When it comes to cybersecurity – what is your weakest link?
Confidentiality is key. In the wake of the digitalisation of arbitration processes follows a new focus on protection against data breach. Lise Alm, Head of Business Development at SCC, offers a checklist with the where, when and how-questions needed for assessing your vulnerabilities.
One of the central features of international arbitration is the that it is confidential, that the parties can choose to resolve their disputes in a private context. This requires that information intended to be private stays that way, that the walls around your data are tight.
When assessing cyber related risks, you need to find your weakest link. The best weapon you have against exposure of your data is your inside knowledge about your own weaknesses and vulnerabilities. To find your weakest link, you need to look at your process from several different angles. This is not something that can be delegated entirely to an IT department. Someone close to the process needs to take active part in the analysis, and everyone in the process needs to evaluate his or her own role. Below are some starting points for a vulnerability analysis based on our experience in business development at the SCC.
When thinking of cybersecurity, it’s easy to envision a hacker sitting in a basement exploiting vulnerabilities in your software and computer programs. While this is not irrelevant, it’s far from the only threat. When assessing your vulnerabilities, you need to look at all the potential entry points for a potential intruder. While software might be the front door, leaving a window open could have the same consequence. Here are some aspects to consider.
Software – which programs do you use? Do you use VPNs? Do you have any thresholds for externals to install software on your computer?
Hardware – is your computer or phone good enough? How about passwords? When can I plug in external hardware, like USB sticks? Do external people handle my hardware?
Networks – which networks outside the office are safe?
Physical environment – what does my environment look like from where I access the information? Is there a risk that print outs could end up in the wrong place?
Social engineering – is there a risk that I, or someone in my team, could be tricked into handing out data voluntarily? The easiest entry point for an intruder might be to play on the good nature of someone in your team, e.g by asking them to print something and thus open a harmful attachment.
The arbitral process has different stages, each with different types of challenges and potential vulnerabilities from a cyber security perspective. The challenges you face in the preparatory stages are different from the submission of briefs before the tribunal, hearings, enforcement or closing the case and archiving the file. By carefully tracking each step of the process, assessing who is involved when and over what means (email, platforms, videoconferences etc) you can identify your potential risks.
The questions above need to be addressed for anyone handling your data. You may not be able to control the answers for people outside you team, but if you are to maintain a high level of security, the risk assessment also needs to included members outside your team handling your data. You may even want to address them explicitly in an early stage of the proceedings, e.g. at the initial case conference.
In most arbitral proceedings, a fairly large group pf people will have access to potentially sensitive data relating to your case.
Your own team
The client · Potential other advisors to the client
Their counsel and potential other advisors
Experts and witnesses · The arbitral tribunal and sometimes tribunal secretary
The institution (if any)
This is a large group of people. It’s advisable to agree with these groups how you want to handle security matters, which security thresholds you want to put in place and how you should communicate securely with each other.
Protecting your data could be difficult, and most security measures are cumbersome and generally not very user friendly. Demanding two factor authentications every time you log in somewhere (i.e. where you need two separate steps to sign) is great for security, but it’s terrible for the user experience. If it’s hard for the attacker to get in, chances are, it’s hard for you too.
Humans are inherently both lazy and inventive, which is a great soil for ingenuity, but also for inventing various good or less good ways of circumventing cumbersome security step. Therefore, too much security might lead to a less secure end-result. For instance, it’s so complicated to access the data via the secure platform that you download the document and keep it locally and unprotected on your computer instead.
To make sure you put the barriers in place where they are needed, evaluate your data and the threats to it. Is all data equally sensitive? Who do you need to keep it from? How often does the data need to be accessed? How cumbersome is the security arrangement in relation to the sensitivity of the data?
Keeping your data secure is not unlike trying to stay fit. It doesn’t come without effort and requires continuous work and attention to be upheld, but once done, it provides a better night’s sleep.
Lise Alm, Head of Business Development SCC
Creative writing for arbitrators
There is room for improvement, innovation and creativity in award writing. Both reading awards and writing one can be challenging. Do you agree?
We are happy to publish an inspiering article written by former SCC legal counsel Anja Ipp for the Dossier of the Institute of World Business Law (ICC) 2020, ”Explaining Why You Lost, Reasoning in Arbitration".
