Wendy Gonzales and Carolina Mauro
Originally published on Arbitrate.com in January 2021
The conversation about cybersecurity in international arbitration has been going on for quite a while now, perhaps mostly in parallel with the discussion on personal data protection. In recent years, the focus has shifted from raising general awareness of potential security threats to realising that a proactive approach to cybersecurity is required jointly by all stakeholders at all times, aiming to avoid intrusion and protect the confidentiality, integrity, and availability of information handled in the international arbitration context. It is now widely acknowledged that information security is no longer an issue for IT professionals only to deal with. The current COVID-19 crisis, which amplified the already increased digitisation of the markets and the evolving cybersecurity threat landscape, has made such a proposition even more urgent. In order to answer the compelling questions raised by the matter, a significant number of protocols and guidelines have been published, such as the 2018 Cybersecurity Guidelines by the IBA’s Presidential Task Force on Cybersecurity, or the 2020 ICCA – NYC Bar – CPR Cybersecurity Protocol for International Arbitration.
Against this background, a new instrument arguably has the potential to impact international arbitration: the Proposal for a new Directive on measures for a high common level of cybersecurity across the European Union (the “Cybersecurity Directive” or the “Proposal”), published by the EU Commission on December 16, 2020. The Proposal is part of the new EU Cybersecurity Strategy, which includes another newly proposed Directive on the resilience of critical entities and aims to increase the levels of cybersecurity across the internal market. The ultimate purpose is to make the EU fit for the digital age and build a future-ready economy that works for its people.
The Proposal builds on and repeals the previous Directive (EU) 2016/1148 on the security of network and information systems (the “NIS Directive”) and aims to modernise the existing legal framework, while addressing the identified shortcomings of the previous regulation. It provides a basic framework identifying the key actors responsible for the coordinated management of cybersecurity issues and for vulnerability disclosure. In order to achieve its purposes, the Proposal imposes on certain entities new ‘cyber obligations’ in terms of security risk management (Article 18) and relevant information reporting/sharing (Articles 20, 26, and 27). These new obligations, where applied within the international arbitration context, could significantly impact the conduct of the arbitral proceedings.
Concerned entities: ‘essential’ and ‘important’
In an attempt to expand the scope of application to a larger part of the economy, while eliminating the wide divergences among Member States existing under the previous NIS Directive, the Proposal identifies new sectors and services based on their importance for key societal and economic activities within the internal market, using uniform criteria.
Firstly, it enacts a size-cap rule whereby all medium and large enterprises (as defined by Commission Recommendation 2003/361/EC) fall within its scope.
Secondly, it adopts an additional qualitative requirement that applies to entities that are considered ‘essential’ as per Annex I (those operating in energy, transport, banking and finance, health, drinking and waste water, digital infrastructures, public administration, and space) and those identified as ‘important’ as per Annex II (postal services, waste management, chemicals, food, manufacturing, and digital providers). This qualitative categorisation takes into consideration the level of criticality of the sector or type of service, as well as the level of dependency of other sectors or types of services.
It is noted that, while both ‘essential’ and ‘important’ entities are subject to the same cybersecurity risk management and information reporting/sharing obligations, the supervisory and penalty regimes between them are differentiated to ensure a fair balance between obligations and administrative burdens (see Articles 29 and 30 respectively).
In light of the above, the Proposal seemingly has the potential to have an impact on international arbitration, depending on the way it will be implemented by the Member States.
First of all, it could be argued that Online Dispute Resolution (ODR) platforms might fall within the category of ‘digital infrastructure’ as per Annex I, no. 8, and could thus be identified as ‘essential’ entities – perhaps as cloud computing service providers (i.e. “a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable and distributed computing resources”, in the words of Article 4(19) of the Proposal).
Similarly, other international arbitration stakeholders could possibly fall within the scope of the proposed Directive, although not expressly mentioned in its Annexes. In fact, the Proposal contains a safeguard clause that allows Member States to override the size-cap rule and establish lists – to be submitted to the EU Commission – of small or micro entities that nonetheless play a key role for their national economies or societies and are therefore deemed to be ‘essential’ or ‘important’ (see Recital 9 and Article 2(2)). This could be the case of an independent arbitrator, or an arbitral institution, dealing with privileged and confidential information obtained by commercial companies and/or States in the context of an arbitration proceeding.
