NYSBA Annual Meeting Day 3: Cybersecurity Management and Safe AI Use in Arbitration
Day three put two issues front and center: how firms manage cybersecurity risk, and how arbitrators and counsel can use generative AI without compromising confidentiality, ethics, or due process. The through line was clear: governance first, tools second.
What legal teams need from cybersecurity right now
Threats are getting quieter and more persistent. Ransomware crews go after vendors and rely on lateral movement. Email remains the easiest entry point. Clients want proof you have a program, not a policy binder.
- Adopt a framework and map it to client demands. The NIST Cybersecurity Framework is a workable baseline for firms of any size.
- Assume compromise. Segment systems, enforce MFA everywhere, and log everything that matters (identity, email, file access, admin actions).
- Run tabletop exercises with IT, legal, PR, and insurers. Decide in advance who calls whom, what gets shut off, and what "business as usual" looks like on day two.
- Vendor risk is your risk. Require SOC 2 or equivalent, review data flows, and set breach notification timelines in your contracts.
- Client-ready evidence. Keep short, current artifacts: control matrix, incident response plan, backup/restore test results, phishing metrics, and access reviews.
Incident response that works in practice
- First hour: contain identity (SSO, MFA resets), isolate affected endpoints, preserve logs.
- First day: counsel directs the response to preserve privilege, forensics scoping, insurer notice, and a single source of truth for facts.
- First week: root-cause fixes, client notices as required, regulator assessments, and a clear timeline for remediation.
Speed matters, but documentation matters more. If you can't show it, it didn't happen.
AI in arbitration: useful, but bounded
Generative AI can speed document review, chronology building, clause drafting, and language cleanup. The risk sits in confidentiality, provenance, bias, and overreliance. Arbitrations need clarity up front on where AI fits and where it doesn't.
- Disclosure: Parties should state if they plan to use AI tools, for what tasks, and with what safeguards.
- Confidentiality: No uploading protected material to public models. Use vetted, enterprise platforms with data controls or local deployments.
- Accuracy: AI outputs are starting points. Human verification is required for factual assertions and citations.
- Fairness: If one side uses AI for efficiency, consider timelines and process that keep the playing field level.
- Evidence handling: Preserve original sources. If AI helps summarize or translate, keep the chain back to the primary document.
Suggested protocol language for tribunals and counsel
- Define "permitted uses" (e.g., drafting assistance, translation) and "prohibited uses" (e.g., submitting undisclosed AI-generated expert analysis).
- Require written safeguards: access controls, data retention limits, and a ban on training external models with case data.
- Set a duty to correct: if AI introduces an error, counsel must promptly notify the tribunal and opposing party.
- Agree on disclosures: identify AI-assisted sections when material to credibility or analysis.
Governance checklist for firms and arbitration teams
- Publish an internal AI policy covering tool approval, data handling, and review standards.
- Run conflict checks on AI tools (hosting region, subcontractors, training data practices).
- Train staff on prompt hygiene, confidentiality boundaries, and citation verification.
- Integrate AI use into your litigation hold and discovery plans.
- Audit quarterly: tool inventory, access logs, and sample output quality.
Standards and guidance worth bookmarking
- NIST AI Risk Management Framework for risk controls and governance language.
- ICCA cybersecurity and tech guidance for arbitration-specific protocols.
Bottom line
Clients expect defensible cybersecurity and sensible AI boundaries. Build the guardrails now (frameworks, playbooks, and clear tribunal protocols) so your team can move faster without creating new risks.