On 5 February 2019, we released the results of our annual International Arbitration survey. This year’s survey focuses on the issue of cybersecurity in international arbitration.
In recent years there has been a dramatic increase in cyber-attacks on corporates, governments and international organisations. Arbitration proceedings are not immune from the threat of attack as the attack on the website of the Permanent Court of Arbitration during the China-Philippines maritime boundary dispute clearly demonstrated. In a world increasingly dominated by technology, cybersecurity has become a hot topic. The most recent manifestation of that being the publication of a draft Cybersecurity Protocol for International Arbitration by the International Council for Commercial Arbitration, the International Institute for Conflict Prevention and Resolution and the New York City Bar.
We wanted to find out whether participants in international arbitration regard cybersecurity as an important issue, what sorts of measures they think should be put in place to protect data against unauthorised access, and who should take the lead in formulating a cybersecurity strategy.
We asked arbitrators, corporate counsel, external lawyers, users of arbitration and those working at arbitral institutions for their views on these and other related issues. The geographical regions covered by our 105 respondents included Central and South America, North Africa, Western Europe, East and South East Asia, Australasia, the Middle East, Latin America, Eastern Europe (including Russia and CIS), West and East Africa and North America.
The results of the survey confirm that the importance of cybersecurity is widely recognised. 90% of respondents said that it was an important issue in international arbitration, with 11% of respondents indicating that they had had experience of a breach in cybersecurity (i.e. someone was able to obtain unauthorised access to electronic documents or other information).
There was a large measure of consensus about the desirability of considering cybersecurity measures at an early stage of the proceedings but opinion was divided over who should take the lead on initiating discussions on cybersecurity issues. 48% thought the parties should take the lead, 31% thought the supervising arbitral institution (if any) should take the lead, and 21% thought it should be the tribunal. Among respondents who sat as arbitrators, nearly half (48%) thought that the parties should take the lead in initiating discussion.
One question that has been the subject of much discussion is whether the need for cybersecurity measures is a procedural matter, best handled by the tribunal after hearing submissions from the parties, or an administrative matter, best handled by the supervising arbitral institution, assuming there is one. Again, opinion on this was divided. Just over half of respondents (52%) thought it was a procedural matter for the tribunal, 41% thought it was an administrative matter and 7% were undecided.
It is generally accepted that there is no “one size fits all” approach to cybersecurity in arbitration. There are a range of security measures that can be adopted and a common recommendation is that parties start with a risk assessment in order to determine what sorts of measures are required to address or mitigate the risks that exist. We asked respondents what factors they thought should be taken into account when deciding what measures should be put in place to protect data security.
The two factors regarded by the largest number of respondents as being relevant to a cybersecurity strategy were the level of sensitivity/commercial value of the documents to be used in an arbitration (94%) and the consequences for the parties if someone were to gain unauthorised access to the documents/information (78%). Other factors included the costs of implementing the proposed measures (70%) and the extent to which the proposed security measures may hinder the ability of a party to present its case (61%).
We also asked respondents for their opinion on tribunal powers to impose and to enforce cybersecurity measures. 52% of respondents felt that a tribunal should have the power to impose measures in cases where the parties were unable to agree them. 71% of respondents thought that a tribunal should have the power to impose sanctions on a party that breaches data security measures that have been agreed or ordered by the tribunal.
We were particularly interested in exploring the correlation between security measures that parties have seen adopted or imposed in practice and those measures that parties think it would be desirable to adopt. In nearly all cases the percentage of respondents who felt that a particular measure to be desirable was significantly higher than the percentage of respondents who had seen the same measure in practice.
83% of respondents thought it desirable for electronic documents to be transferred by means of a secure shared portal, as opposed to 53% who had seen the measure adopted in practice. 50% of respondents thought participants in an arbitration should have in place appropriate firewalls and antispyware and/or antivirus software, as opposed to 12% who had seen the measure implemented in practice.
One point on which the majority of respondents were agreed is that active engagement by all participants to an arbitration would be necessary in order for a cybersecurity strategy to be effective. There was, however, a recognition that obtaining agreement from all participants to observe cyber security measures would not be straightforward. 96% of respondents thought that the parties would need to actively engage with the process and 94% thought that the arbitrators would need to actively engage with the process. However, only 56% of respondents thought that obtaining the agreement of the parties or the arbitrators to observe security measures would be very or relatively easy.
It was clear that respondents felt that arbitral institutions could have an important role to play in dealing with issues of cybersecurity. 68% of respondents said that they would be more likely to use the arbitration rules of an institution that was able to provide advice or assistance on appropriate data security measures. 70% of respondents felt that support from within an institution’s secretariat would be useful to improve cybersecurity.
Carol Mulcahy, the partner responsible for the survey, commented: “The results of this year’s survey confirm that cybersecurity is an important issue in international arbitration. Data security will only ever be as strong as the weakest link in the chain, so everyone in the arbitration community has an important part to play if we are to protect the future of international arbitration in a world that is increasingly dominated by technology.”