As rapid technological developments and digitalisation of infrastructure raise the stakes for cybersecurity, Swiss attorney and technology law expert Florian Roth offers perspective on questions the Swiss legislator still needs to answer in connection with the tracking of and response to cyber incidents.
There is currently no general requirement for companies to report cybersecurity breaches in Switzerland. In December, the Federal government signalled that it is considering the introduction of such a duty for providers of critical infrastructure, raising a host of questions about what such a reporting duty could look like in practice.
Many countries in the EU including Germany and Austria have introduced obligations for certain companies to report cybersecurity incidents, recognising the vital role network and IT systems play in the modern economy and society.
In fact, one of the cornerstones of the EU’s cybersecurity framework is a duty of operators of so-called essential services to report incidents. It is articulated in a 2016 EU directive that also calls on member states to ensure the establishment of appropriate technical and organisational measures to ensure a level of network and information security commensurate with the risks posed.
Switzerland has not yet followed this lead. However, last December the Swiss government adopted a report that considers the key issues and implementation models for the introduction of a general reporting obligation for operators of critical infrastructure. The purpose of such a reporting requirement is to enable the authorities to collect information about and get a reliable overview of imminent cyber threats and to help launch a coordinated cross-sectoral response.
This is especially important in view of the increasing dependencies between various infrastructures, which create the risk of domino effects in the event of failure or disruption of one system.
A decision whether to push ahead with the introduction of a general reporting duty is expected by the end of 2020. On the way, there are several questions that the Federal Council will have to figure out.
Three main questions
Currently, Swiss law setting forth reporting obligations in relation to security incidents is scattered across several sectoral laws. These reporting obligations are often phrased vaguely and are not tailored specifically to cyber incidents. Although providers of critical infrastructure may notify the Federal Reporting and Analysis Centre for Information Assurance (Melani) about cyber incidents, they are not obliged by law to share information and thereby support the exchange of relevant information across industry sectors.
As the government produces a bill on the subject, it will need to evaluate several points, particularly:
1. Who shall be subject to the reporting obligations?
In the EU, the reporting obligations apply both to operators of critical infrastructure and to providers of “digital services” (e.g. online search engines, cloud computing services, online marketplaces), acknowledging the increasing importance not only of traditional infrastructures but also of certain online services to modern society and the economy.
While the Swiss government apparently does not intend to include digital services, it has already defined in its National Strategy to Protect Critical Infrastructure the sectors it qualifies as so-called critical infrastructure, i.e. mainly energy, telecommunications, information technology, water and food supply, banks and insurers, health and transportation. In addition, it includes certain parts of the public administration such as universities, government agencies and courts, as well as institutions of public security (police, armed forces etc.).
2. What kind of incidents shall be reported?
The government does not clarify in its report how and to what extent the new reporting obligations will replace, amend or extend notification duties currently existing under Swiss law. It also doesn’t indicate to what degree the obligations, as well as the events triggering them, shall be harmonised across the critical industry sectors.
It is important to distinguish between (i) incidents which are actually linked to an IT security issue and (ii) incidents that may well affect the operation of critical infrastructure, but are not related to cyber risks, e.g. network breakdowns due to technical issues.
In my view, a feasible concept would be to standardise the inconsistent reporting obligations under existing sectoral law, which are triggered e.g. by “events of relevance for the supervisory authority” or by “disruptions in operations affecting a relevant number of clients”. This would cover all major incidents which affect either the availability of critical infrastructures or the authenticity, integrity or confidentiality of the services rendered.
This catch-all regulatory approach is currently applied for instance under the German IT Security Act. Whether an event is considered a “major” incident would then have to be defined in a second step by way of sector-specific criteria (e.g. number of clients affected by telecom systems availability issues).
Another question is which of these major incidents occurring in one critical sector are actually also of interest to other sectors and should therefore be shared with a body responsible for a coordinated response to security risks. The regulator will have to determine who will be called upon to carry out this triage of incidents as part of the implementation model design.
3. How shall the reporting obligation be implemented?
The government will consider different options to implement the reporting obligations. These comprise mainly models involving (i) a single central reporting office, (ii) the mere strengthening of existing sectoral reporting offices, or (iii) a combination of sectoral reporting offices with a central body.
In my view, it would make the most sense to combine decentralised offices with a centralised agency, making use of the existing authorities’ expertise while enabling an effective cross-sectoral response. In this model, the existing decentralised offices would carry out the triage of incidents to be shared with the central cybersecurity response agency according to the latter’s guidelines.
Lastly, there is the question of how to coordinate a new reporting requirement with obligations under article 22 of the revised Data Protection Act (DPA), which is expected to enter into force in 2021. As per art. 22 DPA, persons and enterprises processing data will be obliged to report to the Federal Data Commissioner data security breaches which result in a high risk for the rights and freedoms of the data subjects concerned.
The two types of notification serve different purposes: one safeguards the functioning of services vital to the economy and society, while the other seeks to protect an individual’s information privacy and self-determination.
It is likely that providers of critical infrastructure will in future have to make two separate notifications for the same incident. In any case, the regulator should take precautions so that companies are not deterred from reporting cybersecurity incidents because they fear the considerable fines possible under the revised DPA. If the government succeeds in setting the right incentives, the envisaged reporting obligation in relation to security incidents might become a powerful instrument in response to cyber threats.
The views expressed in this article are solely those of the author, and do not necessarily reflect the views of swissinfo.ch.