This year, BCLP’s annual arbitration survey focuses on the issue of cybersecurity in international arbitration.
In recent years there has been a dramatic increase in cyber attacks on corporations, governments and international organisations. Arbitration proceedings are not immune from the threat of attack as the attack on the website of the Permanent Court of Arbitration during the China-Philippines maritime boundary dispute clearly demonstrated. In a world increasingly dominated by technology, cybersecurity has become a hot topic. The most recent manifestation of this being the publication of a draft Cybersecurity Protocol for International Arbitration by the International Council for Commercial Arbitration, the International Institute for Conflict Prevention and Resolution and the New York City Bar.
We wanted to find out whether participants in international arbitration regard cybersecurity as an important issue, what sorts of measures they think should be put in place to protect data against unauthorised access, and who should take the lead in formulating a cybersecurity strategy.
We asked arbitrators, corporate counsel, external lawyers, users of arbitration and those working at arbitral institutions for their views on these and other related issues. The geographical regions covered by our 105 respondents included Central and South America, North Africa, Western Europe, East and South East Asia, Australasia, the Middle East, Latin America, Eastern Europe (including Russia and the Commonwealth of Independent States (CIS)), West and East Africa and North America.
The survey report
The key findings of the survey are summarised below and the full survey report can be downloaded here.
Cybersecurity is an important issue
The results of this year’s survey confirm that the importance of cybersecurity in international arbitration is widely recognised. 90% of respondents said that it was an important issue, with 11% of respondents indicating that they had had experience of a breach in cybersecurity (that is, someone was able to obtain unauthorised access to electronic documents or other information).
Who should take the lead?
There was a large measure of consensus about the desirability of considering cybersecurity measures at an early stage of the proceedings, but opinion was divided over who should take the lead on initiating discussions. 48% thought the parties should take the lead, 31% thought the supervising arbitral institution (if any) should take the lead, and 21% thought it should be the tribunal. Among respondents who sat as arbitrators, nearly half (48%) thought that the parties should take the lead in initiating discussion.
Is cybersecurity a procedural or administrative matter?
One question that has been the subject of much discussion is whether the need for cybersecurity measures is a procedural matter, best handled by the tribunal after hearing submissions from the parties, or an administrative matter, best handled by the supervising arbitral institution, assuming there is one. Just over half of respondents (52%) thought it was a procedural matter for the tribunal, 41% thought it was an administrative matter and 7% were undecided.
What factors should be taken into account when deciding on cybersecurity measures?
The two factors regarded by the largest number of respondents as being relevant to a cybersecurity strategy were the level of sensitivity/commercial value of the documents/information to be used in an arbitration (94%) and the consequences for the parties if someone were to gain unauthorised access to the documents/information (78%). Other factors included the costs of implementing the proposed measures (70%) and the extent to which the proposed security measures may hinder the ability of a party to present its case (61%).
Should tribunals have the power to impose and enforce cybersecurity measures?
52% of respondents felt that a tribunal should have the power to impose measures in cases where the parties were unable to agree them. 71% of respondents thought that a tribunal should have the power to impose sanctions on a party that breaches data security measures that have been agreed or ordered by the tribunal.
What is the correlation between measures that parties think would be desirable and measures that are adopted in practice?
In nearly all cases the percentage of respondents who felt a particular measure to be desirable was significantly higher than the percentage of respondents who had seen the same measure used in practice.
83% of respondents thought it desirable for electronic documents to be transferred by means of a secure shared portal, as opposed to 53% who had seen the measure adopted in practice. 50% of respondents thought participants in an arbitration should have in place appropriate firewalls and anti-spyware or anti-virus software, as opposed to 12% who had seen the measure implemented in practice.
Who should engage in the process?
The majority of respondents agreed that active engagement by all participants to an arbitration would be necessary in order for a cybersecurity strategy to be effective. There was, however, a recognition that obtaining agreement from all participants to observe cybersecurity measures would not be straightforward. 96% of respondents thought that the parties would need actively to engage with the process and 94% thought that the arbitrators would need actively to engage with the process. However, only 56% of respondents thought that obtaining the agreement of the parties or the arbitrators to observe security measures would be very or relatively easy.
Do arbitral institutions have a role to play?
It was clear that respondents felt that arbitral institutions could have an important role to play in dealing with issues of cybersecurity. 68% of respondents said that they would be more likely to use the arbitration rules of an institution that was able to provide advice or assistance on appropriate data security measures. 70% of respondents felt that support from within an institution’s secretariat would be useful to improve cybersecurity.
Cybersecurity is very much a hot topic in arbitration, but there is still a debate to be had over what sorts of measures should be put in place to protect data against unauthorised access and who should take the lead in formulating a cybersecurity strategy. We believe that the results of our survey make a valuable contribution to the ongoing debate on this topic.