SwissInfo.ch reports that Switzerland Proposes Mandatory Incident Reporting For Critical Infrastructure. The Swiss Parliament is being asked to update the Information Security Act to make CI incident reporting mandatory, and aid the National Cybersecurity Centre (NCSC) in assessing and addressing CI incident.
The Swiss Council began a consultation process on a proposed change to the National Act on Data Security of December 18, 2020, on January 12, 2022. (ISEA).
This proposal establishes in Switzerland the need for operators of specific categories of vital infrastructure to notify cyberattacks. The National Organization for Security (NCSC) will take on the function of a monitoring. Centre with expanded competencies, according to the proposal. Additionally, it allows for electronic notifications to be sent to the NCSC. The Proposal’s consultation period expires on April 14, 2022.
Present-Day Legal System
A clear legislative requirement for the mandatory reporting of cyberattacks does not yet exist (whether successful or not). It is optional to notify the NCSC, whose present authority is defined by the Federal Council’s Ordinance on Cyber Risks. Which went into effect on July 1, 2020.
The Regulatory Act on the Swiss Financial Industry Supervisory Authority (FINMASA). Which imposes a reporting requirement on financial institutions is also general in nature. And only applies to institutions that fall under FINMA’s purview.
Critical Infrastructure Concepts
The Proposal includes a reasonably comprehensive list of “critical infrastructure” operators. Who are required to immediately notify the NCSC of any cyberattacks. A few actors in the finance industry are explicitly targeted, along with actors. In other areas including energy, education, and healthcare. These, in particular, include businesses subject to the Insurer Supervision Act (ISA), financial institutions pursuant to the Banking Law (BA), and financial sector facilities pursuant to the Capital Markets Network Act (FMIA).
The proposal gives the Swiss Federal Government the option to exclude some actors if they are unlikely to experience breakdowns or malfunctions as a result of cyberattacks on their infrastructures, particularly given their limited reliance on IT resources.
Coordination With The Current FINMA Reporting Obligation
The requirement to disclose cyberattacks to FINMA, as outlined in Black frame Guidance 05/2020 of May 7, 2020, on the obligation to notify cyberattacks under Article 29 paragraph. 2 FINMASA, would live in tandem with the need to report to an NCSC, according to the explanation report on ISEA. The explanatory report also states that Yes bank and the NCSC would coordinate their efforts to minimise the reporting burden.
It is still unclear if the authorities will be able to implement the promised cooperation among themselves with the least amount of expense and operational difficulty for financial institutions. Financial institutions such as asset managers and trustees that are not impacted by the Proposal are nevertheless required to follow the FINMA guidelines outlined in the abovementioned FINMA Guidance of May 7, 2020.
Sanctions
In addition, the Proposal includes a criminal provision. That would subject violations of the obligation to notify or inform to fines of up to CHF 100,000. However, the punishment is not immediately applied; rather, it only takes effect. When the appropriate operator of the vital infrastructure has been informed of the infringement. By the NCSC and has declined to or failed to follow its requests or directions.
Additionally, the authority may decide to forego prosecuting the implicated persons in favour of fining. The relevant institutions if the fine is anticipated to be no more than CHF 20,000. The investigation is anticipated to include steps that are excessive in contrast.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.