Cybersecurity risk management obligations: security by design, by default
Where the proposed Directive was deemed to be applicable to international arbitration stakeholders, firstly, they would have to perform their cybersecurity risk management obligations and take appropriate and proportionate technical and organisational measures to tackle cybersecurity threats.
In particular, Article 18 provides a list of minimum cybersecurity measures that the concerned entities should take. These include risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; and the use of cryptography and encryption. Member States are then required to ensure that concerned entities comply with their duty.
The Proposal seemingly takes a “security by design, by default” approach (meaning that the data protection measures shall be built into the system right from the design stage through the entire lifecycle and should run automatically, without any intervention from the users), so that concerned entities should take cybersecurity issues into consideration at all stages of the arbitral proceedings – in parallel with the approach adopted by the GDPR with regard to personal data protection.
The new Article 30A of the 2020 LCIA Arbitration Rules is a good example of such an approach, as it provides that “[a]t an early stage of the arbitration the Arbitral Tribunal shall, in consultation with the parties and where appropriate the LCIA, consider whether it is appropriate to adopt: (i) any specific information security measures to protect the physical and electronic information shared in the arbitration; and (ii) any means to address the processing of personal data produced or exchanged in the arbitration in light of applicable data protection or equivalent legislation”. A corresponding rule is to be found in Article 30A of the 2021 DIFC-LCIA Arbitration Rules.
Similarly, in its Note to Parties and Arbitral Tribunals on the Conduct of the Arbitration published on January 1, 2021, the ICC recommends that the arbitral tribunals, the parties, and their representatives “shall put in place and ensure that all those acting on their behalf put in place appropriate technical and organisational measures to ensure a reasonable level of security appropriate to the arbitration” (para 121).
The measures listed in Article 18 of the Proposal could offer a guide as to what ‘specific information security measures’ and ‘appropriate technical and organisational measures’ concretely consist of.
Relevant information reporting/sharing obligations: confidentiality issues
Under the Proposal, where applicable, international arbitration stakeholders would also be bound by relevant information reporting/sharing obligations, and this might give rise to concerns about one of the cornerstones of arbitration: confidentiality.
Article 20 of the Proposal requires the Member States to ensure that the concerned entities report, without undue delay, any incident or threat that has, or could have, a significant impact on the provision of their services. In the event of an actual incident, the entity should also notify the affected recipients of its services where appropriate.
Moreover, Article 26 encourages the concerned entities to exchange relevant cybersecurity information with the purpose of preventing, detecting, responding to, or mitigating incidents and enhancing the general level of cybersecurity through raising awareness of the threats.
Finally, it should be noted that Article 27 requires the Member States to make it possible even for entities falling outside the scope of the Proposal to voluntarily notify significant cybersecurity incidents and threats to the competent authorities. This means that, even where the Proposal was not applicable to international arbitration stakeholders after all, they would still be strongly encouraged to share relevant information.
In performing their information reporting/sharing obligations, concerned entities may exchange even confidential information (Article 2(5)). However, principles of relevance and proportionality apply to the exchange of confidential information, which shall be limited to the purpose of preventing, responding to, or mitigating an incident, or enhancing the common level of security. The above-mentioned Article 26 expressly provides that the exchange of information among concerned entities is without prejudice to the application of the GDPR, and Article 2(5) states that the exchange shall preserve the confidentiality of the information, to protect the security and commercial interests of the entities involved.
The Proposal will next be subject to negotiations among the co-legislators, particularly the European Parliament and the Council. Once they have agreed upon a final text, which will subsequently be adopted, Member States have an 18-month term to implement the new Directive into their respective national legislative systems. Given the importance and urgency attached to the matter, the EU Commission would expect to implement its new Cybersecurity Strategy within the coming months.