When arbitration gets hacked: why cybersecurity now belongs at the centre of arbitral practice
Cybersecurity in arbitration is often treated as an operational issue, something to be handled by IT teams in the background while lawyers focus on pleadings, evidence, and hearings. That view no longer holds. As the recent webinar When Arbitration Gets Hacked made clear, cybersecurity has become a core governance, confidentiality, and procedural issue in arbitration itself.
That is the shift many practitioners still underestimate. Arbitration has embraced digital working with impressive speed. Documents move through shared platforms and email chains. Hearings take place online. Counsel, clients, experts, tribunals, and service providers collaborate across jurisdictions and devices. These changes have made arbitration more flexible and efficient. They have also expanded its attack surface – which in turn requires the implementation of steps in order to minimise the cyber risks.
Moderated by Courtney Lotfi, the webinar brought together Jenny Arlington, Glenn Hoek, and Katie Hyman to examine what cyber risk now looks like in practice. Their discussion pointed to a simple but important conclusion: cyber resilience is no longer a specialist add-on in arbitration. It is part of competent case management.
Arbitration’s digital convenience has created a wider risk perimeter
The first insight from the panel was that arbitration now operates inside a much broader digital ecosystem than many of its traditional assumptions reflect. Confidentiality remains one of arbitration’s defining attractions, but confidentiality today depends on the security of digital behavior as much as on legal principle.
As Jenny Arlington explained, arbitration involves multiple actors, each handling valuable information. Tribunals, external counsel, in-house teams, witnesses, experts, translators, and other vendors may all hold parts of the same record. That fragmentation creates opportunity for threat actors. The problem is not only the prospect of a dramatic system breach. It is the accumulation of access points.
Here is the part many teams miss. Sensitive information does not become secure simply because the proceeding is private. In practice, arbitration files can include internal investigations, pricing strategies, personal data, draft commercial analyses, and privileged communications. In many cases, they contain some of the most commercially sensitive material a business will ever disclose outside its own walls.
That makes arbitration an attractive target, not a niche one.
The real vulnerability often lies in ordinary workflow
Katie Hyman brought the discussion down to the level where risk usually emerges, daily working habits. Her point was especially persuasive because it cut against the popular image of cybersecurity as a matter of rare, sophisticated attacks. In arbitration, many vulnerabilities arise from ordinary convenience.A document gets sent to a personal email account so it can be read on another device. A secure platform is used, but files are then downloaded and stored locally. Access permissions are set too broadly. Someone works while travelling and pays less attention than usual. None of these actions appear dramatic on its own. Together, they create exposure.
The counterintuitive truth is that the weakest link in many matters is not the platform. It is the workflow around the platform.
In practice, that means legal teams should stop asking only whether a tool is secure. They should also ask how people are actually using it. Every extra copy of a document, every unnecessary forwarding step, and every workaround adopted for speed can widen the risk perimeter. For arbitration, where data often moves across organizations and borders, that matters a great deal.
Arbitration is not safer than litigation by default
One of the webinar’s most useful correctives was the rejection of a comfortable assumption, that arbitration is somehow less exposed than court litigation. It may be less public. It is not inherently more secure.
The panel referred to reported incidents affecting both arbitral and court processes, including hacked systems, intercepted communications, and compromised materials. The lesson is not that arbitration faces unique danger. It is that digital vulnerability now cuts across dispute resolution as a whole.
What may make arbitration especially sensitive is the nature of what is at stake when something goes wrong. A cyber incident in litigation is serious. A cyber incident in arbitration may also undermine one of the process’s central promises, confidentiality. That raises the stakes quickly, not only for the parties, but for counsel and tribunals managing the proceeding.
This is why cybersecurity should not sit in a separate technical silo. It now shapes procedural integrity, client trust, and strategic risk.
Regulation and arbitral procedure are moving in the same direction
Another important theme was that cybersecurity in arbitration is increasingly framed by both arbitral rules and national law. Jenny Arlington noted that a growing number of arbitral institutional rules now address information security expressly, whether by encouraging parties to agree on protective measures or by empowering tribunals to direct them.
That trend matters because it formalizes what many practitioners have treated informally. Cybersecurity is starting to appear not as background good practice, but as part of the procedural architecture of the case.
At the same time, national regulation continues to apply outside the four corners of the arbitration. Data protection rules, sector-specific cybersecurity obligations, and breach notification requirements do not pause because a dispute is private. If a breach affects personal data or regulated systems, parties and their advisers may face legal obligations that extend far beyond the arbitration itself.
These competing pressures, procedural and regulatory, require the implementation of steps aimed at mitigating the risks.
What a breach disrupts is larger than the case record
It is tempting to think of a cyber incident in arbitration as an issue compromising documents. The panel made clear that this is too narrow. An incident often very quickly becomes a management issue, a legal issue, and often a reputational issue that require handling effectively and efficiently.
Time and attention shift from the merits of the dispute to containment and response. External experts may need to be engaged. Reporting obligations may arise. Businesses may have to consider regulatory, contractual, and communications consequences at the same time. The arbitration itself can become only one piece of a wider crisis.
That broader impact helps explain why governance matters so much here. If a company treats arbitration data as somehow separate from enterprise-sensitive data, it creates inconsistency at exactly the wrong moment. Katie Hyman’s point was clear: the same discipline used internally should follow the data into the arbitration process.
A practical framework: address cybersecurity at the start, not after a scare
Glenn Hoek offered a practical way to think about the issue from a case management perspective. At minimum, he suggested, cybersecurity should be discussed early in the proceeding. Whether detailed provisions belong in a procedural order depends on the case, the institution, and the sensitivity of the material.
A useful framework for practitioners is this three-part approach:
- Classify the sensitivity of the dispute
Not every case requires the same level of control. But teams should assess early whether the matter involves trade secrets, personal data, internal investigations, regulated information, or politically sensitive material. - Map the data flows
Identify who will access documents, how they will be shared, where they will be stored, and which third parties will handle them. This often reveals risk more effectively than abstract policy language. - Set procedural expectations early
Agree where possible on platforms, permissions, communication channels, and escalation steps if an incident occurs. In higher-risk matters, these expectations may belong in a procedural order or hearing protocol.
This works best when parties treat the issue as part of case planning rather than as a sign of mistrust. Avoid it only if the discussion becomes performative and disconnected from actual working practices.
The new professional baseline
The strongest message from When Arbitration Gets Hacked was not alarmist. It was professional. Cyber risk in arbitration is real, but the response does not begin with panic. It begins with discipline.
That means basic controls still matter: multi-factor authentication, patching, strong passwords, careful permissions, and reliable backups. It also means something more cultural. Arbitration practitioners need to recognize that digital habits now affect procedural fairness, confidentiality, and client protection in direct ways.
The field does not need to become technocratic. It does need to become more deliberate. For most teams, the right next step is simple: review how arbitration data actually moves, decide where convenience has outpaced judgment, and raise cybersecurity at the beginning of the next case. The question is no longer whether arbitration is digital. It is whether arbitral practice is ready to govern that reality well.
Have you not been able to attend the webinar?
You can still watch the replay: When Arbitration Gets Hacked.