Cybersecurity in international arbitration – new answers to (not so) new problems

United Kingdom

The Working Group on Cybersecurity in Arbitration has launched the 2020 Cybersecurity Protocol for International Arbitration (“Protocol”). The Protocol sets valuable guidelines for parties, arbitrators and administering arbitral institutions to assess data protection risks and adopt preventative measures accordingly.

The Protocol

The International Council for Commercial Arbitration (“ICCA”) has partnered with the New York City Bar Association and the International Institute for Conflict Prevention and Resolution to provide for practical guidance on cybersecurity. From email exchange to the way hearings and conferences are held today, it is unarguable that international arbitration is evolving towards cyber-led proceedings. Indeed, the logistics associated with a dispute involving several jurisdictions, particularly (as is increasingly the case) where the dispute involves the parties and tribunal processing and considering huge volumes of data, coupled with increased climate-related pressure on all participants to reduce their carbon footprint, make this inevitable. However, this tendency requires caution by everyone involved.

The purpose of the Protocol is (i) to provide a framework to determine reasonable information-security measures for individual arbitration matters, while (ii) raising awareness about information-security in international arbitrations. The 14 principles that compose the Protocol are supplemented with commentaries and schedules for further guidance. The first principle clarifies that the Protocol does not aim to be a “one size fits all” solution, recognising the need for an approach based on a case-by-case analysis. The risk profile of the arbitration, the burden and costs to those involved as well as the efficiency of the arbitral process are some of the factors to consider in determining what information-security measures are reasonable in a particular case (Principle 6). Thus, if a security measure is so onerous that it would adversely affect the proceeding, that will weigh against its adoption. All factors considered, measures such as asset management or encryption may be put into place (Principle 7). The Protocol also highlights that information-security should be raised as early as possible (Principle 10), naming the case management conference as a recommended long-stop for doing so.


The Protocol provides useful, much-needed practical guidance on how information can and should be protected during the course of arbitral proceedings. Of course, cyber-security is a quickly evolving area and best practice in data-heavy arbitrations will necessarily evolve over time. The Protocol sensibly acknowledges this by flagging the possibility of future reviews to adapt in this fast-changing area.

The Protocol will be featured at the ICCA 2020 Congress to be held in Edinburgh, Scotland in May 2020.

For further information, please email the authors or your usual CMS contact.

The authors would like to acknowledge the assistance of Carolina Roque, intern at CMS London, in preparing this article.