The latest global ‘WannaCry’ attack has again brought to the fore the need for sovereign and private parties to have in place adequate cyber-security measures and response plans to deal with cyber-attacks, including in the context of international arbitration. As attackers are becoming increasingly resourceful in their ability to exploit vulnerabilities, it is critical that participants in arbitration play their part in mitigating against this type of risk, particularly where sensitive information is involved and large sums are at stake. Even the arbitral institutions themselves are not immune, as was evidenced by the hack on the Permanent Court of Arbitration’s (PCA) website during a hearing of a high-profile maritime border dispute.
The increase in transparency in investor-State arbitration through the publication of case documents during the proceedings might provide new opportunities for hacktivists to interfere with the arbitral process. For example, hacktivists could use a form of social engineering that would involve impersonating a tribunal chairperson based on information from published procedural orders for the purposes of eliciting confidential information from the parties or co-arbitrators. This type of ‘social engineering’ has become a common method of attack and has supplanted the more basic forms of phishing attempts. Cyber-attacks can only be thwarted if all participants in arbitration remain alive to this type of threat.
How can organisations prepare for and respond to cyber-threats arising in arbitration?
Participants in arbitration should always consider taking appropriate steps to mitigate against cyber-security risks. These steps may include:
- Conducting a risk assessment at the inception of each case, involving both IT specialists and legal counsel to ensure that the risks are assessed holistically and comprehensively.
- Agreeing a cyber-security protocol with the tribunal, adverse party and their counsel at an early stage (for example, as part of the Terms of Reference or First Procedural Order) requiring participants in the arbitration to take at least certain basic steps to address cyber-security risks, such as using encrypted email services (or at least not using web-based email services that are known for their vulnerability to attacks), avoiding the use of any email services for the circulation of extremely sensitive documents, using some form of anti-virus software and web browser filtering, monitoring for and notifying other participants of breaches or attempted breaches, etc.
- Evaluating whether cloud-based repositories and other web solutions are sufficiently secure before selecting them.
- Backing-up critical content in a secure manner (through systems that are not vulnerable to ransomware and other attacks).
- Continuously monitoring cyber-security risk throughout the arbitral process (and subsequently, if documents are retained), including in light of new third parties becoming involved (such as translation agencies and independent contractors that agencies may engage, transcription providers, copying vendors, etc.).
- Considering whether breaches may be covered by any cyber-insurance policies and whether any steps would need to be taken in arbitration in order for incidents arising out of the arbitration to be covered.
- Ensuring as far as possible that all organisations participating in the arbitration take general cyber-readiness steps (see our five steps to help ensure an organisation’s cyber-readiness).
The most recent global incident has surprised many through its magnitude, the speed with which the ransomware spread and the fact that it exploited organisations’ basic failure to update their systems in a timely manner. The attack serves as a timely reminder to all involved in arbitration that cyber-security must be taken seriously and cannot simply be ignored.