Switzerland: Prevention, Action, Reaction - Legal Handling Of Cyber Risks

Last Updated: 25 April 2018
Article by Roland Mathys

With the intensified business pervasion by technology, white-collar crime is also increasingly shifting into the digital sphere. Hardly any company has not yet been targeted or even become the victim of a cyber-attack. Although companies are becoming more and more aware of this new form of threat, there is often a lack of clear ideas as to what needs to be done to prevent and cope with it.


Cyber-attacks have become increasingly widespread and significant in the recent past. Prominent cases such as that of the ransomware "Petya", which temporarily paralysed the IT systems of numerous large companies, have sharpened attention for this new form of danger. Cyber-attacks, however, take place on a daily basis. In recent studies, almost 90 percent of the surveyed companies stated that they had been affected by cyber-attacks in the past twelve months.

Cyber-attacks target almost all companies, regardless of industry, size or jurisdiction. Global financial groups are affected just as much as local SMEs. Accordingly, numerous surveys nowadays rank cyber risks and cybercrime among the greatest threats to businesses. This makes it all the more surprising that measures to defend against and manage cyber-attacks are often missing or only in their infancy.

This implementation backlog becomes clearly evident, for example, in the time elapsing between a successful cyber-attack and its eventual discovery: in about 85 percent of all cases, a successful cyber-attack is only detected after five months; on average, a successful cyber-attack remains hidden for about 250 days and thus about eight months. During this time, an affected company is particularly vulnerable, and the attackers remain largely undisturbed.

This newsletter aims to show how cyber risks are dealt with from a legal point of view. A distinction is made here between the three phases of prevention to ward off attacks, immediate action in the event of a (successful) attack, and reaction in the wake of an attack.



Prevention, i.e. the implementation of measures to preclude cyber-attacks from reaching their target, should be at the beginning of any defence strategy against cyber-attacks. Such measures are not only recommended for reasons of self-protection and the reputation of a company, but are also partly prescribed by law and thus form part of corporate compliance.

A general and comprehensive obligation to prevent cyber risks cannot be explicitly derived from the applicable laws in Switzerland. However, this task can be understood as part of the overall management of the company (Art. 716a of the Swiss Code of Obligations) and thus as a duty of the Board of Directors. This task is further specified, for example, by the Swiss Code of Best Practice for Corporate Governance issued by economiesuisse, the umbrella organisation of the Swiss business associations, according to which the Board of Directors must ensure risk management and an internal control system adapted to the company (Principle 20). Given the current threat situation, prevention of cyber risks is one of the measures to be taken by the Board of Directors.

A concretisation for personal data can be found in the Swiss Data Protection Act (DPA): it provides that personal data must be protected against unauthorised processing by appropriate technical and organisational measures (Art. 7 DPA); what this includes in detail can be derived from the pertaining Ordinance (ODPA; see Art. 8 et seq.). The draft of the currently revised DPA places greater emphasis on the risk-based approach to data security (see Art. 7 draft DPA). As an example, the Dispatch expressly mentions protection against malware (BBl 2017 6941 et seq., 7031). The EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, also states data security as a key principle (Art. 32 GDPR).

Explicit rules for the prevention of cyber risks also exist for individual economic industries, especially in the finance sector. The Circular 2008/21 "Operational Risks - Banks" of the Swiss Financial Market Supervisory Authority (FINMA) stipulates since 1 July 2017 that the Executive Board must implement a risk management concept for dealing with cyber risks (Principle 4). This concept should cover at least the following aspects:

  • Identification of the specific threat potentials;
  • Protection of business processes and technology infrastructure;
  • Real-time detection and recording of cyber-attacks;
  • Responding to cyber-attacks by timely and targeted measures;
  • Ensuring the timely recovery of normal business operations after cyber-attacks through appropriate measures.

According to the Circular, the management's tasks also include regularly reviewing the effectiveness of the concept and measures through vulnerability analyses and penetration tests.


The arsenal of preventive measures to avert cyber risks is large. First of all, every company should set up a cyber-security program. This program defines basic responsibilities, such as the designation of a Chief Information Security Officer (CISO). The involvement of top management is crucial to this. The program also sets security guidelines and monitoring systems for the rapid detection of cyber-attacks; especially in the case of monitoring systems, new solutions that use artificial intelligence techniques have recently entered the market and yield reliable results. The effectiveness of the established processes and systems should be tested regularly, e.g. by means of simulated attacks.

Every company must be or become aware of the risks it is exposed to. An inventory of sensitive data and infrastructures is drawn up as part of such a risk assessment. Possible threats and potential attacks are identified, whereby the human factor and especially the potential for internal attacks must not be underestimated. A gap analysis is then used to locate gaps and weak points in the current protection and defence system and eliminate them with appropriate technical and/or organisational measures. Insurance coverage must be considered for remaining risks (see below).

The risk assessment should not be carried out by the company in isolation, but bearing in mind the role of third parties. Contracts with third-party providers of essential services (e.g. data hosting) must be thoroughly examined to see whether the aspect of data and information security is given sufficient consideration. Providers of business-critical services should be subjected to an actual cyber security due diligence.

