The Cybersecurity Incident Response Gap in the Cybersecurity Protocol for International Arbitration - WAMR - 2020 Vol. 14, No. 4
Specialist lawyer on technology transactions and privacy at Vanguard.
Originally from World Arbitration and Mediation Review (WAMR)
ABSTRACT
This article discusses the response of the international arbitral community to cybersecurity vulnerabilities and threats through an analysis of the ICCA-NYC Bar-CPR Cybersecurity Protocol in International Arbitration (“Cybersecurity Protocol” or “Protocol”), first approved in 2019 and amended in 2022. First, this article discusses the baseline security measures provided in the Protocol and the appropriateness of reasonableness as the standard for setting cybersecurity measures. Second, the article discusses the question of who is best suited to address cybersecurity issues in international arbitration and how the Protocol assigns different roles and authority among arbitral institutions, the arbitral tribunal, and the parties in international arbitration. Third, this article ascertains the key components that should be present in a cybersecurity incident response plan so that, in the event of a cybersecurity breach or attack, a process for correcting and mitigating the breach or attack is properly set up.
I. INTRODUCTION
Cybersecurity breaches are increasingly prevalent in today’s world. Every industry and every country is vulnerable to this issue, and the consequences are costly. The hacking of the Permanent Court of Arbitration’s website during the hearing of the dispute between the Philippines and China over South China Sea territory is evidence that international arbitration is not immune to cybersecurity attacks. Aside from the clearly identified and often-discussed harms, such as reputational harm, breach of attorney-client privacy, loss of integrity of the arbitral process, loss or unauthorized disclosure of sensitive commercial information and personal data, adverse media coverage, the high costs of breach notification and data recovery, and legal liability, it is evident that both the arbitral tribunal and the parties appearing before it have affirmative obligations to address cybersecurity issues and safeguard client confidence in the digital space. In consequence, international arbitration moved to address the cybersecurity issue by publishing the ICCA-NYC Bar-CPR Cybersecurity Protocol in International Arbitration (“Cybersecurity Protocol” or “Protocol”) on November 21, 2019. The Protocol was further revised in 2022 to address several concerns stemming from the maturing of the cybersecurity and data protection environment since the launch of the 2019 Protocol. Although the general principles remained the same as in the original Protocol, the 2022 revision incorporated an update to the list of references found at Schedule E and a sample personal data breach protocol found at Schedule D-1.