Cybersecurity in international arbitration: on the road towards green flags

>> authors: Dragana Nikolić, Sabine Leimüller <<

International arbitration is not immune from cyberattacks. This is because arbitration proceedings usually involve a vast amount of sensitive data, trade secrets and privileged documents that are stored digitally these days. Arbitrators, administrative bodies and lawyers must keep these digital records confidential when the parties want to keep them out of the public eye. If they fall into the wrong hands, the impact may be troublesome.

Cybersecurity risks

Confidentiality in international arbitration requires cyber hygiene. In the era of paperless but data-heavy arbitration proceedings, electronic data may be exposed to unauthorised access.

For example, e-mails to which written pleadings and decisions are attached may be a target for cyber intrusions. Similarly, internal and external electronic databases allowing the parties to share their documents may be identified as weak links by cyber crooks.

Audio or video recordings of physical hearings may also be leaked to the public. Likewise, virtual hearings – another digital novelty in arbitration – require measures to safeguard them against any hacking or presence of "shadow listeners".

Other arbitration participants (such as fact and expert witnesses) and external service providers (such as interpreters and translators), who have access to or hold information pertinent to arbitral proceedings, may also fall prey to cyberattacks, especially when they store relevant data on their personal laptops or mobile phones.

Cybersecurity incidents

Indeed, there have been recent cases and hacker attacks in the arbitration world showing that cybersecurity should not be neglected.

An infamous example is the attack on the website of the Permanent Court of Arbitration (PCA) in 2015. Amid an ongoing maritime border dispute between China and the Philippines, malware was planted on the section of the website devoted to this dispute. The entire website containing information about dozens of other cases eventually had to be taken offline for security reasons.

Then there is the case of Gela Mikadze et al. v. Ras Al Khaimah Investment Authority et al., a commercial arbitration governed by the Stockholm Chamber of Commerce (SCC), in which one of the parties initiated set-aside proceedings before the Swedish courts claiming that due process was violated because a third party hacked confidential information from them, their counsel and the tribunal at the instruction of the opposing party.

A prominent example from the realm of investment arbitration is Caratube v. Kazakhstan, where a tribunal was confronted with leaked documents obtained through the hacking of Kazakhstan's government systems, that were later used by the claimant in the arbitration. Similarly, another investment arbitration tribunal in ConocoPhillips v. Venezuela was presented communication between diplomatic officials related to the arbitration that appeared on WikiLeaks.

While these red flag examples are highly exceptional, they indicate that cyberattacks in arbitration proceedings are real threats.

Consequences of cyberattacks

The consequences of cyberattacks may be severe. Businesses participating in arbitrations may face adverse commercial consequences because of data leaks. For example, the revelation of an IP dispute or disclosure of financial forecasts, business plans or technical formulas used in arbitration may negatively affect company's ongoing or prospective deals, share value, market position or reputation.

Furthermore, the disclosure of personal data of fact witnesses may sometimes affect them personally. Public disclosure of documents referring to other businesses or persons involved in a dispute may lead to adverse outcomes for them. Governments participating in arbitrations may face political pressure if investment arbitration materials become public. In the long run, even the legitimacy of international arbitration may be undermined.

Efforts to strengthen cybersecurity

The arbitration community is aware of the cybersecurity challenges. The key stakeholders are busy developing best practices to reduce cyber risks and tackle cyberattacks. Consensus is reached that shared responsibility and proactive measures are the key to ensure protection of digital data in arbitral proceedings.

Thanks to these efforts, practical and procedural guidelines have become available for all arbitration users to shield arbitration proceedings from cyberattacks.

In 2018, the International Bar Association (IBA) adopted its own Cybersecurity Guidelines focused on providing best practices for law firms to protect themselves from breaches of data security and potential liability.

Two years later, the Protocol on Cybersecurity in International Arbitration (Cybersecurity Protocol) was adopted as a joint effort of the International Council for International Arbitration (ICCA), the New York City Bar Association and the International Institute for Conflict Prevention and Resolution (CPR), setting forth the guidelines for arbitrators, administrating institutions and parties to assess data protection risks and, if necessary, to adopt reasonable information-security measures. The Cybersecurity Protocol was updated in 2022.

That same year, the IBA and the PCA adopted the Roadmap to Data Protection in International Arbitration, with the goal of identifying and effectively addressing data protection issues in arbitration, including those stored digitally.

Arbitration institutions also care about cybersecurity. They recommend or even obligate arbitrators to discuss issues of data protection and cybersecurity, and, if they find it necessary, to issue decisions to enhance data security in each particular case (e.g. LCIA, Swiss Rules). Many of them have also issued detailed protocols and guidelines for virtual hearings, including measures to secure their privacy (e.g. SIAC, VIAC).

There is also a growing tendency among the arbitral institutions to provide an additional layer of protection by introducing cloud-based platforms to secure communication and file sharing among the tribunal, parties and third-party neutrals participating in the arbitration (e.g. ICC, ICSID, SCC). In a digital landscape, the use of such platforms may become standard and an important shield against cyberattacks.

Practical tips to prevent cyberattacks

Preventive measures should be taken by businesses too, even before the arbitration proceedings begin. A party and its legal counsel should perform a preliminary risk assessment to identify confidential documents and sensitive data likely to be introduced into the arbitration.

Depending on the outcome of the risk assessment exercise, an internal protocol should be made to protect these documents. For example, a secure channel for arbitration-related communication should be created. Case materials should be exchanged through secure shared portal platforms and back-up data should be created. Appropriate firewalls and antivirus programs should be put in place. USBs should be encrypted. Access to electronic documents should be allowed only with complex passwords or multi-factor authentication. So-called "confidentiality clubs" could be created to control access to documents. A breach action plan for damage control should be agreed in advance.

Likewise, witnesses, experts, external vendors and other supporting personnel should be educated about the importance of cybersecurity. Compliance with cybersecurity measures should be expected from them too, including their obligation to destroy the documents once the arbitration is concluded.

The appeal of arbitration

The opportunity to keep disputes and their outcome private is often the main reason why businesses choose arbitration instead of going to court. If confidentiality is compromised by cyberattacks, arbitration may suffer reputational loss. Arbitral institutions, tribunals, parties, their counsel and other stakeholders should work together to keep arbitration proceedings safe from cyberattacks. The building blocks of cybersecurity architecture in arbitration are already in place. Red flags have been successfully detected – first steps towards green flags have been taken.

authors: Dragana Nikolić, Sabine Leimüller