Protocol on Cybersecurity in International Arbitration | ICCA, NYC Bar, & CPR

ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020 Edition)

New York Arbitration Week 2019 Special Printing

Published by the International Council for Commercial Arbitration (ICCA), New York City Bar Association, & the International Institute for Conflict Prevention and Resolution (CPR)

The Cybersecurity Protocol for International Arbitration was released as part of New York Arbitration Week in 2019. The Protocol aims to provide a framework for determining reasonable information-security measures for individual arbitration matters and increasing awareness about information security in international arbitrations.

"Ensuring that proceedings in arbitration protect the security of the information at issue is critical to arbitration’s continued vitality" said Allen Waxman, CPR President & CEO." This protocol offers a practical approach for providing that safeguard."

Download a print-friendly version of the ICCA-NYC Bar-CPR Protocol on Cybersecurity in International Arbitration (2020 Edition).

For further information, please contact


Forward to the 2020 Protocol

I. Purpose of the Protocol

The purpose of the ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration (the “Cybersecurity Protocol” or the “Protocol”) is twofold.

First, the Protocol is intended to provide a framework to determine reasonable information security measures for individual arbitration matters. That framework includes procedural and practical guidance to assess security risks and identify available measures that may be implemented.

Second, the Protocol is intended to increase awareness about information security in international arbitrations. This includes awareness of: (i) information security risks in the arbitral process, which include both cybersecurity and physical security risks; (ii) the importance of information security to maintaining user confidence in the overall arbitral regime; (iii) the essential role played by individuals involved in the arbitration in effective risk mitigation; and (iv) some of the readily accessible information security measures available to improve everyday security practices.

II. Scope of the Protocol

(a) Application Beyond International Commercial Arbitrations

Although the Protocol has been drafted with international commercial arbitrations in mind, it may also be a useful reference for domestic arbitration matters and/or investor-state arbitrations.

(b) Data Protection Issues

Information security and data protection issues are closely connected, largely because there is increasing regulation around the globe governing the processing of personal data. It is typical for data protection law and regulations to mandate, among other things, that persons processing personal data implement reasonable information security measures.

Adherence to the Protocol may therefore facilitate compliance with data protection legal regimes such as the European Union General Data Protection Regulation. However, the focus of the Protocol is on mitigating information security risks and not on achieving compliance with such regimes. The Protocol does not supersede applicable legal or other binding obligations, and implementation of the Protocol does not guarantee compliance with data protection regimes.

As useful resources on data protection compliance become available (including the forthcoming Roadmap to Data Protection in International Arbitration Proceedings by the ICCA/IBA Joint Task Force on Data Protection in International Arbitration Proceedings), the Protocol will incorporate references to such resources to facilitate the concurrent consideration of information security and data protection issues. 

III. Future Revisions to the Protocol

As this version of the Protocol is released in late 2019, we refer to it as the “2020 Protocol.” The Working Group has adopted the editioning approach to emphasize that the Protocol will necessarily evolve over time in light of (i) changing technology; (ii) new and prevalent cyber threats; (iii) new or amended laws/regulations; (iv) consensus that may emerge as to reasonable measures/arbitration best practices; (v) new cybersecurity initiatives by institutions or others; and (vi) practical experience implementing the Protocol. To facilitate the periodic improvement and updating of the Protocol, the Working Group encourages persons who use the Protocol to share their experiences in deploying it and provide feedback. Feedback on the Protocol may be sent to

For an electronic copy of the Protocol with hyperlinks and bookmarks to facilitate navigation, please click here.


The information and resources on this website should not be construed as legal advice or opinion, or as a substitute for the advice of counsel.