PROCEDURAL ORDER NO. _ (*) on CYBERSECURITY of [Date and year] in the Arbitral Proceedings Case no [registered number] [name of Claimant] v. [name of Respondent]
MAY 2021 – Version 1
By CyberArb (*) This open-source is intended as educational or general information only. CyberArb makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information provided.
I. On [date], the Arbitral Tribunal held a case management [remote] meeting with the Parties at which the following matters were discussed.
II. After consultation with the parties, the Arbitral Tribunal sets out below a fundamental and “non-exhaustive” cybersecurity checklist (hereinafter “the Checklist”) that shall apply to these proceedings.
III. The stakeholders in these proceedings for the purposes of the Checklist (hereinafter “the Stakeholders”) are as follows:
Permanent Stakeholders | Non-permanent Stakeholders |
1. Arbitral Institution (if applicable): [Name of Arbitral Institution & contact persons] 2. The Arbitral Tribunal: [Name of Arbitrator(s) & contact person(s)] -Arbitral secretary (if applicable) -Secretary for technology (if applicable) 3. Claimant: [Company name] -Law firm [Name of law firm] -Party representative(s) [contact person] -In-house legal department (if applicable) [contact person] -IT department (if applicable) [contact person] 4. Respondent: [Company name] -Law firm [Name of law firm] -Party representative(s) [contact person] -In-house legal department (if applicable) [contact person] -IT department (if applicable) [contact person] 5.External providers with security assessment (indicate if any of them is provided by Arbitral Institution) -Online Dispute Resolution platform (if applicable, then point “b” to “e” might be dismissed) [contact person] -Online case management platform (if applicable) [contact person] -Video/Audio Conferencing software (if applicable) [contact person] -Share site or cloud platform software (if applicable) [contact person] -Instant message platform or software (if applicable) [contact person] | 6. Witness and experts (if applicable) [contact person] 7. Translator(s) (if applicable) [contact person] |
IV. The Stakeholders shall use their best efforts to understand and comply with the Checklist in order to safeguard the security information of the proceedings as well as its confidentiality, integrity and availability.
V. The Checklist is subject to modification or alteration to reflect the technological and cybersecurity threat evolution, along with the kind of information brought to the proceedings and the security events that may occur during the proceedings. Modification may be made by the Arbitral Tribunal, after consultation with the parties. In doing so, and after consultation with the parties, the Arbitral Tribunal may obtain expert technical advice.
VI. The following Checklist has been reviewed as at [date and year].
- (If applicable) Constantly review the applicable cybersecurity protocols accepted by the parties and the Arbitral Tribunal.
- The information which is physically or virtually shared by the Stakeholders during the proceeding should be under the “need-to-know” basis, especially for non-permanent stakeholders.
- Periodically produce back-up copies of the related Arbitration information which should be (digitally) stored in different locations from the one of the main source. Consider encrypted archiving if deletion is not possible once proceedings are finished.
- Classified, confidential and sensitive information that a stakeholder shares by virtual means or stores on personal or portable devices should be encrypted, password-protected or using a Secure File Transfer Protocol (SFTP). Passwords should be transmitted to other Stakeholders by different means than the one used for sensitive information itself.
- Stakeholders shall not use public internet networks (WiFi) for the transmission, storage or review of any Information unless they use a secure Virtual Private Network (VPN), a work-related 4G or 5G mobile data system or a personal hotspot.
- E-mail accounts and external providers profiles shall be protected by secure and memorized passwords and multi-factor authentication processes.
- Pending the proceedings, instant messaging tools used to share arbitration-related information shall have “end-to-end” encryption. However, regard shall be given to the business model of the service providers and it shall be avoided if not suitable for arbitration proceedings.
- Use privacy screens for laptops and mobile devices where in a public area (e.g. in airplanes or public transport).
- Cover and turn off any camera on devices when not in use.
- Constantly updating the operating system of devices such as smartphones and laptops.
- Constantly updating the antivirus software.
- Review regularly the applications (Apps) downloaded onto devices, especially smartphones, and delete those Apps that have not been used recently, for instance, in the past 14 days.
- Set an automatic lock for a device’s screen after five minutes of inactivity. If away from the screen, lock the device manually.
- Turn off any “virtual assistant” and Bluetooth connected to any technological device in the same working space.
VII. A Stakeholder who is reasonably aware that further security measures are necessary to secure the confidentiality, integrity and availability of the related information or reduce any cyber-related risk. It shall immediately inform other Stakeholders and the Arbitral Tribunal of that fact. Accordingly, the Arbitral Tribunal will proceed as stipulated in this Procedural Order.
Signed in [City, Country], the seat of arbitration, this [date] day of [month] [year].
[Names and signatures from Arbitral Tribunal]