Carolina Mauro, Cemre Çise Kadıoğlu
Originally published on the CIArb London Branch website, 1 July 2021
The latest 2021 Queen Mary University of London International Arbitration Survey unveiled that only around a quarter of respondents have ‘frequently’ or ‘always’ seen cybersecurity measures put in place in their international arbitrations. The majority (57%) encountered such measures in less than half of their cases. However, as the international arbitration community is becoming increasingly aware of the risks involved and is now starting to face the consequences of cyber-breaches, one compelling question arises: is your arbitration cyber-secure?
On June 30, 2021, the Chartered Institute of Arbitrators (CIArb) London Branch held its supposedly last virtual-only event, dedicated to cybersecurity in international arbitration. The webinar was mediated by Karina Albers, FCIArb and member of the Executive Committee at CyberArb. The expert panellists, all with mixed technical background, were invited to discuss best practices and to satisfy the curiosity of the audience – with an important caveat: although it was noted that data protection laws and particularly GDPR are strictly intertwined, it was decided that the webinar would strictly focus on cybersecurity only.
International arbitration: an attractive target?
The participants to the webinar were asked whether they were aware of their arbitral proceedings being hacked in the past: a worrying 19% responded positively and 13% indicated that they were not aware.
Damian Hickman, CEO of the International Dispute Resolution Centre (IDRC), reported that the IDRC hosted over 3,000 days and over 20 million minutes of virtual hearings on Zoom, in addition to managing this year’s Vis Moot competition remotely. He stated that they are not aware of a single hack attack throughout.
Although this definitely sounded reassuring, the guard should not be lowered. Wolf von Kumberg, a Board Director of the American Arbitration Association (AAA) and international arbitrator with a long-standing expertise in cybersecurity, explained that in the past hackers were mostly engaging in political and industrial espionage, in a battle for competition among businesses and countries. Nowadays, the main driver behind cyber-attacks is money: independent hackers ‘kidnap’ sensitive data through ransomware with the intention to extort their owners or to sell them to the best offeror or industrial espionage in order to obtain intellectual property that is the subject of the arbitration. The pandemic has accelerated the digitisation process and consequently increased the vulnerability to cyber-threats, which are generally done by social engineering and social identity breaches, he noted.
International arbitration is not free from concerns. On the contrary, data processed in arbitration can be very sensitive as involving strategies, policies, trade secrets or even government secrets in case of investment arbitration, and consequences to a breach in security can be serious.
Cybersecurity: who is responsible?
The participants were asked who should be responsible for cybersecurity in arbitration. According to the 47%, the leading role should be played by the arbitral institutions, followed by the parties (28%), the tribunal (11%), the law firms (11%) and counsels (4%).
An objection was raised from the audience that the role of arbitral institutions in the proceedings is actually limited. However, the speakers argued that institutions have the capacity and the authority to create protocols and guidelines of general application, and to enhance general standards throughout the community. Moreover, where the institutions provide their own platforms, it is natural that they are also responsible for their security.
Notwithstanding the foregoing, when asked who should be given the power to impose cybersecurity measures, only 30% of participants referred to the arbitral institutions – the majority of 53% replied that such power should be given to the arbitrators/tribunal, while the 17% pointed at the parties. The panellists noted that, with regards to ad-hoc arbitrations where institutions are not at all involved, the tribunal has increased responsibility to oversee that the proceedings are running fairly and safely.
However, it should be noted that this was a tricky question: in fact, cybersecurity is a shared responsibility. As Wendy Gonzales, founder of CyberArb, noted, arbitrators, institutions, counsels, law firms, and parties, are all liable to ensure an adequate level of cybersecurity, as everyone could be the weak link – and this cannot be escaped. Von Kumberg argued that arbitrators are possibly the weakest link because they are usually sole practitioners, compared to counsels from big law firms and sophisticated parties who usually benefit from having internal IT departments.
