09 April 2024

Update to the new Information Security Act


Cyber attacks on public authorities and private individuals have increased sharply in recent years. The new Information Security Act is intended to close the existing gaps in the area of information security.

  • Dr. Martin Eckert

    Legal Partner
  • Noëlle Glaus

    Legal Associate

ISG – A new law that is already under revision

The Information Security Act (Informationssicherheitsgesetz, ISG) and the associated Ordinance on Information Security in the Federal Administration and the Armed Forces (Informationssicherheitsverordnung, ISV), the Ordinance on Personnel Security Checks (VPSP) and the Ordinance on Operational Security Procedures (VBSV) entered into force on 1 January 2024.

A revision of the ISG (obligation to report cyber attacks on critical infrastructures) has been adopted and is scheduled to enter into force on 1 January 2025. In addition, the former National Cyber Security Centre (NCSC), which was previously part of the Federal Department of Finance (FDF), has been transformed into the new Federal Office for Cyber Security (Bundesamt für Cybersicherheit, BACS). BACS has been integrated into the Federal Department of Defence, Civil Protection and Sport (DDPS).

Objective

The ISG aims to regulate the security of federal information and IT resources uniformly for all federal authorities and organisations in order to strengthen the information security (cyber security) of the federal government as a whole. The focus is on critical information and systems as well as on the standardisation of measures. As part of the revision of the ISG, a reporting obligation for cyber attacks is introduced which, owing to the broad definition of critical infrastructure, will oblige a wide range of operators.

Who is subject to the Information Security Act?

The following obligated authorities and organizations of the federal government are subject to the ISG (art. 2 ISG): the Federal Assembly, the Federal Council, the federal courts, the Office of the Attorney General of Switzerland and its supervisory authority, the Swiss National Bank, the parliamentary services, the Federal Administration, the administration of the federal courts, the army, and the organizations pursuant to art. 2 paras. 3 and 4 of the Government and Administration Organisation Act (GAOA).

If the obligated authorities and organisations cooperate with third parties, they must ensure that the requirements and measures provided for by law are set out in the corresponding contracts and agreements (art. 9 ISG). Third parties are all authorities, organisations and persons under public and private law that are not obligated authorities and organisations and that in principle act independently of them.

An obligation to report cyber attacks is introduced for the operators of critical infrastructures. Critical infrastructures are those authorities and organisations whose failure or impairment would have serious consequences and which are therefore attractive targets for cyber attacks. These include, for example, universities, authorities, security and rescue organisations, drinking water supply, wastewater disposal, waste disposal, energy supply, banks, insurance companies, health care facilities, social insurance institutions, the Swiss Radio and Television Company, postal services, public transport, civil aviation, the supply of essential goods for daily use, telecommunications services, the exercise of political rights, digital services and manufacturers of hardware and software (exhaustive list in art. 74b revISG).

What are the new requirements and obligations?

The ISG contains requirements for obligated organisations and authorities regarding information security (art. 6-23 ISG). These include, among others:

  • Information Security Management System (ISMS): Obligated authorities and organisations must create and implement an ISMS that meets the requirements of the ISG. This includes the evaluation of the need for protection of information (art. 6 ISG) and, if necessary, its classification (art. 11-15 ISG), the identification and ongoing assessment of risks (art. 8 ISG), the definition of a security procedure and security measures in connection with IT resources (art. 16-19 ISG) and ensuring personnel and physical security (art. 20-23 ISG).

  • Information: Obligated authorities and organisations must identify information they process, evaluate its need for protection (art. 6 ISG) and classify it (art. 11-15 ISG). Furthermore, it must be ensured that appropriate protective measures are taken to protect this information from unauthorised access, loss, disruption or misuse (art. 6-10 ISG).

  • Risk management: Obligated authorities and organisations must manage the risks in their own area of responsibility as well as those arising from cooperation with third parties. The most suitable measures for risk avoidance and reduction must be taken. Residual risks must be clearly identified, demonstrably accepted and borne by the responsible body (art. 8 ISG).

  • IT resources: Obligated authorities and organisations shall establish a security procedure to ensure information security when using IT resources. The IT resources must be assigned a security level, which is accompanied by minimum requirements and security measures (art. 16-19 ISG).

  • Personnel: Obligated authorities and organisations must ensure that persons who have access to information, IT resources, premises and other federal infrastructures are carefully selected and identified in accordance with the risks. They must be informed about the requirements of the ISG and the relevant security measures and be trained and educated at the appropriate level (art. 20 ISG).

  • Premises and areas: Obligated authorities and organisations must reduce the risks that arise from physical threats (human actions, natural hazards). Premises and areas can be assigned to security zones, which may be associated with appropriate controls (e.g. access controls, bag checks) (art. 22-23 ISG).

  • Cooperation with third parties: When cooperating with third parties who are not subject to the ISG, the obligated authorities and organisations must ensure that the legal measures are complied with when placing and executing orders. The security measures are to be regulated contractually (art. 9 ISG).

