Swiss Federal Council proposes new reporting requirement for cyber-attacks

Switzerland

On 12 January 2022, the Swiss Federal Council opened a consultation procedure on a contemplated amendment to the Federal Act on Information Security of 18 December 2020 (ISEA).

This proposal (the "Proposal") introduces an obligation to report cyber-attacks for operators of certain types of critical infrastructure in Switzerland. The Proposal provides for the National Center for Cybersecurity (NCSC) to assume the role of a reporting centre with strengthened competences. It also provides for notifications to the NCSC to be made electronically. The consultation on the Proposal ends on 14 April 2022.

Current legal framework

There is currently no specific legal provision for mandatory reporting of cyber-attacks (whether successful or not). Notifications to the NCSC, whose current competences are set forth by the Ordinance of the Federal Council on Cyber Risks in force since 1 July 2020, are made on a voluntary basis.

Moreover, Article 29 para. 2 of the Federal Act on the Swiss Financial Market Supervisory Authority (FINMASA), under which financial institutions are subject to a reporting duty (see also below "Coordination with the existing reporting duty to FINMA for financial institutions"), is a general provision and limited to institutions under FINMA supervision.

Notions of critical infrastructures

The Proposal contains a relatively detailed list of operators of "critical infrastructures" subject to the obligation to report cyber-attacks to the NCSC upon discovery. Among other sectors, such as energy, education and healthcare, certain actors of the financial sector are specifically targeted. These include, in particular, financial institutions subject to the Banking Act (BA), companies subject to the Insurance Supervision Act (ISA), and financial market infrastructures subject to the Financial Market Infrastructure Act (FMIA).

The Proposal allows the Swiss Federal Council to exempt certain actors if failures or malfunctions caused by cyber-attacks against their infrastructures are unlikely, in particular because of their low dependence on IT resources.

An exemption by the Federal Council is also possible if such failures or malfunctions are considered to have only a limited impact on the economy or on the well-being of the population, in particular if one of the following conditions is met (this list is non-exhaustive):

  • only a small number of persons are impacted;

  • the failures or malfunctions are compensated by other critical infrastructures; or

  • they have an overall low potential impact on the economy.

This last exemption could be relevant to certain FinTech companies subject to BA given their size and the already applicable FINMA supervision.

Coordination with the existing reporting duty to FINMA

The explanatory report on ISEA states that the obligation to report cyber-attacks to the Swiss Financial Market Supervisory Authority (FINMA), as set out in FINMA Guidance 05/2020 of 7 May 2020 on the duty to report cyber-attacks pursuant to Article 29 para. 2 FINMASA, will coexist in parallel with the obligation to report to the NCSC. The explanatory report adds that FINMA and the NCSC will consult each other in order to keep the reporting burden as low as possible.

It remains to be seen whether the authorities will be able to achieve the promised coordination in practice, with the least possible cost and operational complications for financial institutions. In addition, financial institutions not covered by the Proposal, such as asset managers or trustees, remain subject to the FINMA requirements set forth in the aforementioned FINMA Guidance of 7 May 2020.

Sanctions

The Proposal also contains a criminal provision providing for a fine of up to CHF 100,000 for breaches of the duty to report or to inform. However, the sanction is not triggered automatically, but only if and after the operator of the critical infrastructure concerned has been warned by the NCSC about the breach and has refused or failed to comply with the NCSC's requests or instructions.

Furthermore, if the fine is not expected to exceed CHF 20,000 and the investigation would require measures disproportionate to that amount, the authority may waive the prosecution of the individuals involved and fine the relevant institution instead.

Outlook

The Proposal is an opportunity to remind Swiss financial institutions that they may be subject to numerous reporting requirements imposed by a variety of local and foreign authorities, whose scope and deadlines may vary. In particular, reporting duties may apply under:

  • the revised Swiss Data Protection Act (DPA);

  • the European General Data Protection Regulation (GDPR);

  • the FINMA Circular 2008/21 on operational risks;

  • the Swiss anti-money laundering rules (communications to MROS);

  • the FMIA for transaction reporting (securities and OTC derivatives reporting); and

  • any other applicable foreign regulations (e.g. MiFIR via SWIFT for ISO 20022).

To conclude, the Proposal raises awareness among all actors, and financial institutions in particular, of the importance of putting in place an adequate internal organisation in terms of process (i.e. a proper reporting line) and of both human and technical resources.

For more information on financial regulations and the regulatory compliance framework in Switzerland, contact your CMS client partner or local CMS expert.