A multi-organisational Working Group on Cybersecurity in International Arbitration has released the 2020 edition of its Cybersecurity Protocol for International Arbitration (the “Cybersecurity Protocol”).

This edition reflects comments received by the ICCA-NYC Bar-CPR Working Group during a year-long consultation on the initial draft of the Cybersecurity Protocol (on which we commented here).

The Cybersecurity Protocol is intended to assist stakeholders in the arbitral process to address issues of cybersecurity, acknowledging that arbitration is now an often largely digital process which can be the subject of “increasingly pervasive cyberattacks“.

The content of the Cybersecurity Protocol

The purpose of the Cybersecurity Protocol is twofold:

  • To “provide a framework to determine reasonable information security measures for individual arbitrations. The framework includes procedural and practical guidance to assess security risks and identify available measures that may be implemented.”
  • To “increase awareness about information security in international arbitrations, including awareness of information security risks in the arbitral process, the importance of information security to maintaining user confidence in the overall arbitral regime; the essential role played by individuals involved in the arbitration in effective risk mitigation; and some of the readily accessible information security measures available to improve everyday security practices.”

The Protocol comprises 14 Principles, which aim to provide high-level guidance (rather than a one-size-fits all recommendation) to tribunals, parties and administering institutions when considering what information security measures are reasonable to apply. Those principles are supplemented by explanatory comments and schedules (including a glossary, sample language for addressing information security in – for example – a procedural order, example steps that can be taken to better protect data exchanged in an arbitration, a list of prevailing cybersecurity standards and other relevant resources).

The Cybersecurity Protocol is a living document and will continue to evolve as arbitration participants adopt new technologies and face changing cybersecurity threats.


The Cybersecurity Protocol will no doubt prove to be a useful tool for both parties and tribunals to ensure better cybersecurity in arbitration, and as a guide for arbitration participants in bringing the issue to the fore and seeking/issuing appropriate procedural directions. How it is employed, and how it evolves with the changing practices and technological landscape will be key to its continued relevance and longevity.

Cybersecurity also increasingly needs to be addressed in the context of balancing competing requirements upon arbitration participants in the context of data handling. Arbitral participants must understand their individual obligations (including their mandatory data protection obligations under the GDPR or other applicable data protection laws) and be equipped to meet those obligations in a balanced manner which preserves the interests of justice and the speed and efficiency of the arbitral process.

The Cybersecurity Protocol therefore needs to be read alongside other useful resources on data protection compliance (such as the forthcoming Roadmap by the ICCA/IBA Joint Task Force on Data Protection in International Arbitration Proceedings) and to be applied in the context of the available online tools that help streamline the arbitral process and the exchange of data between its participants.


For more information, please contact Nicholas Peacock, Partner, Charlie Morgan, Senior Associate, or your usual Herbert Smith Freehills contact.

Nicholas Peacock
Nicholas Peacock
+44 20 7466 2803
Charlie Morgan
Charlie Morgan
Senior Associate
+44 20 7466 2733