Davin Teo on Cybersecurity Risks in International Arbitration
A&M’s Managing Director and Head of Forensic Technology Asia, Davin Teo, spoke in a panel discussion hosted by Baker McKenzie on ‘International Arbitration in the Digital Landscape: Technology, Cybersecurity and Data Protection’. With Gary Seib and Philipp Hanusch from Baker McKenzie and Sarah Grimmer from the Hong Kong International Arbitration Centre (HKIAC) also on the panel, the discussion offered practical insights into cybersecurity risks for international arbitration.
Arbitrations often involve highly confidential information that is commercially valuable or sensitive, such as trade secrets, commercial know-how, personal data and privileged information. In addition, international arbitration (IA) typically involves cross-border data transfers and many different parties – each potentially susceptible to a data breach. These factors make IA highly vulnerable to cyberattacks, and it is important to address these risks with appropriate measures.
The pandemic has accelerated a rise in cyber-attacks, and this will put arbitrations at high risk. “The new normal globally is for most people to be working from home during the pandemic,” said Davin. “Unfortunately, cyber-criminals have also adapted to this new normal, and they have increased cyber-attacks to take advantage of the current situation. Phishing and ransomware attacks have increased, and targeted cyber-attacks on remote data access and virtual videoconferencing rooms are on the rise.”
Gary Seib (Baker McKenzie), Sarah Grimmer (HKIAC), Davin Teo (A&M), Philipp Hanusch (Baker McKenzie)
A poll question to the panel’s audience revealed that they considered cybersecurity issues in less than 25% of the arbitrations they were involved in over the past two years. “This lack of cybersecurity awareness is consistent with my experience where too often I have seen parties use Gmail and unencrypted USB flash drives to share documents,” said Davin. “Our recent investigations point towards the same trend. One was a phishing attack where unfortunately a client lost over USD 400,000 just from one false invoice payment. Even with security checks in place, that payment went through. We are also handling another matter where a client has been the target of a cyber-attack with potential personal identifiable information (PII) having been leaked.”
In the context of cross-border arbitration, security is key. According to Davin, “the critical first step is identifying where the data is located, for instance whether email data is on a physical or stored in the cloud. Arbitration involves multiple parties, and as such, collecting data in a systematic manner using forensic software and hardware tools is important for us to ensure in the first instance data integrity and data security is maintained. Often for arbitrations, the metadata of a document is important and therefore needs to be forensically preserved and sound.”
“A key step in mitigating cybersecurity risks is establishing a practical baseline cybersecurity standard”, said Davin. The ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration Framework 2020 protocol “is a great starting point for establishing this baseline. Cybersecurity knowledge is paramount to mitigating risks, and this framework protocol helps to raise awareness amongst arbitration practitioners on the importance of cybersecurity.”
Some practical information security measures from the protocol are:
- Asset management: understand where the data is located and how it is stored
- Access controls: determine what data is accessible, know who has access rights, put appropriate security checks and password controls in place
- Encryption: assess the type of encryption and whether it is easily breached or broken into
- Communications security: assess security levels of all communication methods such as emails and cloud-based storage environments
- Physical and environmental security: consider the need for traditional physical security methods such as a secure filing cabinet to keep confidential data
“One of the cross-border arbitrations we are currently working on involves a large PRC State-Owned Enterprise (SOE). We were tasked to manage the document collection process and the electronic discovery management and support for their cross-border arbitration. Certain electronic documents which were highly sensitive were kept on an offline machine and some were kept only in hard copy format in a secure room. From a cybersecurity angle, it would be near impossible to attack this secure setup,” said Davin.
When asked at what stage cybersecurity risk mitigation measures should kick in, Davin explained it should “ideally happen even before the arbitration takes place. When I get asked to assist with cyberbreach investigations, often we find that unfortunately the client has not adopted a proactive approach to data security and cyber security and has chosen to reactively handle a breach when it arises. From a cost perspective, in my experience a post-breach cybersecurity assessment can be as much as 10 times costlier than a proactive cybersecurity assessment before an attack. Ensuring that appropriate data security and cybersecurity measures are in place. Apart from this financial cost, there are greater repercussions in the form of potential reputational damage, for instance when sensitive or personal data are leaked.”
Ultimately, according to Davin, “we are only as strong as our weakest link, so it is important that everyone involved in an arbitration is equally secure. The key steps are building knowledge and awareness and being proactive about putting simple baseline cybersecurity measures in place. Cyber-criminals do not work office hours or take holidays at Christmas. We must remain constantly vigilant now and in the future.”