All panellists agreed that cybersecurity issues should be brought up at an early stage of the proceedings by identifying all the relevant stakeholders involved, to conduct an early collective risk assessment involving the whole arbitration ecosystem – as Shobana Iyer, barrister at Swan Chambers, called it. As a result, a protocol should be adopted that provides a shared understanding of the risks involved, the measures to be taken, and possibly the distribution of liability. It was suggested that such protocol should also include an obligation of notice to other stakeholders in case a breach occurs. With this regard, Gonzales introduced the Template for Procedural Order on Cybersecurity for Arbitral Tribunal recently published by CyberArb.
In a nutshell, all arbitration stakeholders have the responsibility to ensure that the award is not overturned due to cyber-breaches.
Cyber-tainted evidence: what are the consequences for the arbitration?
When worrisome allegations emerged of a cyber-attack in a multibillion-dollar ICC dispute over the sale of a Brazilian pulp maker, last April, the respondents challenged the entire tribunal, arguing it was ‘irreparably compromised’. Allegedly, the claimant used malware to breach into privileged correspondence – between the respondents and their executives, internal and external counsels, experts and key witnesses, for a total of over 70,000 emails – and consequently the evidence presented to the tribunal was tainted by the hack.
When asked whether, in their opinion, the impartiality of the tribunal in the Brazilian pulp case was effectively compromised, the majority of participants (57%) could not decide and 21% responded affirmatively. When asked whether the award should consequently be set aside, the audience was equally split into 30% in favour of setting aside and 30% of upholding the decision. The remaining 40% suggested instead that the entire proceedings should start from scratch.
Regardless of the poll results, the shared notion was that parties should not be able to benefit from illegal hacking activity. Iyer recalled the earlier cyber-attacks occurred in the South China Sea case, where the Permanent Court of Arbitration (PCA) website was attacked by Chinese hackers and made temporarily inaccessible, and in the Libananco v. Turkey case, where the respondent similarly intercepted the claimant’s privileged emails. More recently, well-known chamber 4 New Square has been struck by a ransomware attack and forced to get a court order demanding the criminals not to share stolen data. Tony Gee, a ‘white hacker’ who also provides cybersecurity consultancy to private entities, explained that cyber-attacks mostly succeed thanks to what he called the ‘human factor’ and stressed the importance for law firms to undergo continuing training to increase security awareness. He noted that very few firms dealing with international arbitration cases have requested his services so far – there is definitely room for manoeuvre, as attacks are on the rise.
What can arbitration stakeholders do? The experts’ recommendations:
Cybersecurity does not have to be complicated: basic measures such as having antivirus software in place, installing a password manager, using multi-factor authentication, and connecting to a private hotspot rather than a public Wi-Fi when outside the office, are accessible to all, including sole professionals;
Personal and business devices should be kept separate, to reduce the risks of intrusions and data loss;
Computer operating systems and applications, including video conferencing platforms and instant messaging apps, should always be kept up to date: technology improves continuously, so that the latest version is also the safest;
Virtual hearings should not be recorded without sufficient security to protect the recorded files and their accessibility. Outsourcing the hosting of a virtual hearing could be a good way to delegate safety concerns to a business provider and to have a neutral moderator;
Free e-mail domains are not necessarily unsafe, yet buying a professional one enhances confidentiality and affords the arbitrator more control over where their data is hosted and how the service is secured;
Special insurance policies covering cyber-breaches for arbitration proceedings are in the picture, yet they could prove to be a double-edged sword: knowing there are deeper pockets involved, hackers could feel even more encouraged;
There are useful guidelines available already, among others: the 2018 IBA Cybersecurity Guidelines, the 2020 ICCA – NYC Bar CPR Protocol on Cybersecurity in International Arbitration, the AAA-ICDR Best Practices Guide for Maintaining Cybersecurity and Privacy, the 2020 Protocol on Online Case Management in International Arbitration, and the 2020 CCBE Guidance on the Use of Remote Working;
Last but not least, the focus on cybersecurity should not draw the attention away from ensuring physical security as well.
And in case you were among those who would have answered that they are not aware of their devices being hacked in the past, here is a way to find out, courtesy of Gee: Have I Been Pwned.com. You are welcome!
Post scriptum Pending the publication of this article, news came out that the ICC Court has refused to disqualify the entire tribunal in the Brazilian pulp case on the basis of the alleged cyber-attack. There is definitely ample scope for debate and development.