Arbitration as a ‘new normal’ may hinge on cybersecurity

11/05/2020  

Law360, Expert Analysis: Aside from certain hearings that might not be suitably conducted via video-conferencing, the disruptive impact of coronavirus (COVID-19) on international arbitration has been relatively modest; however, widescale remote work exacerbates the gaps in cybersecurity, say Claire Morel de Westgaver and Rachel Chiu at Bryan Cave Leighton Paisner LLP.

The coronavirus pandemic has caused the world to adapt in an unprecedented way. Under government-imposed social distancing measures and travel bans, the vast majority of companies, state agencies and organisations have scrambled to maintain a sense of business continuity in the current social order, where people are largely confined to their homes.

Yet, given the cross-border nature of arbitration, parties, counsel, arbitrators and institutions have been conducting proceedings remotely even prior to the pandemic. It is no news that much of an arbitration practitioner's work can be done from anywhere with a secure Wi-Fi connection: an office, a home, a conference or hotel room, or an airport lounge. Aside from certain hearings that might not be suitably conducted via video-conferencing, the disruptive impact of coronavirus on arbitration has therefore been relatively modest.

There are, however, risks associated with the changes caused by work-from-home policies implemented as a result of the pandemic. The sudden surge in remote working and rapidly deployed and expanded information technology infrastructure inevitably exacerbate gaps in cybersecurity.

State cybersecurity agencies have reported increased coronavirus-themed cyber operations by advanced persistent threat groups and malicious cyber actors who are exploiting this vulnerability to 'hack and leak' and deploy malware. The threats that have been observed, and which are expected to continue over the coming weeks and months, include: 

  • phishing, using the subject of coronavirus as a lure

  • malware distribution, using coronavirus-themed lures

  • registration of new domain names containing words relating to coronavirus

  • attacks against newly, and often rapidly, deployed remote access and teleworking infrastructure

  • hijacking of video-conferencing virtual rooms which do not have sufficiently strong encryption and privacy protections (eg, reported cyber hackers who 'video-crashed' and disrupted conference calls hosted over certain unsecured video-conferencing applications) (see, Kelly Zegers, Law 360 ‘Shareholders Sue Zoom over Privacy, Hacking Concerns’)

Arbitration stakeholders are not immune to these heightened cybersecurity and hacking risks. As the community continues to tap into the flexibility of arbitration to meet the needs of the current environment, it must not lose sight of the cyber risks associated with remote working. Law firms, arbitration team leaders and other stakeholders should implement reasonable information security measures and best practices to mitigate against these risks.

Appropriate guidance from information technology experts should be sought, awareness of tools or behaviour that may compromise the security of arbitration proceedings should be raised, and the community should share takeaways from each of their own experiences.

For instance, the 2020 Cybersecurity Protocol for International Arbitration, jointly released in 2019 by the International Council for Commercial Arbitration (ICCA), the New York City Bar Association and the International Institute for Conflict Prevention and Resolution (CPR), provides helpful guidelines and examples of information security measures that may be adopted and tailored to a particular arbitration.

On a more systemic level, some arbitral institutions had already put in place secure digital platforms for the transfer of communications and documents. The current situation caused by coronavirus is likely to generate initiatives to increase the scope of these platforms to address remote working measures and assist with the holding of virtual hearings and deliberations.

Information security measures that meet the needs of the day are important to preserve the integrity, confidentiality and fairness of the arbitration process. In some instances, the arbitral proceedings themselves might not be subject to confidentiality duties. However, some channels of communication and some documents generated and/or exchanged in connection with the arbitration will invariably be subject to strict duties of confidentiality.

For example, communications between counsel and their clients, and those between arbitrators, are always confidential. A data breach giving rise to the disclosure of communications covered by lawyer-client privilege may have profound consequences in terms of due process and fairness. Similarly, a leak of arbitrators' deliberations and draft awards would jeopardise the integrity of the proceedings and the validity of the ensuing award. It may also expose arbitrators to criticism or challenge, with the risk of wider political implications.

The aim of this article is to suggest some best practices and practical precautionary measures that arbitration practitioners can take to manage heightened cybersecurity risks.

