Cybercrime is a global phenomenon that has affected every sphere of life, including arbitration. It is no news that the Covid-19 pandemic, despite its negative impact, ushered in a new way of doing things globally. Many arbitral references were, and still are, being held virtually, and in general the online presence of people, activities, and things increased astronomically. According to Jurgen Stock, the Secretary-General of Interpol, "Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the social and economic situation created by COVID-19." [1]
The legal sector is particularly vulnerable, as it thrives on its attempts and ability to ensure law and order in society. It is exposed to cybercrime and diverse forms of cyber-attack because of the sensitive information it holds, and the financial and social implications that could follow if that information were compromised.
International arbitration operates on the underlying principles of confidentiality, procedural flexibility, the involvement of diverse arbitral players around the globe, and data which is, by any rational measure, considered sensitive. In 2015, the Permanent Court of Arbitration (PCA) was hacked [2] during the pendency of an arbitration between China and the Philippines over a maritime border dispute. Equally, in 2021 the legal sector proved not to be totally immune to these kinds of occurrences, as evidenced by the Panama Papers Leak, which involved the compromise of encrypted attorney-client documents in the possession of a Panama-based law firm.
In conjunction with the New York City Bar Association, the International Council for Commercial Arbitration and the International Institute for Conflict Prevention and Resolution (CPR) have worked to launch a Working Group on Cybersecurity in Arbitration. A set of guidelines has been prepared by this group to provide practical guidance for arbitrators, counsel, and arbitral institutions alike. [3]
There are multiple points of convergence between cybersecurity and data protection, as both concepts treat the receipt, usage, processing, transmission, and preservation of data as core to attorney-client privilege. The Covid-19 pandemic opened the eyes of the legal sector to the pertinent nature of these issues. The pandemic did not prevent arbitration hearings from going on. In fact, the year 2020 saw a tangible increase in the number of arbitration hearings around the world. The number of arbitration hearings conducted in the International Chamber of Commerce was 946. [4] The London Court of Arbitration equally saw an increase, as the number of arbitration hearings was 440. [5] In most jurisdictions, the number of arbitration hearings that occurred in the year 2020 was higher than in previous years.
A core reason cybersecurity should be taken seriously in relation to arbitration hearings is that more proceedings involving high-value and business-sensitive information are being conducted online, and the digital exchange of this information is often unencrypted.
Unfortunate incidents like the intercepted correspondence in Libananco v Republic of Turkey (ICSID ARB/06/8), and the cyber breach of the Permanent Court of Arbitration (PCA) website during the China–Philippines maritime boundary dispute, have underscored the need for arbitral institutions to implement a structure for effective cybersecurity management, as well as mechanisms to guard against the compromise of the confidentiality of proceedings.
In the "Data protection, privacy, confidentiality and cybersecurity" session at the 22nd Annual IBA Arbitration Day in 2019, Catherine Amirfar further posited some concrete prevention techniques and tips, which included limiting the collection and use of sensitive data, understanding the organizational assets and electronic architecture, and establishing a cyber threat mitigation plan in the early stages. Although limiting the collection of sensitive data may be impracticable for arbitral institutions, implementing cybersecurity and data protection measures by design within the institutional structure may limit any risk of breaches exponentially.
By way of reference, the IBA Guidelines, [6] which are ordinarily aimed at lawyers and law firms, contain a plethora of recommendations which are worth considering by all stakeholders in the arbitral process. The three major areas of the recommendations discussed below are: Technology, Organizational Process, and Staff Training.
1. Technology.
In arbitration, where the arbitral tribunal's technology for receiving processes from parties to a dispute is compromised, or the personal computers of the arbitrators and counsel are individually or collectively hacked, the result could be considerable damage and detriment to getting justice done. The IBA guidelines provide that a veritable way to mitigate the risk of a cyber incident is to keep all system software updated periodically. When making such a system update, caution should be applied, as the update must come only from trusted sources (Windows' or Mac's official website). Arbitrators and counsel alike are saddled with the responsibility of ensuring that arbitral suits are handled competently and diligently. Thus, attaching little or no importance to complying with the IBA guidelines on keeping software updated regularly would be tantamount to negligence, as failing to constantly update software, or downloading from unknown sources, could result in a data breach, which is a deviation from an arbitrator's, or generally a lawyer's, duty of confidentiality. The principle of confidentiality in arbitration was upheld by the Tribunal de Commerce of Paris, which ruled that "arbitration is a private procedure of a confidential nature."
The IBA guidelines equally recommend the implementation of 'endpoint' protection for networks of computers which are involved in the passage and dissemination of certain forms of data. 'Endpoints' simply refer to computers and other devices which are connected to the arbitral tribunal's network. Arbitrators, counsel, and tribunal secretaries must ensure that all the devices which will be used in disseminating sensitive information pertaining to the arbitration suit have endpoint protection, which will in turn stop malicious code (malware) from gaining access to the systems.
Email and web browsing are the routes used by many successful attack vectors. It was recommended that web filtering systems, gateway antivirus, and sandbox security be put in place to reduce exposure to cyber-attacks. A data retention policy was also recommended as a veritable strategy for reducing the risk of data compromise. This could be done through backups and archiving of older documents through a cloud-based backup system.
It was equally recommended that data and communication between devices be encrypted, [7] as access to sensitive data should be limited to only the people who need it. Thus, all communication between arbitrators, counsel, and tribunal secretaries must be encrypted to prevent ease of access by a potential cybercriminal.
Also, a remote erasure function which wipes all the sensitive data, or the entire content of a device was recommended to be put in place. This would prove most helpful in the event that an arbitrator's device or the device of any other player in the arbitration suit gets stolen or lost.
Access to the network must be strictly controlled. In the event that an arbitrator ceases to preside over an arbitration suit, or a counsel has ceased to represent a particular party, their access to any form of information regarding the suit should be reduced to the barest minimum, or better still terminated. This is aimed at preventing access by former players in the arbitration suit, and it prevents hackers from reaching unused information lying fallow.
Audit logs should be reviewed periodically to monitor the activities on all devices, to detect and address suspicious activity early on, and to identify unused and dormant accounts.
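The access-control and audit-log recommendations above can be combined into one periodic review, sketched here as an added example that is not taken from the IBA guidelines or from this article. The roster layout, log format, account names, and the 60-day dormancy threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed roster for one arbitration:
# account -> (role, engagement end date or None, account still enabled?)
ROSTER = {
    "arb.chair":   ("arbitrator", None, True),
    "arb.former":  ("arbitrator", "2024-03-01", True),   # replaced, never disabled
    "counsel.a":   ("counsel", None, True),
    "counsel.old": ("counsel", "2024-02-10", False),     # disabled on departure
    "secretary":   ("tribunal secretary", None, True),
}

# Constructed audit log lines: ISO timestamp, account, action
AUDIT_LOG = """\
2024-01-05T09:12:00 counsel.a login
2024-03-20T14:02:00 arb.chair download exhibit-12.pdf
2024-03-22T23:41:00 arb.former download award-draft.docx
2024-03-25T08:30:00 secretary login
2024-03-26T02:15:00 guest.tmp login
"""

def parse_log(text):
    """Yield (timestamp, account, action) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def review_access(roster, log_text, now, dormant_days=60):
    """Return sorted (account, finding) pairs for the periodic audit review."""
    findings, last_seen = set(), {}
    for ts, account, _action in parse_log(log_text):
        last_seen[account] = max(ts, last_seen.get(account, ts))
        if account not in roster:
            findings.add((account, "activity by account not on case roster"))
            continue
        _role, ended, _enabled = roster[account]
        if ended and ts > datetime.fromisoformat(ended):
            findings.add((account, "activity after engagement ended"))
    for account, (_role, ended, enabled) in roster.items():
        if ended and enabled:
            findings.add((account, "engagement ended but account still enabled"))
        elif enabled and now - last_seen.get(account, datetime.min) > timedelta(days=dormant_days):
            findings.add((account, "dormant account"))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in review_access(ROSTER, AUDIT_LOG, datetime(2024, 4, 1)):
        print(f"{account}: {finding}")
```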
Removable devices that retain data, such as flash drives, carry the risk that the data they store will be lost and the possibility of being infected with malware. These devices should be virus-scanned periodically, kept carefully, and used with caution.
2. Organizational Process.
Human errors could be precursors to cyberattacks. Thus it is important that a process or structure that identifies sensitive data, assesses the cybersecurity risk profile, and introduces cost-effective strategies to mitigate the risk of a cyber-attack be put in place. Each arbitral panel should have designated cybersecurity officers that would enforce cybersecurity policies and comply with international best practices.
Further, it is important that all data considered sensitive and valuable, including but not limited to personal information, designs, third-party trade secrets, client information, and information about the parties and the arbitral suit, is specifically identified, and that consideration is given to where it is stored and with whom it is shared. An outbreak alert system should be employed to speedily notify the right people in the event of a cyber breach.
After risk exposure is identified, it is imperative that cyber insurance is obtained. The reality of the matter is that even the best cybersecurity risk mitigation strategy is not a hundred percent immune to cyber-attacks. Getting cyber insurance helps to cover costs that relate to data privacy breaches, regulatory fines, and a couple of other expenses.
3. Staff Training.
As earlier stated, human errors are usually precursors to cyber-attacks. Due to ignorance or lack of attentiveness to details, people fall prey to cyberattacks. Cyberattacks are ordinarily designed to appear legitimate on the exterior, but cause acute damage, including the collection of sensitive information like usernames, passwords, and credit/debit card details. It is therefore important that tribunal secretaries and ad-hoc staff who are responsible for storing documents and recordings of arbitral sessions are trained to readily identify common forms of cyberattacks, and on how to evade cyber booby traps.
A cyber-attack could be either overt (an attempt to manipulate or destroy a computer network, to the end that business profitability or national security is compromised) or covert (theft of data). Ordinarily, people, including arbitrators, counsel, and other staff, have a proclivity towards downplaying the importance of cybersecurity. However, the importance of cybersecurity should be stressed, and these stakeholders should be made to see the negative effects of cyber-attacks. The economic and national risks associated with cyberattacks should be made clear, as the positions of parties to an arbitral suit could be compromised if they have their data mined and released. Such a breach defeats the very purpose of arbitration, as it goes to the confidentiality of the information which the parties might have shared in the course of the arbitration suit.
Cybersecurity is an area that cannot be overlooked in any sphere of life, and particularly in law and arbitration. Arbitrators and counsel hold information which is vital to the lives and properties of people. Information about their finances, interests, and generally, matters which are ordinarily supposed to be confidential are entrusted into the hands of lawyers and commercial arbitration practitioners. Stringent cybersecurity measures must be taken to guard against breaches of these forms of information.
Reference should be made to the IBA guidelines for detailed tips on effective structures of Cybersecurity.
7. Encryption is a concept of cryptography, which involves the scrambling of data sent between devices in such a way as to enable only authorized people to understand it.