The Cybersecurity Protocol of International Arbitration is the end product of a two year collaboration by a working group on cybersecurity comprising of the representatives of the International Council of Commercial Arbitration (ICCA), the New York City Bar Association (City Bar), and the International Institute for Conflict Prevention & Resolution (CPR).
The purpose of the Protocol is:
- To provide a framework to determine reasonable information security measures for individual arbitration matters, and
- To increase awareness about information security in international arbitration, including:
- Information security risks in the arbitral process;
- The importance of security in maintaining user confidence;
- The role of individuals in effective risk mitigation, and
- Information to improve everyday security practices.
The scope of the Protocol is:
- Specifically intended for international commercial arbitration (but may be a useful reference for domestic arbitration);
- Mitigation of information security risks, and
- Information security and data protection are greatly regulated by data protection law.
- Adherence to the Protocol may facilitate compliance with data protection legal regimes, such as the European Union General data Protection Regulation (however this is not a main objective of the Protocol).
The Protocol reviews the importance of cybersecurity in arbitration, which has become a principally digital process. There are inherent risks in international arbitration, partly due to the cross-border and multi-jurisdictional nature of the disputes, which often involve extensive traveling and the use of multiple networks and legal teams.
The Protocol is organised into Principles, Commentary, and Schedules. The Principles provide guidance on how to adhere to a high standard of information security during an international arbitration. The Schedules then offer more detailed guidance.
Principles 1 to 4 address the scope and applicability of the Protocol. In particular, they address the role of the arbitral tribunal, the parties, and other administering institutions in ensuring effective information security. Principle 5 establishes the standard of reasonableness. Principles 6 to 8 take into account practical considerations regarding how reasonable action towards better information security can be taken. The recommendations include identifying and classifying all information and controlling access to it. Weight should be given to communication security. Secure means of communicating include exercising caution with attachments and links, using secure share-file services, and avoiding the use of public networks. The Protocol recognises that the necessary security measures vary depending on the type of arbitration. Specifically, consideration should be given to how transmissions of arbitral data during an ongoing arbitration will be made. Principles 9 to 13 further outline the procedural steps to be taken in an individual arbitration and the importance of party autonomy in determining those steps. However, it also recognises the authority of the arbitral tribunal to modify security measures that have been insufficiently agreed upon by the parties. Furthermore, in light of Principle 13, the tribunal may (in the event of a breach) impose sanctions on those parties. Lastly, Principle 14 clarifies that the Protocol does not establish any liability or any liability standard.
Cybersecurity is crucial in arbitration as the credibility and integrity of the dispute resolution process depends on it. The Working Group has deliberately adopted an ‘editing approach’. Consequently, the Protocol will evolve over time in response to ongoing feedback.