Accounts, passwords and virtual private networks

With most practitioners now accessing their work or organisation's network systems remotely, passwords are the first line of defence in protecting user accounts from being hijacked in account-takeover attacks.

Individuals involved in arbitral proceedings should ensure that the access and transfer of confidential information, work-sharing spaces, data rooms, servers and network systems are protected by strictly observed passwords that combine upper- and lower-case letters, special characters and numerals. Multifactor authentication should be used when possible and appropriate.

Counsel, arbitrators and other participants should exercise caution if they choose to circulate documents or information using applications outside the relevant organisation's selected or approved document management systems. Where external, non-approved document management systems are used, these should ideally be reviewed and approved by the organisation's IT security team, to scan for any encryption or security risks.

Alongside this, given that most practitioners are accessing their organisation's network systems remotely, virtual private network, or VPN, servers are paramount to the security of each organisation's systems and data, including information and communications relating to arbitral proceedings.

In this context, it is critical that law firms, expert advisory firms, barristers' chambers, and academic and arbitral institutions take steps to ensure that their VPN servers are fully patched with sufficient bandwidth to support the current surge in traffic for the foreseeable future. In addition, it is important for all employees to access the firm's VPN servers strictly via a secure, private Wi-Fi connection to reduce exposure of the VPN servers to cyberattacks (see, Bryan Cave Leighton Paisner, ‘Work From Home Cybersecurity Basics: Wireless Network Security’).

Use of personal devices

Many practitioners will now be accessing their work, organisation's network systems, or carrying out business functions from their own personal devices (laptops, tablets and smartphones) in addition to or in the absence of corporate managed devices. The use of personal devices heightens the risk of user-initiated deliberate data loss (eg, from copying data from a work application to the personal device's local storage system). Personal devices are also more vulnerable to malicious exfiltration and scraping of data, and malicious exploitation of the device as a result of weak security configuration and lack of monitoring.

A proportionate security control of these devices is critical to ensure that they are adequately protected. Access to personal devices should be password protected with minimum passcode length and multifactor authentication where possible. No business or confidential data should be stored locally on the personal device.

In addition, third-party use of personal devices (eg, by family members, or in the course of maintenance or repair services) should be controlled with care. Organisations should conduct regular audits of business data accessible via their employees' personal devices. They may also consider imposing a universal level of security by requiring use of antivirus software on all personal devices that are used for work and business functions.

Telephone and video conferences

Telephone and video-conferencing has become the primary medium of communication between colleagues and clients even within the same jurisdiction. In the realm of dispute resolution, many courts and arbitral institutions, state bodies and tribunals have transitioned to virtual hearings with the use of telephone and video-conferencing platforms (eg, ICC, CIArb, AAA-ICDR and HKIAC) and online dispute resolution (see, Harry N Mazadoorian, Law 360 ‘COVID-19 and Online Dispute Resolution: A Whole New World Out There’ and Vincent Chow, Law 360 ‘China Pushes for Increase in Online Dispute Resolution as It Reboots Economy’).

On 22 March 2020, it was reported that the substantive merits hearing of a large Brazilian corporate International Chamber of Commerce arbitration, involving over 70 participants, was successfully heard remotely via a cloud-based video-conferencing software platform (see, Graziella Vlenti ‘A pandemia na maior arbitragem societária do país, a disputa pela Eldorado’).

With respect to the use of video and telephone conferencing, it is important that practitioners ensure that the relevant platform or software offers the necessary security and encryption required to protect the information that is exchanged. To the extent practicable, the platform or application should be run past the relevant IT support team to ascertain any potential security risks.

Many video and telephone conferencing platforms offer the option to share documents and presentations. However, to the extent that any such documents or presentations include confidential information, use of this feature should be avoided, unless the organisation's IT security team has confirmed that the platform has the necessary encryption to prevent unlawful interception or retention by third parties. Instead, participants could agree to use a shared, multifactor password-secured and encrypted virtual/cloud document repository, where the relevant documents could be shared prior to or during the meeting.

More broadly, practitioners and users will also find helpful guidance on best practices for the planning, testing and use of video-conferencing in international arbitration in the Seoul Protocol on Video Conferencing in International Arbitration.

