Cybersecurity: international arbitration proceedings
International arbitration procedures represent a prominent means of dispute resolution at the global level. As an alternative to traditional courts, they offer flexibility, neutrality and confidentiality. In an environment where the parties involved may belong to different jurisdictions, arbitration provides an impartial and efficient framework for resolving commercial and legal disputes. Arbitration proceedings are governed by agreements between the parties and are conducted under specific rules. The choice of subject matter experts as arbitrators and the applicability of international treaties add to the complexity of this process.
Although these procedures have always been immersed in the need to safeguard the confidentiality of the information associated with the process, the digital context imposes the continuous adaptation of protection to the changing scenario of threats which, as we shall see, may originate from actors not usually associated with cybercrime.
The protection of information has thus acquired an unavoidable relevance, posing specific challenges that require innovative solutions. In this article, we explore the crucial relationship between information security and arbitration proceedings, unravelling the key challenges that emerge, outlining essential strategies for preserving sensitive information, and examining how constant technological advancement reshapes the very notion of security in the context of arbitration.
Arbitration provides an impartial framework for resolving commercial and legal disputes
Why is cybersecurity important in international arbitration proceedings?
The interest of third parties, stakeholders or participants, in accessing information related to an arbitration process makes the assets that manage, store or communicate such information a clear target for cybercriminals:
- As a neutral forum for the resolution of commercial and investment disputes, international arbitration often involves parties that are themselves prominent targets of attack: multinational groups, governments or state entities, public figures and NGOs.
- Although the level and extent of confidentiality varies, arbitration offers the possibility of resolving disputes behind closed doors. Disputes subject to this process generally require documentary or expert evidence that is not in the public domain and that may have the potential to influence, for example, political decisions, financial markets, or commercial relations.
- International arbitration involves actors from different jurisdictions operating in a variety of settings. These are usually large, cross-border teams of lawyers, counsel, arbitrators, highly mobile professionals working in environments that can facilitate a successful attack.
Who Are the Actors Involved in Cybersecurity in International Arbitrations?
Information used in international arbitration proceedings can be of great interest to various entities and actors due to its confidential and potentially influential nature.
- Activists, individuals or groups motivated by a social or political cause. Depending on the motive or subject of the arbitration process, they may pursue economic, social, political or environmental reforms, and seek to obtain information that they can use to achieve their goals.
- States or state actors, in search of information that will allow them to advance their own political agenda or achieve a privileged position vis-à-vis other countries or regions.
- Cyber criminals, who typically carry out cyber attacks for financial gain, either by holding information for ransom or by stealing it to sell it to interested third parties. Obtaining a draft version of an arbitration award before its disclosure to the parties themselves could be very lucrative for cybercriminals.
- Finally, the opponents themselves in international arbitration proceedings. It is possible that commercial or individual parties to an arbitration may attempt to illegally obtain information against their opponents in order to gain an advantage in the dispute resolution process.
The assets that manage this information are a clear target for cybercriminals
The impact of cybersecurity in international arbitration proceedings
All security incidents have a significant impact on an organisation, regardless of their magnitude. These events compromise the integrity, privacy and confidentiality of information. Even seemingly minor incidents can have a domino effect leading to major consequences. In the field of international arbitration, the impact of a security incident is no less significant:
- Economic losses: Arbitration proceedings often involve highly sensitive information and relevant economic amounts. For the parties involved, almost always companies of international scope and dimension, the impact of a security incident can cause serious economic damage, frustrate business strategies or influence their share price in the financial markets.
- Reputational impact: When a security incident leaks sensitive information the reputational damage for arbitrators, advisors and institutions is inevitable. In the case of law firms, even if they quickly and diligently resolve the situation, the damage will affect future business expectations as the incident will be linked to the organisation's history. Overall, confidence in the arbitration system itself may be questioned if incidents occur recurrently in different proceedings and involve multiple actors.
- Legal liability: The transnational nature of the proceedings means that the parties are bound by a wide range of legislation. The impact of an incident can result in non-compliance with laws and regulatory frameworks such as the General Data Protection Regulation (GDPR), which often have a penalty regime associated with them.
- Breach of contract: Parties involved in arbitration proceedings are usually subject to contractual obligations for the protection of sensitive and confidential information to which they gain access because of the arbitration process. In the case of legal agents, moreover, professional ethics itself demands confidentiality in all matters relating to the process and to their client, being, in some countries such as the USA, not only an ethical obligation but implicitly a contractual one.
In July 2015, the Permanent Court of Arbitration in The Hague (PCA) was conducting a case between China and the Philippines. An attack, attributed to China, on the CPA's website meant that any user visiting the site could potentially be infected by malware that would allow China to access all the information on their computer. By infecting the computers of journalists, diplomats, lawyers and other involved or interested parties, China was able to get the names of people following the process and anticipate their position before the Court.
The answer
The different institutions involved in arbitration processes have worked on the development of frameworks, protocols, instructions and recommendations aimed at ensuring the security of information related to these processes. The most relevant of these initiatives is the so-called "2020 Protocol" developed by ICCA-NYC, which defines a framework for participants to achieve and maintain a reasonable level of cybersecurity during dispute processes.
However, while the protocol is useful in emphasising awareness and the need for a cyber security strategy in the parties, it is still far from perfect:
- It requires courts to define the cybersecurity measures to be applied in each individual case and to each of the parties, which is obviously beyond the court's capacity and expertise.
- Their application can be inconsistent from case to case, making it difficult to apply cybersecurity measures between parties who are often involved in several arbitration proceedings simultaneously.
- Finally, while some inconsistency is inevitable, a wide disparity in the requirements of cybersecurity measures to the parties by different tribunals, or even in each proceeding in the same tribunal, may negatively affect the reliability, effectiveness and predictability of the arbitration regime and, in the long run, its credibility.
The most interesting initiative is "Protocol 2020", but it is far from perfect
Last but not least
Cybersecurity, or lack thereof, in the parties involved in international arbitration can affect the legitimacy of the proceedings and erode confidence in the institutions and the dispute resolution system itself. For the parties, a cybersecurity incident can result in the dissemination of sensitive information, breach of customer confidence, negative media references and regulatory non-compliance.
Any firm in the legal sector, law firm, legal boutique, advisory and consulting services entities, arbitrators and counsel must have a strategic approach to identify, assess and mitigate risks related to information management, implement it effectively and efficiently, and back it up with certifications such as ISO 27001 for information security management systems.
ISO 27001 certification is a globally recognised standard that demonstrates an organisation's implementation of security best practices, provides its customers with the necessary confidence and strengthens the organisation's reputation and competitiveness in the marketplace.
ISO27001 certification ensures information securit
To achieve this, of course, it is essential to have a supplier who is committed to the model, who takes the lead in guiding and supporting the organisation at every step towards defining, implementing and certifying an appropriate strategy, and who has a team of industry experts who work closely with the client to understand their specific needs and design a strategy adapted to their environment. At Izertis we offer cybersecurity solutions for our clients, continuously monitoring infrastructures to detect potential threats and risks in advance.