Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

MELANI has adopted recommendations for small and medium-sized enterprises with regard to best practices for removing malware, cleaning up websites, protecting industrial control systems and content management systems, secure e-banking and countering distributed denial-of-service attacks. They are partially based on recommendations issued by the US Industrial Control Systems Cyber Emergency Response Team.

How does the government incentivise organisations to improve their cybersecurity?

Apart from the services provided by MELANI, the federal government also has a stake in the public-private partnership Swiss Cyber Experts, which is an alliance of cybersecurity experts in the ICT industry, the private and public sector, and science. The Swiss Internet Security Alliance is a similar project, which aims to reduce the infection rate of devices within Switzerland. Further, cybersecurity projects occasionally receive a grant from the Commission for Technology and Innovation, which is a federal innovation promotion agency responsible for encouraging science-based innovation in Switzerland by providing financing, professional advice and networks. Apart from these examples, no other meaningful incentive schemes exist.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

Relevant industry standards, such as ISO/IEC 27001:2013, can be purchased from the Swiss Association for Standardization (www.snv.ch). MELANI also provides additional guidance free of charge (www.melani.admin.ch).

Are there generally recommended best practices and procedures for responding to breaches?

Victims of cyberattacks are encouraged to share information and to report incidents to the supporting units maintained by the federal government (see question 17).

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Victims of cyberattacks are encouraged to report incidents to MELANI. A report can be made by a simple message on MELANI's website and may be submitted anonymously. If the victim also wants a criminal investigation, a complaint may be filed with the Cybercrime Coordination Unit Switzerland (CYCO), which is Switzerland's national reporting channel for illegal content on the internet. Complaint forms are available on its website. CYCO forwards the complaint to the competent prosecution authority in Switzerland.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The national strategy for the protection of Switzerland against cyber risks, first adopted by the federal government in 2012 and updated in 2018 (see question 1), identified a desire within industry for closer cooperation between the public authorities, the private sector and operators of critical infrastructure in order to mitigate cyber risks. Stakeholders expect standards and procedures to be developed cooperatively and more consistently. At the same time, the federal government holds that the primary responsibility for defending against cyberattacks lies with each organisation individually; the authorities are expected to intervene only if public interests are at stake or if the relevant risks cannot be addressed at the competent subordinate level. In line with this strategy, the government participates in private initiatives dedicated to raising cybersecurity awareness and improving defences (see question 14).

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

At the beginning of 2013, the first insurance company started to offer cyber insurance in Switzerland. Since then, several Swiss insurers have followed and offer coverage for cyber risks. The risks covered by these policies vary significantly and include, for example, the loss or theft of data, the unwanted publication of data, damage resulting from hacking and malware, and the costs of investigations or crisis management following cybercrime.