The draft Cybersecurity Protocol for International Arbitration has been published by the International Council for Commercial Arbitration (ICCA) Working Group on Cybersecurity in International Arbitration. Accessible here, the protocol does not specify particular measures to be included in arbitration agreements or procedural orders, but instead proposes a framework for developing cybersecurity measures appropriate to each individual case. Written comments should be submitted to firstname.lastname@example.org no later than 30 September 2018.
Arbitration proceedings are not immune from attacks by cybercriminals. Consider the hacking of the Permanent Court of Arbitration’s website in July 2015. Days into a high-profile hearing concerning a long-running territorial dispute between China and the Philippines, malware was embedded on the PCA’s website. Those who visited the site were subject to data theft, potentially allowing the hackers access to a plethora of further systems. Although those were somewhat politicised proceedings, it is not hard to imagine more commercialised motives for hackers to target arbitrations.
The consequences are potentially grave – from economic loss to the parties to reputational damage to the arbitral institutions themselves. This has been recognised by the ICCA. Alongside the New York City Bar Association and the International Institute for Conflict Prevention and Resolution, it convened a Working Group on Cybersecurity in Arbitration in November 2017, which has now published its draft consultation.
The Draft Protocol itself is very clear that it does not aim to provide definitive guidance on the steps that parties should take to minimise the risk of breaches in cybersecurity – but instead proposes a mechanism for the adoption of ‘reasonable’ cybersecurity measures. In doing so, the Draft Protocol emphasises that a ‘one-size-fits-all’ approach would be inappropriate. Instead, parties to an arbitration should consider both the degree of risk that the arbitration proceedings face, and the technical resources of the parties involved, before determining the cybersecurity measures that are to be implemented. Accordingly, Schedule A – containing a proposed clause to be included in an arbitration agreement should the parties want to ensure that proceedings are conducted in line with the Protocol – refrains from offering specific cybersecurity measures, although the Working Group has stated that particular measures may be included depending on feedback. Articles 7-12 provide guidance on the factors to be considered in determining the degree of cybersecurity that would be appropriate.
Although the arbitral tribunal ultimately has the power to determine what security measures are to be implemented, the Draft Protocol suggests that the parties will have a great deal of influence in the decision. Article 13 encourages the parties to attempt to agree on reasonable cybersecurity measures in the first instance. If an agreement is reached, then the commentary to Article 4 states the tribunal is to respect this agreement ‘unless other significant countervailing factors exist that in the tribunal’s view outweigh the significant weight to be given to party autonomy’.
The significance of third parties in guaranteeing cybersecurity is also recognised by the Draft Protocol. As the commentary to Articles 15-16 notes, ‘there is little point in agreeing to stringent cybersecurity measures…. if the same information is to be sent to third parties without adequate standards’. As such, the commentary to these articles instructs counsel, where possible, to obtain the written agreement of third parties to abide by the tribunal’s cybersecurity measures. Where third parties cannot or will not comply, the tribunal is to be notified, and directions will be given when appropriate.
The Draft Protocol purposefully avoids addressing the allocation of costs arising from a data breach, or establishing standards for liability, leaving the tribunal with considerable discretion should the worst come to pass. Article 18 does, however, suggest that the cybersecurity measures adopted could address material issues relating to information security breaches, such as what constitutes a breach, who shall be notified of such a breach, and the specific steps to be adhered to should such a breach occur. As recognised by the commentary to Article 18, there may be laws that mandate a particular response irrespective of the agreed response; for example, the mandatory 72-hour notification requirement contained within the General Data Protection Regulation (GDPR).
Schedule C to the Draft Protocol is also worth highlighting; it lists a series of good general cybersecurity practices. None of these are revelatory – avoid using public Wi-Fi, consider encryption and remote tracking and wiping for mobile devices, steer clear of ‘password123’ and so on – but all are practical, easily adhered-to steps that any party to proceedings, no matter how financially constrained, can follow to enhance their cybersecurity.
Feedback on the Draft Protocol can be submitted online until (and including) 30 September 2018, by emailing email@example.com. In addition to this, the Working Group has stated that it will hold several public workshops in different countries to engage with interested parties. After any necessary revisions are made, the final version of the Protocol is due to be published at the next ICCA Congress, which takes place in Edinburgh in May 2020.
Erin Marsh would like to thank Matthew McGonagle for his assistance in the preparation of this article.