Cybersecurity Protocol for International Arbitration: Three international organisations—ICCA, the New York City Bar Association and CPR—are introducing best practice in protecting against cyber threats.
Cybersecurity is a particularly important element of the legal sector, including international arbitration. Digital exchange of information in arbitration proceedings involves, among other things, sensitive data of the participants in the proceedings, including the parties, arbitrators and arbitration institutions.
Failure to protect the exchange of information in cyberspace may result in leaking of sensitive information and abuse of confidential data by third parties. This can result in economic loss, damage to the reputation of the participants, as well as violation of the principle of fairness of the proceedings and the independence of arbitrators.
A new Cybersecurity Protocol for International Arbitration
In response to these risks, the arbitration community recently released a Draft Cybersecurity Protocol for International Arbitration. It was developed by a working group established by the International Council for Commercial Arbitration (ICCA), the New York City Bar Association and the International Institute for Conflict Prevention & Resolution (CPR).
In December 2018, consultations were concluded during which the draft was examined at arbitration workshops around the world. The document contains recommendations on cybersecurity, and the final version is expected to be published this year. The aim of the protocol is to raise awareness of the existence of cybersecurity threats in international arbitration and to introduce measures to counter these threats.
The protocol contains solutions designed to support the process of protecting the exchange of information in arbitration, including an indication of:
- Factors to be taken into account when choosing specific cybersecurity measures, e.g. the nature and value of the dispute, the identity of the parties and the type of industry they operate in
- Measures to enhance the security of information exchange, e.g. limiting the exchange of information, encryption or anonymisation of information, limiting access to information or using secure data transmission methods
- Measures that can be taken to limit the impact of breaches, e.g. identifying the source and type of a breach, informing all interested parties and relevant institutions and bodies about the breach, and strengthening the system of safeguards.
The protocol takes into account the autonomy of the parties and the fact that cybersecurity measures will vary according to the specific case.
“Cybersecure” arbitration clauses
The protocol recommends the inclusion of security clauses in arbitration agreements. In a security clause, the parties undertake that the arbitration proceedings will be conducted in compliance with the cybersecurity measures established by the arbitral tribunal competent to hear the dispute between the parties. According to the protocol, a “cybersecure” arbitration clause could read as follows: “The parties agree that the arbitration shall be conducted in a secure manner as determined by the arbitral tribunal, taking into consideration the views of the parties and the Cybersecurity Protocol for International Arbitration.”
Procedure for application of cybersecurity measures
The protocol indicates that before adopting appropriate cybersecurity measures, the parties should first agree on the measures they wish to apply in consultation with the arbitral tribunal or arbitration institution. In some cases, the need for appropriate security measures will not immediately become apparent, so the parties may also raise the need for such measures at a later stage of the proceedings.
The arbitral tribunal should address the issue of cybersecurity and the parties’ agreements in this regard as soon as possible, no later than at the first meeting. In justified circumstances, the tribunal may reject the parties’ agreements, e.g. on grounds of the need to protect the interests of third parties or on grounds of conflict with mandatory provisions of law.
All participants in the arbitration and witnesses should be informed of the security measures applied and, as far as possible, confirm in writing that they will comply with them.
Cybersecurity breaches in arbitration proceedings
The protocol also mentions the steps to be taken by the participants in the arbitration proceedings when a cybersecurity breach occurs, namely:
- Measures to identify the specific source of the breach, to address any vulnerabilities in the security system and to prevent future breaches
- Informing interested parties of the breach, in a timely manner, while respecting the confidentiality of the arbitration
- If appropriate, taking systems and applications offline to prevent further loss of information
- Taking action to recover lost information
- If appropriate, involving law enforcement authorities.
The introduction of uniform solutions increasing the security of arbitration proceedings should reduce unnecessary conflicts and streamline the proceedings. It may also increase the effectiveness, security and predictability of arbitration and, as a result, confidence in international arbitration.
This will allow us to use the full potential of arbitration as a modern, effective and tailor-made dispute resolution method.
Karolina Kozłowska, Dr Marta Kozłowska