The Seoul Protocol identifies potential challenges and risks associated with the use of video-conferencing and sets out various practical preparatory arrangements that parties can take to avoid logistical breakdowns. In addition, it recommends the technical specifications of video, audio, bandwidth and bridging that parties should use to ensure the efficient and smooth operation of hearings conducted by videoconference.

It is important for practitioners to adopt the necessary information security measures in telephone and video-conferencing so that fairness and impartiality, effectiveness and confidentiality in the arbitration process are safeguarded.

Informal communications—instant messaging

Working remotely also means that instant messaging via various digital messaging platforms like WhatsApp is more commonly used for business. Where instant messaging is used as an informal, expeditious medium for work-related communications during this period, the boundaries between private and professional life in this medium of communication become blurred.

Some professionals may use these digital messaging platforms for informal, ad-hoc communications. Others use instant messages for virtually all their business dealings. The 'social' and inherently informal nature of instant messaging often means that individuals are less circumspect in what they write than they would be if communicating by email. It is for these reasons that arbitration users, counsel and clients should exercise special care in the information they disclose on these platforms. The level of security can vary significantly from one platform to another.

Furthermore, there is potential for such communications to be considered as a form of discoverable evidence in a prospective dispute or, for instance, be deemed representative of an agreement in lieu of a signature.

Informal communications—email

Many companies have reported an uptick of coronavirus phishing attempts via email, web links and instant message communications targeted at employees who are working remotely from personal devices (rather than firm-issued and firm-configured devices).

Practitioners should be wary of clicking on links embedded in emails from unknown or unusual senders (whether in their personal or work email inboxes). This is especially critical when accessing emails on the organisation's VPN servers, as it may risk a potential hacking of the organisation's VPN server, infiltration of the remote network system, and leaking of large amounts of confidential information. Law firms and other organisations should circulate updated guidance to their employees on phishing emails.

Document sharing and storage

With the closure of physical offices and the consequential unavailability of printing facilities, almost all communication and exchange of information is being done in electronic format. In fact, most major arbitral institutions have issued guidance to the effect that all communications, submissions and exhibits should be filed and exchanged via electronic means, to the full extent possible (see, ICC Guidance Note on Possible Measures Aimed at Mitigating the Effects of the COVID-19 Pandemic, LCIA Services Update: COVID-19, ICSID Makes Electronic Filing its Default Procedure, SIAC COVID-19: SIAC Case Management Update and AAA-ICDR COVID-19 Update).

While this approach is not new to practitioners, it is even more critical to maintain good practices in the circulation and exchange of information between colleagues, clients and counterparties. As far as possible, documents should be exclusively stored and shared within the relevant organisation's network system and/or the designated cloud document repository or file transfer platforms.

The exchange of documents outside these channels (eg, third-party services like Dropbox, Google Drive) should be avoided as much as possible. If documents are transferred externally (using personal email addresses or outside the designated file transfer platform), users may wish to require a password to access these documents. The password should be transmitted separately from the underlying documents.

In addition, storage of these documents or client confidential information on the local drive of personal devices should be avoided. Furthermore, documents, client confidential information and other work product should exclusively be saved on the firm's network system folders or on password protected data storage carriers.

Conclusion

The shift toward working from home on a full-time basis and the more widespread dependence on technology may have long-term positive effects on international arbitration in terms of time and cost efficiency, impact on the environment and diversity.

Furthermore, arbitration is now being considered by some litigants not only as a temporary solution to the closure of national courts, but also as a long-term alternative to litigation, for its potential ability to weather future (health-related or otherwise) crises that may have an impact on national courts' ability to function.

It is, however, imperative that members of the international arbitration community recognise existing and new cybersecurity risks and work to build cybersecurity resilience in arbitration across the board to protect the integrity of arbitral proceedings and, ultimately, the future of arbitration as a sustainable dispute resolution process.

This content is based on an article first published by Law360, a LexisNexis® company, on 6 May 2020 and is published with permission.

Further information can be found at: https://www.law360.com/internationalarbitration (subscription required).

The views expressed are not necessarily those of the proprietor.
