Addressing emerging cyber risks: reflections on the ICCA Cybersecurity Protocol for International Arbitration

Cyber criminals, such as hackers, pose an increasing threat to the security of our virtual world and have claimed a long list of victims from celebrities to governments. In a post-WikiLeaks world, participants in international arbitration have not been spared. In 2015, in the course of an arbitration between China and the Philippines over disputed territory in the South China Sea, the website of the Permanent Court of Arbitration in The Hague, the Philippines’ Department of Justice and the law firm representing the Philippines were hacked. This incident underscores the fact that every participant in an arbitration needs to consider these risks, and that data associated with any arbitration is only as secure as the weakest link in the chain through which that information passes.

In response to this growing threat, the International Council for Commercial Arbitration (ICCA) in collaboration with the New York City Bar and the International Institute for Conflict Prevention and Resolution (CPR) have published for consultation a draft cybersecurity protocol for international arbitration. According to a recent survey carried out by Bryan Cave Leighton Paisner (also covered by a post on this blog earlier this year), there is broad agreement among lawyers and arbitrators that cybersecurity is an oft-neglected issue in international arbitration which needs to be addressed. In that connection, in advance of the publication of the final cybersecurity protocol, this post considers the potential implications of the protocol for international arbitration practitioners.

A little cybersecurity, but not too much

Article 6 of the draft cybersecurity protocol would confirm the tribunal’s authority to order cybersecurity measures, such as limiting the disclosure of confidential commercial information and personal data by anonymising or redacting information as necessary, restricting access to such information to a need-to-know basis and determining the safest means of transmitting this information between the various participants in the arbitral proceedings. The draft protocol does not, however, prescribe the extent to which disclosure ought to be limited in each case, who access should be restricted to or how best to communicate this confidential information. Instead, it leaves it to the tribunal to make these determinations.

This would allow tribunals the discretion to approach the issue of cybersecurity largely as they see fit, in circumstances where parties have agreed to follow the cybersecurity protocol or where the tribunal has determined to employ it. While tribunals may be tempted to take a belt-and-braces approach when it comes to cybersecurity, we suggest that a more measured approach is to be preferred. Often, cybersecurity measures are unsuccessful because they involve complex processes that rely on users being willing to alter their cyber habits to comply. For instance, where parties are accustomed to communicating or sharing documents by email, requiring them to redact and anonymise the information contained in these documents, and to use alternative distribution mechanisms, such as secure data rooms for all correspondence, may prove too inconvenient to guarantee uptake. Instead, use of these cybersecurity measures might be limited to the most commercially or politically sensitive documents in an arbitration, and even then, less drastic measures may be contemplated, such as the use of password-protected documents attached to emails (with passwords delivered to the parties separately by a different mechanism).

Paradoxically, imposing overly cumbersome cybersecurity measures on parties may, in fact, lead them to adapt their behaviours to avoid detection rather than to comply with these requirements, potentially rendering information less safe. If overly restrictive measures imposed by a tribunal result in cyber fatigue, parties may even agree to waive certain cybersecurity measures where compliance would prove too costly or time-consuming, since party autonomy is a cornerstone of the cybersecurity protocol and arbitration more generally.

If you don’t keep it, they can’t hack it

Although the issue of cybersecurity in the course of arbitral proceedings is no longer treated as an afterthought, its relevance following the conclusion of the arbitration is still rarely discussed. Article 6 of the draft cybersecurity protocol acknowledges the importance of this issue by encouraging tribunals to consider whether documents are to be destroyed or retained post-arbitration. To the extent that this does not interfere with legal or ethical obligations and follow-on proceedings, the retention of such confidential information long after the conclusion of the arbitration often amounts to accepting a long-term cyber risk in exchange for no reward.

What should you do?

While the draft cybersecurity protocol is non-prescriptive, it does recommend a list of best practices in Schedule C. In addition to the usual guidance in relation to ensuring that participants secure their devices with strong and frequently-updated passwords, the protocol also discourages the use of public WiFi systems. Public WiFi systems provide hackers connected to the network with easy access to other devices connected to the same network. In that connection, the protocol recommends the use of virtual private networks (VPNs) where appropriate or, alternatively, the use of mobile personal hotspots where this is more convenient.

The draft cybersecurity protocol also notes that participants in arbitral proceedings would be better able to mitigate the risk of a cybersecurity breach where they are cognisant of their digital architecture. What this means is that all parties, experts, tribunal members and their assistants should have a basic awareness of how data flows to and from their devices, and which applications store this data to enable them to view or transmit it.

The draft cybersecurity protocol acknowledges that, in practice, participants may use personal devices such as tablets to access data relevant to the arbitration. We suggest that these best practices should be extended to our personal digital architecture to prevent compromising our data security in a climate where participants are increasingly working remotely, using both personal and business devices.

Conclusion

The cybersecurity protocol is likely to be a useful piece of soft law and stands as a clear reminder to all participants in arbitration to give the issue due consideration. However, the full extent of its usefulness in mitigating the cyber threat depends on how parties and tribunals apply the protocol in practice. Arbitral institutions such as ICSID, the ICC or the LCIA might consider whether to adopt the protocol (or some modified version thereof) into their own institutional rules, to distinguish themselves from other arbitral institutions and present themselves as more cyber-secure. One of the reasons parties prefer international arbitration is the confidentiality that comes along with it, particularly when commercially or politically sensitive matters are at stake. Cybersecurity breaches pose significant threats to international arbitration in this regard and, as the draft protocol reminds us, institutions, tribunals and parties would be wise to address these risks.