated and modified. A well-drafted clause may require that any change to bank account information be confirmed through a secondary channel, such as a telephone call to a pre-registered number, a signed letter on company letterhead, or a confirmation through an agreed electronic portal.
Where such a clause exists and the buyer followed the prescribed procedure but was nonetheless deceived, the buyer has a strong basis for arguing that it discharged its contractual obligations and should be treated as having validly performed its payment obligation. Conversely, where the buyer received an email requesting a change of bank details and processed the payment without following the agreed verification procedure, the analysis is straightforward: the buyer failed to comply with its contractual obligations. In most legal systems, this failure would be sufficient to place the loss on the buyer.
The practical reality, however, is that the vast majority of commercial contracts, particularly in ongoing supply relationships, contain no provisions of this kind. Payment clauses typically specify amounts, due dates and bank account details, but are silent on what occurs when those details are fraudulently altered by a third party.
B. Contracts that address cybersecurity obligations
A distinct but related question arises where the contract imposes cybersecurity obligations on the supplier. If the supplier has warranted contractually that it will maintain a specified standard of information security, such as compliance with ISO 27001, implementation of multi-factor authentication, or regular penetration testing, and the breach occurred because the supplier failed to meet those standards, the path to liability is direct. The supplier breached a contractual warranty, and that breach was causally connected to the buyer’s loss.
This analysis becomes particularly significant where the contract includes indemnification provisions. A cybersecurity indemnity requiring the supplier to hold the buyer harmless for losses arising from the supplier’s security failures would provide the buyer with a direct contractual remedy, subject, of course, to any limitation of liability clause that may cap the supplier’s exposure.
Limitation of liability clauses are therefore material to the analysis. If the contract caps the supplier’s total liability at, for instance, the annual value of the services, a BEC loss significantly exceeding that cap may leave the buyer only partially compensated. Whether a court would enforce such a cap in the context of a cybersecurity breach is a jurisdiction-specific question. In many civil law systems, limitations of liability are unenforceable in cases of intentional misconduct or gross negligence (faute lourde / grobe Fahrlässigkeit). A supplier’s failure to implement adequate cybersecurity, while potentially negligent, is unlikely to be characterised as intentional, leaving the limitation clause intact in most cases. This is an area where careful contractual drafting, particularly in the definition of carve-outs from the liability cap, becomes decisive.
C. Contracts that are silent
This is the scenario that nearly all reported case law addresses: the parties maintained a commercial relationship; the contract contained no provisions on payment verification or cybersecurity standards; the supplier’s systems were compromised; and the buyer paid the wrong person.
In this situation, the analysis must proceed beyond the four corners of the contract to the general principles of civil liability applicable in the relevant jurisdiction. It is here that the answers diverge materially.
III. The jurisprudence: a comparative view
The question of the allocation of liability in a supply chain BEC scenario has now been addressed by courts in several jurisdictions. No two have reached precisely the same conclusion, but certain patterns are discernible. The analysis that follows examines the approaches of the United States, Canada (both the common law province of Ontario and the civil law province of Quebec), the Netherlands, Germany and France. These jurisdictions have been selected because they have produced the most developed body of case law or legal analysis on the question, and because they represent both common law and civil law traditions, permitting a structural comparison that extends beyond the particularities of any single legal system.
A. The United States: three competing frameworks
The United States has produced the most extensive case law on BEC liability, but has not produced a uniform answer. Three distinct analytical frameworks have emerged, each associated with different circuits and courts.
1. The imposter rule and ordinary care
In Arrow Truck Sales Inc. v. Top Quality Truck & Equipment Inc., Arrow Truck unknowingly paid approximately $570,000 to a hacker after receiving fraudulent wire instructions that appeared to come from its counterparty. The court applied the Uniform Commercial Code’s “imposter rule” (UCC §3–404), a provision originally developed in the context of the law governing cheques and payment instruments, and held Arrow liable on the ground that it had failed to exercise ordinary care. Arrow received conflicting payment instructions and did not undertake any verification, such as a telephone call to the counterparty, before executing the transfer. The court reasoned that this failure to exercise basic verification was the direct cause of the loss.
The principle establishes that where a party’s failure to exercise ordinary care substantially contributes to a loss caused by an impostor, that party is liable for the loss. Although the rule originates in the law of payment instruments, it has been applied by analogy to wire transfer disputes, and the Bloomberg Law analysis of the emerging BEC case law identifies this as one of the foundational approaches in US jurisprudence.
2. Comparative fault
The United States Court of Appeals for the Sixth Circuit adopted a different approach in Beau Townsend Ford Lincoln Inc. v. Don Hinds Ford Inc. (2018). The facts were as follows: Don Hinds Ford agreed to purchase approximately twenty Ford Explorers from Beau Townsend for $736,225. A threat actor compromised the email account of a Beau Townsend manager and sent Don Hinds fraudulent wiring instructions. Don Hinds transferred the full purchase price to the attacker’s account. Beau Townsend subsequently sued for the purchase price, contending that Don Hinds had not validly discharged its payment obligation.
The district court granted summary judgment for Beau Townsend, holding, in effect, that the buyer must pay twice. The Sixth Circuit reversed and introduced a comparative fault framework. The court stated that if there is a policy implicit in the UCC’s rules for the allocation of losses due to fraud, “it surely is that the loss be placed on the party in the best position to prevent it.” The court held that both parties’ failure to exercise ordinary care must be examined: Was Beau Townsend negligent in securing its email system? Was Don Hinds negligent in failing to verify the wire instructions? If both contributed to the loss, liability should be apportioned by comparative fault.
The case ultimately settled before the apportionment was determined at trial. The framework, however, was established. This approach, examining both parties’ conduct and allocating loss proportionally, is the most nuanced US approach and, as will be shown, the one most closely aligned with how civil law jurisdictions address the problem.
B. Canada: two provinces, two legal systems, two outcomes
Canada provides a particularly instructive comparison because it contains both common law and civil law jurisdictions within a single federation. Courts in each tradition have addressed BEC liability, and have reached materially different conclusions.
1. Ontario: the payor-liability standard
In St. Lawrence Testing & Inspection Co. Ltd. v. Lanark Leeds Distribution Ltd. (2019 CanLII 69697, ON SCSM), the Ontario Small Claims Court established what is perhaps the clearest analytical framework in any common law jurisdiction for the allocation of BEC losses.
The facts were as follows: a fraudster compromised the email account of St. Lawrence’s paralegal and sent Lanark Leeds fraudulent payment instructions directing settlement funds to a different bank account. Lanark complied with the fraudulent instructions and wired the funds to the attacker’s account. The funds were not recovered.
The Deputy Judge held that the payor (Lanark) assumes the risk of loss and must therefore pay the intended recipient a second time, unless one of three conditions is satisfied:
- the contract governs how payments are made and shifts liability for a loss resulting from fraudulent payment instructions;
- there is evidence of wilful misconduct or dishonesty by the other victim; or
- there is negligence on the part of the other victim.
The court found no evidence that St. Lawrence was negligent in maintaining its email security and no evidence of misconduct or dishonesty. Lanark had failed to follow the terms of the original settlement agreement and bore the loss in its entirety.
This decision is significant not only for its outcome but for its method. It provides a sequential analytical framework, a decision tree, that can be applied as a starting point in any jurisdiction: examine the contract first, then examine the conduct of the hacked party for bad faith, then examine that party’s conduct for negligence. Only if one of these three conditions is satisfied does the loss shift from the payor to the hacked party.
2. Quebec: proportional liability under civil law
Quebec operates under a civil law system derived from French law, making it a natural analytical bridge between the common law cases discussed above and the continental European approaches that follow.
In Concessions Caravane 1986 Inc. v. Toronto Dominion Bank (2020 QCCS 3426), the Quebec Superior Court addressed a scenario involving fraudulent fund transfers following a phishing attack. The court applied a proportional liability approach, allocating the loss between the parties in proportion to each party’s contribution to the fraud.
A qualification is necessary. The facts of Concessions Caravane involved a phishing attack in which an employee contributed to the breach by providing credentials to the attacker. In that context, proportional liability is entirely logical, as both parties were, in a meaningful sense, at fault. The decision does not, however, directly address the more difficult scenario in which the supplier’s systems were compromised through a direct technical exploit, what might be termed “pure hacking,” without any human error on the supplier’s part. For that question, the Dutch and German jurisprudence is more instructive.
C. The Netherlands: the sphere of risk
The decision of the Hoge Raad (Supreme Court of the Netherlands) in Devante v. Hascor (28 May 2021, ECLI:NL:HR:2021:783) is, to the best of the author’s knowledge, the most significant civil law judgment on supply chain BEC liability rendered to date. Its facts closely mirror the scenario under analysis in this article.
Hascor B.V. (a Dutch buyer) maintained a long-standing commercial relationship with Yildirim Holding A.S. (a Turkish supplier). Yildirim appointed its subsidiary Devante Minerals Trading Ltd. to fulfil an order for ferrochrome. The Yildirim group’s IT systems were then compromised, not through employee error or a phishing attack, but through a direct technical compromise of the infrastructure. The attackers sent Hascor falsified invoices with altered bank account numbers. Hascor paid $363,394 to the fraudster’s account.
The Hoge Raad applied the Kamerman/Aro Lease doctrine. The starting point is that when a person falsely assumes another’s identity, the impersonated person can rely on the fact that the false statement was not theirs; they are not liable for a communication they did not make. However, and this is the critical exception, under “special circumstances” where the risk of the consequences should be attributed to the impersonated party, the deceived party may be discharged from its payment obligation.
The court held that the hack of Devante’s systems fell within Devante’s sphere of risk (risicosfeer). The compromise occurred within Devante’s IT infrastructure, affected Devante’s email, and exploited Devante’s communication channel with its customer. Even though no Devante employee was personally at fault, the court concluded that liability could be attributed to Devante based on the circumstances, including whether Devante had maintained adequate cybersecurity protections within its sphere of responsibility.
The implications of this reasoning are considerable. Under Dutch law, the determinative question is not “who was at fault?” but rather “in whose sphere of risk did the event occur?” A compromise of a supplier’s email system falls inherently within the supplier’s sphere. The buyer relied on that communication channel in good faith. The supplier, even as a pure victim of hacking, may bear the consequences of the compromise of its own infrastructure.
This does not mean the supplier invariably loses. As Stibbe’s analysis of the judgment observes, the court weighs the circumstances: Was the supplier’s cybersecurity adequate? Were there indicators of fraud that the buyer should have detected? Was the buyer’s reliance on the email reasonable given the specific circumstances? In a companion case involving Bol.com and Brabantia, where Bol.com paid €750,493.09 to a fraudster’s account after receiving an email written in noticeably flawed Dutch, the court examined whether the buyer should have been alerted by the linguistic anomalies, suggesting that the buyer’s vigilance is also part of the equation.
The Dutch approach is, in essence, a sophisticated form of comparative analysis, but one that starts from the premise that the party whose infrastructure was compromised bears the initial burden of justification.
D. Germany: organisational fault
German law arrives at a substantively similar destination through a distinct doctrinal architecture.
The relevant statutory provisions are § 823 BGB (tortious liability for unlawful and culpable damage to another’s rights), § 280 BGB (contractual damages for breach of duty), and § 254 BGB (comparative negligence, reducing damages where the injured party contributed to the loss). The most distinctive German contribution, however, is the concept of Organisationsverschulden, or organisational fault.
Under this doctrine, a company may be held liable not because any specific employee acted negligently, but because the organisation as a whole failed to maintain adequate systems and controls.
In the BEC context, the Organisationsverschulden analysis proceeds as follows: Did the supplier implement multi-factor authentication? Email authentication protocols? Intrusion detection systems? An incident response plan? Regular security assessments? If the answer to several of these questions is negative, the company has organisational fault, irrespective of whether any individual employee acted negligently.
This distinction is fundamental. Organisationsverschulden shifts the inquiry from individual conduct (“did an employee click a phishing link?”) to systemic adequacy (“did the organisation maintain the infrastructure necessary to prevent or detect compromise?”). A company may therefore be liable for a “pure hack,” a zero-day exploit, a sophisticated advanced persistent threat, if its overall cybersecurity posture was inadequate to meet the standard of a reasonably organised enterprise.
The Higher Regional Court of Karlsruhe (OLG Karlsruhe, MMR 2023, 761) addressed a related scenario involving invoice fraud conducted via unencrypted email. The court’s analysis focused on which party had the ability to secure the communication channel, reasoning that closely echoes the Dutch “sphere of risk” approach.
On the buyer’s side, § 254 BGB operates to reduce the supplier’s liability where the buyer contributed to the loss. If the buyer failed to verify unusual payment instructions, disregarded identifiable red flags, or lacked internal payment controls, the buyer’s claim is reduced proportionally. The outcome, in German law, is therefore a proportional allocation based on the relative organisational adequacy of both parties.
E. France: good faith, the burden of proof and the limits of force majeure
French law approaches the question through its foundational principle of good faith and its framework for both contractual and tortious liability.
Article 1104 of the French Civil Code provides that contracts must be negotiated, formed and performed in good faith. This obligation is of public policy (d’ordre public) and cannot be excluded by agreement. Articles 1240 and 1241 (formerly Articles 1382 and 1383) establish the general framework for tortious liability, imposing an obligation to compensate damage caused by one’s act, negligence or imprudence.
Two aspects of French law are of particular relevance to the BEC scenario.
First, the question of burden of proof and the standard of negligence. The Cour de Cassation (Commercial Chamber, 23 October 2024) addressed the related question of bank liability in spoofing fraud and established a principle with broader implications: the victim’s négligence grave (serious negligence) must be proven by the party alleging it; it is not presumed. Where the fraudster employed sophisticated impersonation techniques, such as spoofing telephone numbers or impersonating bank employees, the victim’s lowered vigilance does not automatically constitute gross negligence. This principle was extended to professional clients on 12 June 2025. In the BEC context, this means that the party alleging the other’s negligence, whether the buyer alleging inadequate supplier cybersecurity or the supplier alleging inadequate buyer verification, carries the burden of proving that the failure was sufficiently serious to constitute négligence grave.
Second, the question of force majeure. Can a supplier invoke force majeure to escape liability for a cyberattack? French courts have consistently answered in the negative. A Paris Court of Appeal held that cyberattacks, including sophisticated ransomware, do not satisfy the requirements of Article 1218 of the Civil Code, which demands that the event be irresistible, unforeseeable and external to the parties. Courts reason that cyberattacks are foreseeable risks in modern business environments. This is a categorical position: the class of risk (cyberattack) is foreseeable, even where the specific attack was not.
There is, however, a significant nuance. While force majeure cannot be invoked as a statutory defence against cyberattacks, parties are free to define force majeure contractually. A well-drafted clause that expressly includes cyberattacks meeting specified criteria, for example attacks exploiting zero-day vulnerabilities unknown to the industry at the time of the incident, could, in principle, provide a contractual defence. This creates a drafting opportunity that neither party should overlook.
The French approach, taken together, produces a balanced framework: the supplier owes a duty of good faith that encompasses an implied obligation to maintain reasonable security for its communications; the supplier cannot invoke force majeure for a cyberattack; but the party alleging the other’s negligence bears the burden of proving négligence grave, and the threshold for that proof is not trivial.
IV. What the cases reveal: convergence and divergence
Having surveyed the jurisprudence across five jurisdictions and two legal traditions, several structural observations emerge.
A. Points of convergence
First, no jurisdiction grants the hacked supplier categorical immunity. Whether under common law or civil law, the fact that a supplier was a “pure victim” of hacking does not, by itself, relieve it of responsibility. The analysis in every jurisdiction proceeds beyond the fact of victimhood to examine the adequacy of the supplier’s cybersecurity measures, the reasonableness of the buyer’s conduct, and the specific circumstances of the fraud.
Second, every jurisdiction considers the conduct of both parties. Even the Ontario decision in St. Lawrence, which comes closest to a bright-line payor-liability rule, includes express exceptions for supplier negligence and misconduct. The Sixth Circuit’s comparative fault framework, the Dutch sphere-of-risk analysis, the German comparative negligence under § 254 BGB and the French burden-of-proof approach all share a common analytical structure: examine what each party did and did not do, and allocate the loss accordingly.
Third, the buyer’s failure to verify payment instructions is consistently treated as a significant, and often decisive, factor. Across all jurisdictions surveyed, courts examine whether the buyer had reason to be suspicious and whether it took reasonable steps to confirm the legitimacy of the payment instructions. A telephone call to a known contact number, a costless and immediate measure, appears in case after case as the step that would have prevented the loss.
Fourth, the contractual framework is the starting point in every jurisdiction. Where the contract addresses payment verification or cybersecurity obligations, courts apply those provisions. The reported case law arises almost entirely in the gap, where the contract is silent on these matters. This is itself a finding of considerable practical significance.
B. Points of divergence
The principal divergence lies in the default allocation of risk when the contract is silent.
Common law jurisdictions lean toward payor liability. The Ontario court in St. Lawrence placed the loss squarely on the payor absent negligence by the payee. The US Arrow Truck decision similarly held the payor liable for failure to exercise ordinary care. The rationale is that the payor is the party that actually executed the transfer and was therefore in the best position to implement verification controls at the moment of payment.
Civil law jurisdictions lean toward a more balanced, proportional allocation. The Dutch sphere of risk doctrine starts from the position that the compromise occurred within the supplier’s IT environment and therefore falls within the supplier’s sphere of responsibility, but permits discharge of the buyer’s obligation based on the specific circumstances. The German Organisationsverschulden doctrine examines the supplier’s cybersecurity infrastructure at the organisational level but reduces the buyer’s recovery based on any contributory negligence. The French approach places the burden of proving négligence grave on the party alleging it, creating a more symmetrical analysis.
The practical consequence is that identical facts, supplier hacked, buyer pays fraudster, contract silent, could produce materially different outcomes depending on the applicable law:
- In Ontario, the buyer would likely be required to pay the supplier a second time, unless it demonstrates that the supplier was negligent in maintaining its systems or engaged in misconduct.
- In the United States (Sixth Circuit), the loss would be allocated between the parties based on a comparative assessment of each party’s failure to exercise ordinary care.
- In the Netherlands, the court would examine whose sphere of risk the compromise falls into, whether the supplier’s cybersecurity infrastructure was adequate, and whether the buyer’s reliance on the compromised communication was reasonable.
- In Germany, the court would assess the supplier’s organisational cybersecurity measures against the standard of a reasonably organised enterprise and reduce the buyer’s claim by any contributory negligence attributable to inadequate payment verification.
- In France, the party alleging the other’s negligence would bear the burden of proving négligence grave, and the supplier would not be permitted to invoke force majeure.
This divergence is not merely academic. In cross-border supply relationships, which constitute the majority of the scenarios in which these attacks occur, the choice-of-law and jurisdiction clause in the contract may determine the outcome of the dispute as much as, or more than, the underlying facts.
C. The emerging standard
Despite these differences, the jurisprudence is converging toward what might be described as a dual-duty standard: both the supplier and the buyer owe duties of care, and the loss is allocated based on which party’s failure was more causally connected to the fraud.
For the supplier, the duty is one of organisational cybersecurity, that is, maintaining the IT infrastructure through which it communicates with its business partners to a standard that is reasonable in the circumstances. This is not a duty of perfection; it is a duty of reasonable care, measured against industry standards and, increasingly, as will be discussed in the second article, against specific regulatory requirements.
For the buyer, the duty is one of verification, that is, not blindly trusting every communication received through a previously reliable channel, particularly where the communication involves changes to payment information. The sophistication of the fraud is relevant: courts will be more sympathetic to a buyer deceived by a communication sent from the supplier’s actual email address with no detectable anomalies than to one that ignored identifiable warning signs.
The convergence on this dual-duty standard suggests that the law, across both legal traditions, is moving toward a regime of shared responsibility, one in which the allocation of loss depends on the specific conduct and organisational posture of the parties rather than on categorical rules.
V. Practical implications: protecting the company before the attack
The jurisprudence surveyed in this article sends a consistent message to businesses on both sides of the supply relationship: the time to address this risk is before the attack, not after. The following measures are derived directly from the factors that courts across jurisdictions have considered decisive.
A. For companies making payments
The single most effective measure, confirmed by virtually every reported case, is out-of-band verification of payment changes. Any request to alter bank account details, payment addresses or wire instructions must be confirmed through a channel independent of the one through which the request was received. A telephone call to a number already in the company’s records, not the number provided in the suspect email, is the paradigmatic example. This measure costs nothing and, had it been applied, would have prevented the loss in every case discussed in this article.
Dual authorisation for wire transfers, requiring two separate individuals to approve any payment above a specified threshold, has been documented to reduce unauthorised transfers by approximately 85%. Combined with three-way matching, comparing the invoice against the purchase order and a delivery receipt before payment, these procedural controls create multiple checkpoints that a fraudster must overcome.
Within the European Union, the Verification of Payee (“VoP”) mechanism, mandatory for Eurozone payment service providers since October 2025 under the Instant Payments Regulation (EU 2024/886), automatically checks whether the payee’s name matches the IBAN before a payment is executed. A mismatch generates a warning to the payer. Companies should ensure that their payment channels support VoP and should treat a VoP mismatch as a red flag requiring immediate investigation. From a litigation perspective, proceeding with a payment despite a VoP warning may constitute the kind of negligence that shifts liability to the buyer.
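As an added illustration (not from the article), the following Python models the three buyer-side controls just described: an out-of-band callback to the number already on file, dual authorisation above a threshold, and a VoP name/IBAN match. The vendor record, threshold, phone numbers and IBAN are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed vendor master data: what the buyer had on file BEFORE the change request.
VENDOR_MASTER = {
    "ACME-042": {"name": "Acme Components BV",
                 "phone_on_file": "+31-20-555-0100"},   # constructed number
}
DUAL_AUTH_THRESHOLD = 10_000.0   # constructed: payments at or above this need two approvers

@dataclass
class ChangeRequest:
    vendor_id: str
    new_iban: str
    callback_number_in_email: str   # the number the email invites you to call; never trusted

@dataclass
class PaymentContext:
    amount: float
    approvers: List[str] = field(default_factory=list)
    callback_confirmed: bool = False             # did finance confirm the change by phone?
    callback_number_used: Optional[str] = None   # which number finance actually dialled
    vop_name_for_iban: Optional[str] = None      # name the bank's VoP check returned

def assess_payment(req: ChangeRequest, ctx: PaymentContext):
    """Return (allowed, reasons); every failed control is listed so the record
    shows which verification steps were or were not taken."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor"]
    reasons = []
    # 1. Out-of-band verification: call a number already on record, not one from the email.
    if not ctx.callback_confirmed:
        reasons.append("bank-detail change not confirmed out of band")
    elif ctx.callback_number_used == req.callback_number_in_email:
        reasons.append("callback went to the number supplied in the email itself")
    elif ctx.callback_number_used != vendor["phone_on_file"]:
        reasons.append("callback did not use the number on file")
    # 2. Dual authorisation: two distinct approvers at or above the threshold.
    if ctx.amount >= DUAL_AUTH_THRESHOLD and len(set(ctx.approvers)) < 2:
        reasons.append("dual authorisation required for this amount")
    # 3. Verification of Payee: the bank's name for the IBAN must match the vendor on file.
    if ctx.vop_name_for_iban is None:
        reasons.append("no VoP result for the new IBAN")
    elif ctx.vop_name_for_iban.casefold() != vendor["name"].casefold():
        reasons.append(f"VoP mismatch: IBAN is held by '{ctx.vop_name_for_iban}'")
    return not reasons, reasons
```

The list of reasons is deliberately exhaustive rather than short-circuiting, because in a later dispute the record of which checks were performed is as important as the blocking decision itself.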
B. For suppliers
The case law establishes that maintaining adequate cybersecurity is not merely good practice but a factor that courts will examine when allocating BEC losses, and its absence may ground a finding of liability even where no individual employee was negligent. At a minimum, suppliers should implement multi-factor authentication, email authentication protocols (DMARC, SPF, DKIM), intrusion detection systems and regular security assessments. In the language of German jurisprudence, these are the organisational measures whose absence constitutes Organisationsverschulden.
Equally important is the obligation to notify. Several courts have considered whether the hacked party notified its counterparty promptly after discovering the compromise. A supplier that discovers its email system has been breached and fails to immediately warn its customers, thereby permitting further fraudulent communications, is in a materially weaker legal position than one that acted with urgency.
C. For both parties: the contract
The most reliable form of protection remains a well-drafted contract. Based on the case law surveyed in this article, the contract between a buyer and its supplier should, at minimum, address the following matters:
Payment verification procedures. The contract should specify the manner in which changes to bank details are communicated and confirmed, including the identification of a secondary verification channel. The absence of such provisions is the single most common factual predicate in BEC litigation.
Cybersecurity warranties. The supplier should warrant that it will maintain specified security standards, with reference to recognised frameworks such as ISO 27001, the NIST Cybersecurity Framework, or, where applicable, the measures required under the NIS2 Directive.
Breach notification obligations. The contract should require each party to notify the other within a specified period (24 to 48 hours) of discovering any compromise of its communication systems.
Indemnification. The contract should allocate financial responsibility for losses arising from security failures, with express carve-outs from any general limitation of liability clause to ensure that the indemnity is not rendered ineffective by a low liability cap.
Force majeure. Where the parties wish to address sophisticated cyberattacks, such as zero-day exploits or state-sponsored threats, as a potential defence, the force majeure clause must say so expressly. As demonstrated by French jurisprudence, courts will not imply such a defence.
VI. Conclusion
The question of which party bears the loss in a supply chain BEC attack does not admit of a single, universal answer. The outcome is shaped by the legal tradition of the jurisdiction, the terms of the contract, the cybersecurity practices of both organisations, and the specific circumstances of the fraud.
What is clear from the comparative analysis is that the law, across jurisdictions, is developing a coherent set of expectations. Suppliers are expected to maintain adequate cybersecurity within their sphere of responsibility, and the threshold of what constitutes “adequate” is being shaped not only by industry practice but by regulatory standards of increasing specificity. Buyers are expected to exercise reasonable verification before processing payments, particularly where the instructions involve changes to previously established payment details. Neither party is entitled to categorical immunity or automatic liability; the allocation depends on who did what, and what they failed to do.
For businesses, the most important conclusion is a practical one. The measures that courts across all jurisdictions have treated as relevant (out-of-band verification, dual authorisation, email security protocols, prompt notification) are neither expensive nor technically complex. Their implementation prior to an attack is the most effective means of both preventing the loss and, should litigation ensue, establishing that the company exercised the standard of care that courts have consistently identified as the benchmark.
The attacks are increasing in frequency, in sophistication, and in financial impact. The legal frameworks are developing in response, sometimes gradually, sometimes through landmark decisions that reshape the landscape. The question for every business is not whether it will encounter a supply chain BEC attempt. It is whether, when that attempt comes, it will be positioned to demonstrate that it did everything a reasonable organisation should.