Protocol on Cybersecurity in International Arbitration | ICCA, NYC Bar, & CPR

ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration

Published by the International Council for Commercial Arbitration (ICCA), New York City Bar Association, & the International Institute for Conflict Prevention and Resolution (CPR).

The Cybersecurity Protocol for International Arbitration was released in 2019 (2020 Edition) and updated in 2022. The Protocol aims to provide a framework for determining reasonable information-security measures for individual arbitration matters and increasing awareness about information security in international arbitrations.

"Ensuring that proceedings in arbitration protect the security of the information at issue is critical to arbitration’s continued vitality" said Allen Waxman, CPR President & CEO. "This protocol offers a practical approach for providing that safeguard."

Download a print-friendly version of the ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2022 Edition).

For further information, please contact icca@pca-cpa.org.

Forward to the 2022 Protocol

I. Purpose of the Protocol

The purpose of the ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration (the “Cybersecurity Protocol” or the “Protocol”) is twofold.

First, the Protocol is intended to provide a framework to determine reasonable informa- tion security measures for individual arbitration matters. That framework includes pro- cedural and practical guidance to assess security risks and identify available measures that may be implemented.

Second, the Protocol is intended to increase awareness about information security in international arbitrations. This includes awareness of: (i) information security risks in the arbitral process, which include both cybersecurity and physical security risks;

(ii) the fact that reasonable information security is required by law in many jurisdictions;

(iii) the importance of information security to maintaining user confidence in the overall arbitral regime; (iv) the essential role played by individuals involved in the arbitration in effective risk mitigation; and (v) some of the readily accessible information security measures available to improve everyday security practices.

II. Scope of the Protocol

(a) Application Beyond International Commercial Arbitrations

 Although the Protocol has been drafted with international commercial arbitrations in mind, it may also be a useful reference for domestic arbitration matters and/or inves- tor-state arbitrations, as well as mediations and other ADR procedures.

(b) Data Protection Issues

 Information security and data protection issues are closely connected, largely because there is increasing regulation around the globe governing the processing of personal data. It is typical for data protection laws and regulations to mandate, among other things, that entities and individuals processing personal data implement reasonable information security measures.

The ICCA-IBA Roadmap to Data Protection in International Arbitration (the “Roadmap”) is being launched concurrently with this 2022 edition of the Protocol. The Roadmap recognizes that adherence to the Protocol facilitates compliance with data protection legal regimes, such as the European Union General Data Protection Regulation (“GDPR”), which require reasonable information security. Readers may refer to the Roadmap for further guidance on the application of the data protection laws during an arbitration.

The Protocol is intended to complement the Roadmap and other resources on data pro- tection compliance by providing guidance in the arbitration context on: (i) the mitigation of information security risks and (ii) breach notification expectations and procedures. The Protocol recognizes that breach notification is one aspect to be considered when preparing an incident response plan for situations in which information security may have been compromised, and that notice expectations and procedures warrant special attention because whether a security incident (or “data breach” under the GDPR) con- stitutes a security breach triggering notice obligations (often on a very short timeline) will depend on applicable law. The Protocol does not supersede applicable legal or other binding obligations, and while implementation of the Protocol supports compliance with the security requirements imposed by data protection laws, it does not impact the many other requirements imposed by those laws.

III. Revisions to the Protocol

This 2022 edition of the Protocol was launched at the XXVth Congress of ICCA held in Edinburgh Scotland. In addition to updating the list of references found at Schedule E, the main revision from the 2020 Protocol, which was released in late 2019 and was the original iteration of the Protocol, was to add the sample personal data breach protocol found at Schedule D-1. This addition recognises the importance of having an incident response plan in place were a security incident to occur during an arbitration.

These changes reflect that the cybersecurity and data protection environment in which the Protocol operates has matured in the nearly three years since the Protocol was launched, but the general principles remain the same. In particular, the number of global cyberattacks has increased, the sophistication of cyber threat actors has evolved, and the issue of cybersecurity has received increased attention on the world stage. Entities of all kinds have matured their cybersecurity systems and processes at the same time that regulators have placed increased focus on establishing and maintaining reasonable cybersecurity practices and programs. At the same time, the arbitration community has become increasingly aware of its security obligations in the digital environment, which awareness was accelerated by the changes that occurred during the pandemic. It is against this backdrop of increased awareness and attention that we issue the 2022 edition of the Protocol.

The Working Group has adopted the editioning approach to emphasize that the Protocol will necessarily evolve over time in light of (i) changing technology; (ii) new and prevalent cyber threats; (iii) new or amended laws/regulations; (iv) consensus that may emerge as to reasonable measures/arbitration best practices; (v) new cybersecurity initiatives by institutions or others; and (vi) practical experience implementing the Protocol. To facilitate the periodic improvement and updating of the Protocol, the Working Group encourages persons who use the Protocol to share their experiences in deploying it and provide feedback. Feedback on the Protocol may be sent to cybersecurity@ arbitration-icca.org.