Employee training is considered an essential element of preventive measures. On the one hand, this is intended to raise awareness of the potential threat posed by cyber risks; on the other hand, it is intended to provide employees with the most important principles for preventing cyber-attacks and for correct behaviour in the event of a successful cyber-attack, for example by providing mock exercises under realistic conditions.

Finally, the preparatory measures include the setup of a cyber-incident response plan, which describes how to proceed in the event of an emergency (cf. right below).


Every company must be prepared for the event that a cyber-attack reaches its target despite preventive defence measures. In addition to the rapid detection of a successful attack, the focus is on correct behaviour in an emergency. To this end, responsibilities must be clearly defined and the tasks properly assigned.

3.1 TEAM

In the event of an emergency, the company's incident response team must act immediately. This team is made up of representatives from the areas of IT, law/compliance, HR, communications, the business line affected by the attack and top management. The team should also include selected external specialists (e.g. cyber forensic experts or lawyers).


The team's first tasks include assessing the scale of the cyber-incident and taking immediate action to minimise damage (e.g. by disconnecting all affected devices from the network to prevent the spread of malware). Business continuity must then be ensured in an emergency setup and at short notice. In the medium to long term, the return to normal business operations must be planned and initiated.

The incident response team must also check whether and how the incident is communicated internally and externally and whether formal notifications are necessary (cf. below). The question also arises to what extent an internal investigation of the incident should be initiated and whether further steps (e.g. criminal complaints or disciplinary measures) are required. Finally, the team should consider how similar incidents can be avoided in the future.



After a successful cyber-attack has occurred, it must be clarified promptly whether and to whom the incident must be reported. Such a notification requirement may primarily arise from data protection law. The current DPA does not expressly state any obligation to report security-relevant incidents. In contrast, the draft of the revised DPA stipulates that, under certain conditions, the Federal Data Protection and Information Commissioner and, if necessary, the affected individuals must be informed "as soon as possible" about a cyber-incident (Art. 22 draft DPA). The same applies under the EU General Data Protection Regulation (see Art. 33 et seq. GDPR). Additionally, there are reporting obligations for individual sectors in accordance with specific laws (e.g. for telecommunications service providers, for financial market supervisees, or in the health sector).

In the case of listed companies, a duty to report a cyber-incident may also arise from the rules on ad hoc disclosure. Accordingly, all information that is likely to have a significant impact on the share price of a company must be disclosed. Even where there is no statutory notification requirement, disclosure can be recommended, for example for reasons of reputation, best practice or to minimise potential damage.


Once a cyber-incident has occurred, the company must consider what legal action should be taken against the perpetrators of the attack. Civil and criminal law measures as well as individual special instruments are available.

Under civil law, claims for injunctive relief, removal or damages may be based on breaches of contract (e.g. by customers or suppliers) or on tortious acts; in the latter case, illegality usually results from the commission of a criminal offence, an infringement of trademark or copyright, a personality or data protection infringement or unfair competition. Under criminal law, the spectrum includes on the one hand specific cybercrime offences (e.g. hacking, data theft or damage, computer fraud) and on the other hand "classic" criminal offences (e.g. fraud, blackmail, coercion, forgery of documents or breach of secrecy), often in combination.

The Ordinance on Internet Domains (OID), as revised with effect from 1 November 2017, introduces a new instrument for blocking domain names of illegal websites. The remedy applies to websites under the top-level domains .ch and .swiss through which phishing is practised or malware is distributed, or which support such illegal activities.

There is also the possibility to report cyber-incidents of any kind to the Reporting and Analysis Centre for Information Assurance MELANI (www.melani.admin.ch) or to the Cybercrime Coordination Unit Switzerland CYCO (www.kobik.ch). However, due to the large number of reports and limited resources, these institutions will often not be able to investigate reported incidents in detail.

As outlined above, a large arsenal of legal measures is generally available; however, the inherent circumstances and specific challenges of cybercrime, in particular the anonymity and virtuality of the perpetrators, the international dimension and the time factor, often make the enforcement of these measures less promising.


Even with comprehensive preventive measures, the occurrence of a cyber-incident cannot be completely ruled out, which raises the question of the insurability of cyber risks. The market for cyber insurance is still relatively young in Switzerland, but is growing. The insurance models available to date cover third party losses (e.g. liability claims) and/or "own losses" of the affected company (e.g. costs for crisis management, costs for data recovery or the consequences of a business interruption).

In the case of cyber insurance, it is advisable to examine in detail which risks are covered, which due diligence obligations on the part of the policyholder are assumed (especially preventive technical and organisational measures) and which obligations the policyholder has in the event of damage (e.g. reporting or notification obligations).


In Switzerland, numerous political initiatives in the field of cybercrime can currently be observed. These range from the creation of specific competence centres and centralised contact and coordination points to the introduction of new reporting requirements (e.g. for operators of critical infrastructures). The need for action has thus also been recognised by legislators and authorities.

Companies in Switzerland are becoming increasingly aware of cyber risks. However, the implementation of appropriate measures is often still lacking. The proactive management of cyber risks is becoming an increasingly central pillar of corporate governance and compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
