Snapshot on Cybersecurity from the 2021 QMUL Survey on International Arbitration

Share:

Measuring the impact of the Covid-19 global pandemic in the International Arbitration field was not an easy task. However, it has been promptly targeted by Maria Fanou and Norah Gallagher from the School of International Arbitration at Queen Mary University of London, in collaboration with White & Case LLP.

The recently published “2021 International Arbitration Survey: Adapting arbitration to a changing world” (the Survey) collects impressions from an outstanding number of 1,218 participants representing a wide variety of stakeholders in international arbitration including counsels, arbitrators, in-house counsels, and arbitral institutional staff from different geographical regions. Taking into consideration the impact of the pandemic and the consequent changes to the arbitration practice, the survey focusses on current choices and future adaptations, diversity of tribunals, use of technology, sustainability, and information security.

With particular regards to the latter, the results are striking: despite the undisputed crucial role of cybersecurity in daily operations, only around 25% of respondents indicated that they ‘frequently’ or ‘always’ have seen cybersecurity measures implemented in arbitration proceedings. At the same time, however, the Survey revealed that the focus on technology and information security is increasingly getting stronger. It follows that initiatives aiming to provide practical guidance in the field, such as CyberArb (www.cyberarb.com),  come to play a fundamental role.

Is cybersecurity a disadvantage to virtual hearings?

Similarly to the recent 28th Vis Moot which promptly forecast the trends, respondents of the survey were asked about the disadvantages of virtual hearings, which widely took place during the pandemic.

Although the Survey does not indicate whether respondents have actually encountered any negative experience concerning cybersecurity, 30% of them listed confidentiality and cybersecurity concerns as a disadvantage of conducting arbitration proceedings virtually. However, it seems that virtual hearings are likely to be chosen over in-person hearings even in the post-pandemic scenario, and thus 37% of respondents showed sound awareness when requiring more reliable and secure technology for the immediate future.

Despite a growing awareness about the importance of having cybersecurity measures put in place to protect the confidentiality and security of electronically submitted data, the Survey clearly shows that there is still a long way to go. The majority of 57% of the respondents said they only encountered such measures in less than half of their cases, while 16% said they have never seen such measures put in place.

These data indicate a significant gap in international arbitration practice with respect to cybersecurity. The cybersecurity concerns might be elevated once a dispute involves a State or public interest issue. Even if the reasons for increased concerns were not stated, regard shall be given to malicious actors or state-sponsored cyber-attack groups which might target this area.

Overcoming the cyber-challenges and embracing technology

Despite the concerns, technologies that increase the efficiency of arbitration proceedings are generally found desirable. The Survey reveals that the most commonly used technologies are by far video conferencing and hearing room technologies, ‘always’ or ‘frequently’ used by 63% of the respondents. Another technology that attracted the arbitration community is cloud-based storage, adopted by more than half the respondents (56%). Particularly, respondents considered cloud-based platforms to be protective of confidentiality and security of electronic or electronically submitted arbitration-related data.

It should be noted that the cybersecurity measures to be adopted with regards to each platform providing services of video conferencing, hearing rooms, and cloud-based storage, should be considered separately and not be given as granted. This concept is based on the basic principle that information security shall be a “team-sport” or joint effort which involves all arbitration participants and cannot be fully relied on external service providers only.

The respondents were also asked to choose technological improvements that they would like to be commonly used. Almost half of them (47%) answered that only professional email addresses – rather than personal ones – should be used. Other suggested measures include access controls, e.g., multi-factor authentication (44%), institutional guidance or protocols (41%), platforms or technologies provided or controlled by the arbitral institution (40%), the adoption of soft law instruments and guidance, such as the 2020 ICCA – New York City Bar – CPR Protocol on Cybersecurity in International Arbitration (40%), and specific directions from arbitral tribunals (37%).

Furthermore, it has been noted that emerging technologies such as blockchain and AI could be considered as an infrastructure to be developed by the institutions, particularly for limited data access and data encryption purposes. Although these technologies are not themselves exempt from cybersecurity violations, it is worthy to explore them for the future and potential automatization of some aspects in international arbitration.

These statistics seem to suggest that arbitration users are expecting more guidance and support in dealing with cybersecurity issues. According to the Survey, in order to gain more market advantage, arbitral institutions should consider having a more hands-on approach with providing practical guidance, secure platforms, and technological infrastructure.

However, these data are still concerning, as “the majority (57%) encountered such [cybersecurity] measures in less than half of their cases”. Overlooking the importance of cybersecurity  enables gaps and “weak links” that could open the door to malicious actors activities, which have increased due to pandemic.

Is the arbitration seat “cyber-secure”?

According to the Survey, the top five most preferred seats are  London (54%), Singapore (54%), Hong-Kong (50%), Paris (35%), and Geneva (13%). One of the main reasons for the respondents’ choices is the ‘safety’ of such seats, although allegedly this information attains to physical/traditional security only.

However, given that cybersecurity is listed among the main concerns for the present and immediate future, and that improvements in the field are suggested as features to make institutions more competitive, the concept of safety in this digitalised era will likely entail cybersecurity in the due course. As a result, international arbitration may become a worldwide driving force for the adoption of soft law and hard law instruments aiming to increase the levels of cybersecurity in the countries where the competitive seats are located.

What role for popular arbitral institutions in enhancing cybersecurity?

There seems to be a common belief that arbitral institution should lead the discussion on cybersecurity. For instance, the ICC, which appears to be the most preferred arbitration institution (57% of the respondents), provides Suggested Clauses for Cyber-Protocols and Procedural Orders Dealing With The Organisation of Virtual Hearings that parties may consider adopting to ensure and enhance cybersecurity during the arbitral proceedings. Also the second-placed LCIA (39% of respondents) in the new 2020 LCIA Rules included a provision stipulating that the  tribunal could adopt specific information security measures and means to address the processing of personal data in consultation with the parties and, only where necessary, with the LCIA (see Article 30A).

In conclusion, the Survey arguably indicates that international arbitration practitioners are aware that the use of technology can boost efficiency. As such, virtual hearings may very well be the normal way of doing business even for the post-pandemic future.

However, virtual hearings and other technological means employed increase concerns regarding cybersecurity. To tackle these issues, arbitral institutions and professional organizations arguably are in the position to take the lead and be more proactive in raising g awareness on the topic, as well as providing guidance and services. In this mission, they can rely on the support from other multidisciplinary initiatives.

As highlighted by the Survey, “[a]lthough there are encouraging signs that users are mindful of cybersecurity issues and the need to address them, there is nonetheless ample scope for more engagement on this front”.