Cyber hack challenges in international arbitration

Proceedings disrupted over allegations of hacking by an adversary

In arbitration proceedings, the current pandemic is proving to be a catalyst in a shift towards more online dispute resolution, with participants attending virtual hearings and moving to online case-management platforms. On the one hand, using such technology can help to save time and costs. On the other hand, arbitration proceedings (which often relate to high-value disputes that are business-sensitive, or involve public or state-controlled entities) are not immune to cyber risks. Many stakeholders – be it competitors, hackers, investigative journalists, state agencies or even the opponent party – might have an interest in the data relating to the arbitration being shared and may attempt to influence, control or even taint the outcome of such proceedings.

Latest cyber hack in international arbitration proceedings

It has been reported that a Sao Paulo court stayed the enforcement of a partial award in favour of the claimant and obtained in February 2021 in a multibillion-dollar ICC dispute over the sale of a pulp maker while it considers allegations that the arbitration has been tainted by cyber hacking (for example, see Global Arbitration Review, 12 April 2021: “Brazilian pulp award leads to cyber hack challenge”). The defendant had challenged the award and asserts that the claimant orchestrated a hacking of its servers and thus gained access to confidential information (around 70.000 emails) during the arbitration proceeding. The claimant rejects those accusations. Brazilian news outlets report that the Sao Paulo police detected illegal spyware on numerous email accounts of the defendant. Apparently, two hackers admitted having hacked the defendant’s IT system, but denied any connection to the claimant.

Regardless of the question of who commissioned the cyber-attack, it is clear that privileged information may well have been compromised, the impartiality of the arbitral tribunal is being questioned and arrests have been made by the police in connection with the cyber-attack allegations. In short: the proceedings face difficulties.

What can be done to be prepared?

This recent example of a cyber incident disrupting an on-going arbitration illustrates the importance of arbitral proceedings being prepared to prevent an incident from happening and to cope with such an incident if it does occur. Obviously, a cyber-attack cannot be fully prevented as there is no such thing like full technical security, with cyber attackers constantly adapting their methodology. However, there are risk mitigation measures that parties may wish to consider, with the involvement of the arbitral tribunal, in order to limit the chances of a breach, and to help ensure the smooth running of the proceedings. The exact measures deployed will depend on the nature of the arbitration, its risk profile, and proportionality considerations, but these can include, amongst others:

• Agreement on a comprehensive cyber security and data protection protocol.
• Agreement on a cyber incident response plan in the protocol that allows to follow a defined set of rules in case of a cyber hack (including a notification obligation in the event of a security breach and an obligation for the arbitral participants to cooperate in good faith to investigate the breach).
• Use of reasonable technical security measures, e.g. encryption, access control, usage of secure online platforms for storage and case management, etc.
• Informed selection of arbitrators; in case of a higher susceptibility of the arbitration for a potential cyber hack preferably rely on tech-savvy, and cyber-risk and data protection conscious arbitrators.
• Express agreement on the sanctions which the tribunal can impose if an arbitral participant does not comply with the cyber security measures or acts obstructively in connection with the investigation of a cyber hack.
• Provision for the arbitral tribunal to have substantive jurisdiction over a dispute between the parties arising out of a security breach.
• Agreement on the evidentiary status and admissibility of hacked information, such as agreeing on a provision that excludes any material obtained as a result of a security breach.
• Provision for contingency measures in case of sudden technical failures, e.g. backups and fallback solutions for communication.
• Provision for an appropriately secure IT environment. Consider the scope and effectiveness of the security practices and keep abreast of security threats and solutions.

• Consider maintaining adequate insurance to cover against cybersecurity risks.