Cyber hack challenges in international arbitration - Part 2

In our recent blog post, “Cyber hack challenges in international arbitration – Part 1”, we took a look at the steps parties might wish to consider to help limit the chances of problems arising in their arbitration. If there are suspicions that security has been compromised, however, what might be the consequences for the tribunal? We take a look at some recent events and how to avoid some of the pitfalls.

Cyber-security allegations can undermine the tribunal

In “Part 1” we discussed recent reports of the staying of the enforcement of a partial award in a multibillion-dollar Brazilian ICC arbitration over allegations that the arbitration has been tainted by cyber hacking. It is now reported (see “Tribunal challenged over alleged cyber-attack in Brazil pulp case”, Global Arbitration Review, 21 April 2021) that the defendant has brought a challenge to the impartiality of the tribunal directly before the ICC Court on the basis that the arbitral proceedings (which remain ongoing) have been irreparably tainted due to the hacking incident.

Consequences for arbitration proceedings

These reports show that cyber-security risks are not an abstract problem and may escalate to become a real ground of difficulty for the tribunal. The decisive question in such circumstances, from the tribunal’s perspective, is likely to be whether and, if so, to what extent the arbitral tribunal might have been influenced by any tainted evidence when it rendered the decision. The arbitral tribunal will thereby face a situation for which it is not responsible in the first place. It merely assesses the facts and evidence presented by the parties. However, the partial consequences of the use of tainted evidence may be far-reaching. Indeed, a successful challenge of an arbitral tribunal could mean a complete re-set of the proceedings and the arbitration starting from scratch again.

What can be done?

Clearly such a situation is not a position that the majority of parties that arbitrate will want to find themselves in; and the easiest way to avoid such trouble is, of course, to steer well clear of any improper practices and to consider implementing the type of hygiene steps discussed in our previous article. Even innocent parties can, however, unwillingly be drawn into allegations of this type; neither a cyber-attack in general nor related allegations made by the opposing party (true or not) to obtain an advantage can be fully prevented. And, as the above example illustrates, such allegations may extend to evidence presented to the tribunal, which then may (unwillingly) be drawn into challenges and other proceedings.

Considering the potentially negative implications of such a result, there may therefore be some additional steps which parties may wish to consider in order to shield the tribunal from such allegations, and their potentially disruptive effect on the proceedings. These will depend on the peculiarities of the arbitration and the circumstances at hand, but the following are some potential guidelines to keep in mind, inter alia:

  • Provide for a clause in the cyber security protocol that excludes any evidence obtained from hacking and other unlawful activity, regardless of whether one of the parties can be shown to have been involved in the cyber-attack or not.
  • Carefully assess which facts and evidence to present to the arbitral tribunal and which evidence to rely on, to avoid any suggestions that improperly obtained evidence has been relied on.
  • In case of doubt, consult with the arbitral tribunal first before submitting a piece of information that might later be contested.
  • Make sure the evidence presented supports the conclusions without reference to excluded evidence.
  • Take usual steps to check the credibility of sources from which information has been obtained, as well as the methodology which has been followed to acquire information and evidence.
  • Honor and safeguard the integrity of the proceedings and the impartiality of the tribunal.