The revision of the ISG (BBl 2023 84 – Botschaft zur Änderung des Informationssicherheitsgesetzes – Einführung einer Meldepflicht für Cyberangriffe auf kritische Infrastrukturen) provides for new rules on cyber security (art. 73a-79 revISG):

  • Voluntary reporting of cyber incidents and vulnerabilities: Reports of cyber incidents (incl. cyber threats) and vulnerabilities in IT resources can still be voluntarily reported to the Federal Office for Cyber Security (BACS, previously: National Cyber Security Centre, NCSC). This possibility is not limited to operators of critical infrastructures but is open to any person – even anonymously (art. 73b revISG).
  • Removal of vulnerabilities: The BACS informs the manufacturers of the affected software or hardware about reported vulnerabilities and sets them an appropriate deadline for their removal. Failure to rectify the vulnerability within the deadline may be sanctioned (art. 73b revISG).
  • Obligation to report cyber attacks: Authorities and organisations subject to the reporting obligation must report cyber attacks to the BACS within 24 hours of their discovery if they have serious consequences (art. 74a-e revISG).
  • Violation of the obligation to report: If an authority or organisation subject to the reporting obligation fails to comply with it, it may – after having been set a deadline twice – be punished with a fine of up to CHF 100'000 (art. 74g-74h revISG).

Parliament adopted the amendments to the ISG on 29 September 2023. The implementing regulations have not yet been issued. It is currently planned that the reporting obligation will come into force on 1 January 2025.

How is the trust between BACS and reporters ensured?

The Freedom of Information Act (FoIA) takes precedence over the ISG (art. 4 para. 1 ISG). This means that, in principle, all persons have access to official documents and information of the federal government, unless an exception applies or a weighing of interests speaks against it. The revision of the ISG makes an exception to this rule insofar as information from third parties of which the BACS becomes aware through the receipt and analysis of reports on cyber incidents is excluded from the right of access under the FoIA (art. 4 para. 1bis revISG).

This means that, in principle, the BACS may not publish or forward information on cyber incidents that contains personal data or data of legal persons unless consent has been given (art. 73c revISG). Only in two exceptional cases may the BACS forward information that allows conclusions to be drawn about the reporters or affected parties without their permission (art. 73d revISG):

  • Forwarding to the Federal Intelligence Service (FIS) is permissible if the information is relevant for the assessment of the threat or the early warning of critical infrastructures.
  • Forwarding to the criminal justice authorities is permitted if the report contains information on serious criminal offences. However, forwarding is solely at the discretion of the head of the BACS, as the obligation to report criminal offences has been waived for BACS employees.

In order to further strengthen this trust, the law states that authorities and organisations subject to the reporting obligation do not have to provide any information that would incriminate them under criminal law (art. 74e revISG).

Attention: No privileging of reporting third parties

Cyber incidents and cyber threats, in particular vulnerabilities, can be reported to the BACS not only by those affected, but also by third parties, and anonymously if desired (art. 73b revISG).

The rule above does not constitute a permissive norm (Erlaubnisnorm) that would justify otherwise unlawful conduct in the sense of a whistleblower privilege. Contractual and statutory confidentiality obligations must continue to be observed even when reports are made to the BACS. Likewise, the discovery of vulnerabilities through unauthorised intrusion into other people's IT resources («hacking») remains a punishable offence. Hackers cannot exempt themselves from criminal liability by reporting their actions to the BACS.

Comprehensive ISG requirements – also for third parties and providers

The requirements resulting from the ISG include compliance with security practices and security policies, strict control and monitoring of activities, and regular review and updating of security systems. The obligated authorities and organisations must ensure that the third parties and providers with whom they work are contractually obliged to take measures in accordance with the ISG and to ensure a secure operating environment. These third parties and providers must take security measures to ensure the integrity, security and reliability of their services, to protect their customers' data and information, and to ensure that only authorised persons can access it.

In addition, cloud and service providers as well as manufacturers of hardware and software whose products are used by critical infrastructures can fall under the obligation to report cyber attacks as provided for in the revision of the ISG.

Cyber security assessment for proactive information security

The ISG requires obligated authorities and organisations as well as operators of critical infrastructures to maintain comprehensive and proactive information security. A concise external cyber security assessment can evaluate the implementation of these requirements and determine whether the company has taken adequate measures to protect its information and IT resources, including against cyber incidents. This assessment should also evaluate the company's ability to respond to incidents and emergencies, as well as to monitor and improve the effectiveness of the implemented protective measures.

It is important that the assessment also takes into account compliance with industry-specific and legal requirements, such as the ISG. Repeating the assessment at regular intervals is also essential to ensure that the company keeps pace with the state of the art, which is a prerequisite for protecting itself as well as possible against threats. Last but not least, employees should be trained on information security and sensitised in particular to cyber security (keyword: security awareness). Employees must understand how they can contribute to the protection of the company.

Summary

The ISG and its revision place high demands on information security, with operators of critical infrastructures in particular being held accountable in the area of cyber security. These requirements must be met in order to ensure the security of critical information and systems for the population and the economy. The ISG and its revision ensure that the obligated authorities and organisations as well as the operators of critical infrastructures fulfil their responsibilities and thereby minimise potential risks and threats.

The necessity of these measures is understandable and long overdue, although their implementation can confront companies with various, very individual challenges. MME and InfoGuard can support you with the adaptations to the new legal requirements, both legally and technically, especially in the event of an incident.

ISG: https://www.fedlex.admin.ch/eli/oc/2022/232/de

revISG: https://www.newsd.admin.ch/newsd/message/attachments/74217.pdf

Authors: Dr. Martin Eckert (MME), Noëlle Glaus (MME), Markus Limacher (InfoGuard)