Cybersecurity 2025

SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation

A breach notification obligation in cases of cybersecurity incidents affecting critical infrastructures will come into force on 1 April 2025. Moreover, the Federal Office for National Economic Supply (FONES) published a minimum information and communication technology (ICT) standard document as well as an ICT self-assessment tool directed at operators of critical infrastructures. This document rests, in part, on the requirements of the relatively ubiquitous National Institute of Standards and Technology (NIST) framework to which it refers.

2.2 Critical Infrastructure Cybersecurity Requirements

Concerning critical infrastructure cybersecurity requirements, see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation.

2.3 Incident Response and Notification Obligations

Concerning incident response and notification obligations, see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation.

2.4 State Responsibilities and Obligations

Concerning state responsibilities and obligations, see 2.1 Scope of Critical Infrastructure Cybersecurity Regulation.

3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

FINMA, as the financial market supervisory authority, frequently adopts and adapts various circulars and notices. In particular, FINMA Circular 2008/21 and its recent replacement (entering into effect on 1 January 2024), Circular 2023/01 Operational Risks and Resilience – Banks, are central to all banks’ cybersecurity practices laying out principles and guidelines on proper risk management in relation to client-identifying data (CID). FINMA Circular 2018/3 on Outsourcing by Banks and Insurers is another essential text as it contains rules on the security of data in an outsourcing context.

In the banking and financial markets sector, the regulator, FINMA, supervises the relevant actors (namely banks, insurance companies, financial institutions, collective investment schemes and fund management companies) and plays a role in the cybersecurity realm. Indeed, given the importance of the financial industry in Switzerland, data security and cybersecurity are core concerns. FINMA publishes an annual risk monitor as an overview of risks seen as particularly significant, and the 2023 version highlights that cyber-risks remain one of the biggest operational risks and notes a trend towards malware attacks targeting external service providers.

FINMA has also revised its circular, with the updated version, Circular 2023/1 Operational Risks and Resilience – Banks, coming into force on 1 January 2024. It requires banks and investment firms to report certain cyber-attacks within 24 hours of becoming aware of them and to submit a full report within 72 hours.
