Cybersecurity in Arbitration

Author: K. Harisaiprasad CISA, APP, Associate Consultant, Mahindra SSG, India
Date Published: 29 December 2021

Arbitration is a process for resolving a dispute between two or more parties through one or more arbitrators, who issue a legally binding decision outside of court. The proceedings and awards remain confidential.

Through the COVID-19 pandemic, conducting business remotely has become the norm. Due to insufficient cyber hygiene practices, information is often compromised in cyberattacks. Security measures should be implemented to prevent leakage of information through the web, personal devices, storage media, etc. The data can include sensitive personal information such as medical records, work-related emails, contracts, government-issued personal identification numbers, bank details, etc., and such information needs additional protection under various countries’ data protection regulations. Parties, arbitrators and administering institutions have to ensure that the confidentiality of client information is maintained.

Most law firms and legal practitioners have implemented cybersecurity policies to reduce the chances of cyberattacks. The recently reported cyberattacks on law firms such as Mossack Fonseca, Cravath Swaine & Moore, and Weil Gotshal & Manges have put the issue of law firm cybersecurity in the limelight. In 2019, the International Council for Commercial Arbitration (ICCA), the New York City Bar Association (NYC Bar) and the International Institute for Conflict Prevention and Resolution (CPR) published the Protocol on Cybersecurity in International Arbitration, referred to as the “2020 protocol.” This article not only discusses cybersecurity measures but also intends to increase awareness of cybersecurity in both domestic and international arbitrations.

The 2020 protocol is organized into 14 principles, commentaries and schedules. Each principle is supported by high-level guidance that is accompanied by explanatory commentary. Principles 1-4 define the scope and applicability of the protocol, Principle 5 sets out the standard of reasonableness, Principles 6-8 establish reasonable security measures, Principles 9-13 address the procedural steps for handling information security issues in an arbitration, and Principle 14 clarifies the liability standard of the protocol. Detailed guidance based on these principles is given in the schedules: Baseline Security Measures (Schedule A), Arbitral Information Security Risk Factors (Schedule B), Sample Information Security Measures for Arbitrations (Schedule C), Sample Language (Schedule D), Standards and Resources (Schedule E) and Glossary (Schedule F).

Scope and applicability
The scope covers preventing loss of confidentiality (unauthorized access), integrity (unauthorized change) and availability (information being accessible whenever it is needed). It applies to any information related to arbitration proceedings. The baseline security measures established in Schedule A need to be implemented.

Before sharing arbitration-related information, arbitrators, parties and administering institutions need to ensure that information security measures are implemented as required by applicable legal, contractual, regulatory and related requirements. All supporting personnel, including employees, lawyers, legal assistants, law clerks, trainees, administrative or other support staff, case management personnel, tribunal secretaries, etc., as well as third parties, are to be given information security awareness training so that they apply information security measures while handling arbitration information. If there is a conflict between legal regulations and information security measures, the former prevails.

Applying the standard
The protocol recommends performing a risk analysis to determine the risk profile of the arbitration. The risk analysis determines the risk level from the consequences of a breach, the vulnerabilities, the threats and the probability that a threat occurs. Comparing the result with the acceptable risk level classifies each risk as high or low, and controls are implemented in high-risk cases to avoid information security breaches. The baseline security measures are listed in Schedule A, which gives eight categories; they are explained below in the context of the arbitration process:

  1. Knowledge and education: Keep abreast of security threats and solutions by subscribing to email alerts or newsletters and undertaking awareness training. Applicable standards and government regulations should be considered; Schedule E lists relevant standards and resources.
  2. Asset management: This involves identifying, classifying and controlling assets as appropriate for arbitration.
  3. Access controls: Access to arbitration information that includes systems, devices, applications, or services should be limited to authorized users on a need-to-know basis. Users should be given a unique user ID and password with multifactor authentication.
  4. Encryption: Encryption is used to protect the confidentiality, integrity and availability of arbitration information. There are various types of encryption mechanisms, such as AES, DES and RSA (of these, DES is considered obsolete and is no longer recommended for new deployments).
  5. Communication security: Communication security covers protecting arbitration information while it is transferred through emails, networks, memory cards, etc. Examples include using secured shared services, secured networks and encrypted channels, and requiring a password to join video conferences.
  6. Physical and environmental security: Physical access to arbitration information should be controlled to prevent unauthorized access.
  7. Operational security: Operational security prevents integrity issues (unauthorized changes) in the facilities that process arbitration information. Examples include vulnerability monitoring, system auditing, routine backups, etc.
  8. Information security incident management: Information security breaches are termed incidents. Responding to incidents and notifying the relevant authorities of breaches are part of incident management.

The types of security measures to be considered may differ depending on the parties, tribunals and institutions involved.

Guidelines for establishing reasonable security measures
Three-step guidance on how to establish reasonable security measures is provided in Schedule B. The first step covers the risk factors that determine which information security measures are reasonable in a particular arbitration matter. The second step identifies the categories of information security measures that should be considered in each matter, and the final step highlights the aspects of the arbitration process to which information security measures may be applied. Reasonableness provides the flexibility to accommodate changes in technologies and best practices. Arbitrators, parties and institutions should agree on the reasonable security measures during the initial procedural conference. Schedule D provides sample language that may be used to raise information security issues for consideration at the procedural conference, and sample language that arbitration tribunals can use in procedural orders. When the parties cannot agree, arbitration tribunals and, if necessary, administering institutions can be consulted to finalize the information security agreement between the parties. Parties can elect arbitrators who have knowledge of information security issues.

The information security agreement can be modified during the course of the arbitration depending on the circumstances. Such modification should be done in consultation with all parties and the administering institution. In the event of an information security breach, the arbitration tribunal is empowered to direct the parties to cover the costs or to order sanctions, per applicable laws.

Liability standard
The 2020 protocol is intended to provide a framework for securing arbitration information, and it can be overridden where necessary to comply with legal obligations. The protocol does not create any legal liability.