On May 22, 2024, the Swiss Federal Council released its draft ordinance implementing the requirement to report cyber-attacks set out in the Information Security Act. The public consultation will last until September 13, 2024. This new reporting requirement is expected to apply from January 1, 2025.
The Information Security Act contains a relatively detailed list of operators of “critical infrastructures” subject to the obligation to report cyber-attacks. Among other sectors, such as energy, education and healthcare, certain actors in the financial sector are specifically targeted.
These include, in particular, financial institutions subject to the Banking Act, insurance companies subject to the Insurance Supervision Act, and financial market infrastructures (FMIs) subject to the Financial Market Infrastructure Act. It should be noted that, while the Draft Ordinance contains a number of exemptions for small infrastructures, banks, insurance companies and FMIs are not exempted.
Obligation to report
According to the Draft Ordinance, the relevant Swiss financial institutions will be required to report a cyber-attack to the Federal Office for Cyber Security (FOCS) if such an attack:
- jeopardises the operation of the critical infrastructure concerned. Such a threat is deemed to occur when employees or third parties are affected by system interruptions, or when the affected organisation or authority can only maintain its operations with the help of contingency plans;
- has led to the manipulation or leakage of information, in particular when business-relevant information is modified or published by unauthorized persons or the data security breach is reported in accordance with the Federal Data Protection Act;
- has gone undetected for a prolonged period, particularly if there are indications that it was carried out with a view to preparing further cyber-attacks. According to the Draft Ordinance, a cyber-attack is considered to have gone undetected for an extended period if it occurred more than 90 days previously; or
- is accompanied by blackmail, threats or coercion, including when such acts are directed against the current or former officers or employees of the relevant financial institution, or against persons acting on their behalf.
A cyber-attack will have to be reported to the FOCS within 24 hours of its detection. The information known up to that point must be communicated to the FOCS within this period. If the information required by the FOCS is not known in full at the time the report is made, the report can be supplemented later once new information becomes available, or the supplemental report can confirm that the information is not available.
These supplemental details must be sent to the FOCS within 14 days of the cyber-attack being reported. These deadlines cannot be extended.
Content of the report
The Information Security Act specifies that the report to the FOCS must include information on:
- the institution subject to the reporting obligation;
- the type and execution of the cyber-attack;
- its effects;
- the immediate remediation measures taken; and
- if known, the planned measures.
The Draft Ordinance further specifies the information to be provided in the report, including data such as the date and time of detection of the attack, the date and time of the attack itself, the type of attack, the methods of attack and data on the attacker.
The Federal Council based its decision regarding the content of the report to the FOCS on the Swiss Financial Market Supervisory Authority (FINMA) Communication 05/2020 on the obligation to report cyber-attacks.
Outlook
This forthcoming Ordinance is a further opportunity to remind Swiss financial institutions that they may be subject to numerous reporting requirements.
In addition to the obligation to report to the FOCS, there are also obligations to report to the following:
- the FINMA as per the FINMA Communication 05/2020 and the Circular 2023/1 on Operational Risks and Resilience;
- the Federal Data Protection and Information Commissioner based on the Swiss Data Protection Act; and
- any competent foreign authorities (for example under EU GDPR).
The conditions for reporting to these authorities, however, are not the same. A cyber-attack will not necessarily trigger reporting to all these authorities.
Given that the entry into force of this new reporting requirement is in January 2025, Swiss financial institutions should start adapting their internal processes and take the opportunity to review their reporting mechanisms on a broader (even global) basis.
Dr Vaïk Müller is a partner and co-head of Banking & Finance at CMS Geneva. His main areas of focus are banking, regulatory, financial services and products.