Cybersecurity 2025

SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

presumably immediately. The actual report must then continue to be submitted via the EHP.

Expectations for the Actual Report

FINMA Guidance 05/2020 requires a final root cause report for reports of cyber-attacks with a severity level of “medium” or more, which at a minimum contains the internal or external investigation or forensic report (further requirements can be found in FINMA Guidance 05/2020). As FINMA has now clarified, the root cause report should include the following aspects for the “high” and “serious” severity levels:

• the reason for the success of the cyber-attack;
• the impact of the attack on compliance with regulatory requirements, the institution’s operations and its clients; and
• the mitigating measures introduced to address the effects of the attack.

For cyber-attacks categorised as “serious”, evidence and analyses of the crisis organisation’s ability to function must be included in the submission.

Calculation of Deadlines

FINMA has confirmed its existing practice: where an attack is detected by an outsourcing provider to the institution, the 24-hour window starts when the provider becomes aware of the attack, shortening the time left for the institution, in order to treat institutions that have not outsourced any functions equally to others.

When calculating the deadlines for the initial report and follow-up reports, only official banking days count. An exception applies to attacks with the “serious” severity level. In this case, the deadline for the initial report also applies outside of banking days. FINMA’s guidance must be interpreted here as meaning that this exception does not apply to the deadline for the follow-up report.

It should be noted that FINMA did not formally align its guidance with the EU Digital Operational Resilience Act (DORA) or its level II and level III legislation, although they are similar in several regards.

3.4 Operational Resilience Enforcement

Concerning operational resilience enforcement, see 1.1 Cybersecurity Regulation Strategy and 1.2 Cybersecurity Laws.

3.5 International Data Transfers

The FADP aims to protect the personality rights and fundamental rights of natural persons whose personal data is processed. As a consequence, the FADP contains provisions on how this protection is to be guaranteed when data is transferred abroad, for instance to a state that does not offer the same level of data protection as Switzerland.

Controllers or processors may transfer personal data abroad if the Swiss Federal Council has determined that the legislation of the relevant state or international body guarantees an adequate level of protection. Therefore, the Swiss Federal Council determines, in a binding manner, to which countries the export of data is permitted. On the other hand, in the absence of such a decision by the Swiss Federal Council, personal data may be disclosed abroad only if appropriate protection is guaranteed. Thus, at least one of the following conditions must be fulfilled:

• an international treaty;
• data protection provisions of a contract between the controller or the processor and