In the article ”Creative writing for arbitrators” Anja Ipp explains how arbitrators can write better awards if they apply some principles of effective storytelling:
The Dossiers of the ICC Institute of World Business Law are collections of Articles by contributors to the Institute's Annual Meetings. Each Dossier is published in English and provides a compilation of current thinking by leading specialists on a subject of topical interest. ICC webbsite:
Bottlenecks and gaps in current legislation?
The United Nations Commission on International Trade Law (UNCITRAL) recently presented a report on the new digital economy and emerging technology. SCC Head of Business Development Lise Alm, with extensive experience from the cross-section of innovation and digitalization, was part of the expert group which drafted the report. Below she elaborates on some of the issues discussed in the report and by UNCITRAL on its 53rd Commission Session.
• Can robots solve disputes? Should they? Are they already? Are disputes related to high technology a breed of their own? • Is data a tradable asset, like a house or a horse? If so, who owns it? The potential individuals referenced in the data, or the persons collecting and making sense of the data? Or both at the same time? If it’s not an asset, how do we handle the immense value of it? It is after all the new black gold of trade.
These are some of many questions raised for legislators and policy makers by the new digital economy.
In order to promote emerging technology while protecting certain core legal values and principles, we need to evaluate current legislation to find potential bottlenecks or gaps. First step of this is to define the terminology. What is meant by data, artificial intelligence, distributed ledger technology, digital platforms? What is the relevant taxonomy or terminology to be used to make sure we hit the right target when we legislate?
The digital economy has been one of the focus points of UNCITRAL’s work over the last year. This has included an expert group where I had the opportunity to contribute read more here laying some ground work on the taxonomy of this new digital world. On September 15, our report was presented to the UNCITRAL Commission together with a request for a renewed mandate to continue working on these matters. One of the areas specifically pointed out for further work is dispute resolution.
UNCITRAL highlights two areas of interest when it comes to the intersection of dispute resolution and emerging technology. Using AI and automated systems to handle complains and resolve disputes, and the use of existing dispute resolution processes for disputes arising out of transactions in the digital economy, including within high-tech industries.
When it comes to the first aspect, UNCITRAL notes:
“Nearly all legal systems presuppose human analysis and judgment as an essential element of recognized dispute settlement mechanisms such as mediation and arbitration. The use of AI and automated systems thus raises a number of issues relating to the application of existing laws, including the UNCITRAL texts on arbitration and mediation, such as the [NY Convention], the [Model Law] and the [Singapore Convention]. Those issues include whether the parties can validly refer terms generated by an AI system to settlement and whether a corresponding agreement would be enforced as an arbitral award or settlement agreement.”
I addressed the complexity of some of these issues before the UNCITRAL Commission earlier this summer, in an intervention where I focused on the need for on overview of the frameworks of dispute resolution against the backdrop of AI. (starting at 1 hr 24m)
From my horizon, the dispute resolution community needs to focus on three main areas ahead;
Learn and take an active part in the development of emerging technology
Use technology as a tool to combat some of today’s challenges to the justice system
Ensure that fundamental principles like access to justice will stand the test also of new technology and methods.
In the discussion on disputes arising from the new technology, one issue raised was wether these disputes are so specific that they need separate rules. The need for speed, highly specialised expertise and the ability to handled vast, sometimes digital evidence in a short time frame were some of the elements specifically mentioned.
These are indeed highly relevant and challenging issues. However, it may be questioned whether this wish list is unique to high tech disputes. The SCC and other institutions have previously established separate industry specific rules and processes, but in the experience of the SCC, these have come very close to the general rules and over time the general rules have prevailed also where industry specific rules exist. It will be interesting to follow the development in this area.
Even if I'm not convinced high tech disputes will require a specific toolbox, I'm convinced that new technology will challenge the frameworks we have today. Legislators have an important role in both promoting and regulating some of the upcoming technologies ahead, for us all to be able to harvest as much of the benefits and suffer as little of the drawbacks as possible. Therefore, I was encouraged to hear that most member states expressed their sup port for UNCITRAL's continued work in this area. The report is a starting point for the important effort to reach global consensus on terminology, which facilitates the evolution of a global digital economy. It will exciting to follow the development going forward.