SWITZERLAND Trends and Developments Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
Updated government organisation at a federal level

The ISA and ensuing legislation have also reworked the government’s security organisation. BACS, within the DDPS, now serves as the centre of competence for cybersecurity, acting as the primary contact for the economy, administration, educational institutions and the public on cyber-related issues. Its tasks include raising public awareness, receiving reports on cyber-incidents and supporting operators of critical infrastructures in managing these incidents. BACS has absorbed the former NCSC, and protection of the federal administration against cyber-attacks is now a key task of a new specialist unit within the new State Secretariat for Security Policy (SEPOS), also within the DDPS.

Other regulatory activity

Other authorities have an increased focus on cybersecurity as well, within the scope of their supervisory activities. A key example is the Swiss Financial Market Supervisory Authority (FINMA), which oversees compliance with – inter alia – data security regulations in the financial sector. It publishes an annual risk monitor as an overview of risks that FINMA sees as particularly significant. The 2024 version highlights that cyber-risks remain one of the biggest operational risks and observes a trend towards malware attacks targeting external service providers and a need for financial institutions to improve their responsibilities and control activities with regard to service providers. Outsourcing contributes to cyber-risks and is a focus for FINMA.

One of FINMA’s main supervisory tools is issuing guidance and circulars, which set out its expectations for regulated institutions. These include FINMA Circular 2023/1 Operational Risks and Resilience – Banks, which entered into force on 1 January 2024. It applies to banks and investment firms, requiring them to report certain cyber-attacks within 24 hours of becoming aware of them and to submit a full report within 72 hours. Again, this obligation is in addition to any other incident notification obligations. There is ongoing discussion in the market in relation to ensuring that the 24-hour requirement is met even where an institution has outsourced IT operations to a provider, such as a cloud services provider. On 7 June 2024, FINMA published FINMA Guidance 03/2024 – Findings from FINMA’s cyber risk supervision, clarification of FINMA Guidance 05/2020 and scenario-based cyber risk exercises (see 3.3 Key Operational Resilience Obligations in the Swiss Law & Practice chapter in this guide).

Initiatives at a cantonal level

The cantons have also recently increased their efforts to prevent cyberthreats. For example, Switzerland’s largest canton by population, the Canton of Zurich, operates a Cantonal Cyber Security Centre (CCSC) as a knowledge hub for the canton, acting as a point of contact for cyber-issues for the cantonal administration, public authorities, critical infrastructure providers, cities, municipalities, cantonal organisations, business and industry, as well as the population. The CCSC is also responsible for implementing the cantonal cybersecurity strategy.

In addition, cantonal data protection legislation – applicable to public entities acting under cantonal laws, which may include private actors carrying out public tasks – requires notification of personal data security breaches to the cantonal data protection authorities.

The Artificial Intelligence Regulation, AI Regulation, AI Act or AIA

Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence and amend -