The National Cyber Security Centre (NCSC) compiles statistics on cyberattacks reported by individuals and businesses. These figures cover not only attacks that caused damage but also attacks that were successfully thwarted. Because only reported attacks enter the statistics, a significant number of incidents probably go unrecorded. This raises the question of whether Switzerland imposes mandatory reporting obligations after a cyberattack.
The European Parliament and the Council, acting on a proposal from the Commission, adopted the General Data Protection Regulation (GDPR), a significant advancement in European data protection law. Its objective is to safeguard the fundamental right to the protection of personal data by imposing transparency obligations on companies that process such data, in particular information, reporting and disclosure duties that apply when personal data is compromised, for example in a cyberattack. Regulations are directly applicable in EU Member States, so no national implementing legislation is required. Although Switzerland is not an EU Member State, the GDPR is relevant to Swiss companies:
If a Swiss company falls within the territorial scope of the GDPR, it must report personal data breaches caused by cyberattacks, such as data theft, encryption of data by ransomware and unauthorized access to data, to the competent data protection authority (within 72 hours where feasible, unless the breach is unlikely to result in a risk to the individuals concerned) and, where the breach is likely to result in a high risk to them, to the affected individuals as well (Articles 33 and 34 GDPR).
Switzerland has introduced a similar reporting obligation with the revised Federal Data Protection Act (revDSG 2023), which enters into force on September 1, 2023. When a cyberattack compromises personal data, the affected individuals must be informed if this is necessary for their protection or if the Federal Data Protection and Information Commissioner (EDÖB) requests it (Article 24, Paragraph 4, revDSG 2023). This obligation is not unlimited: under Article 24, Paragraph 5, lit. a-c, revDSG 2023, the information may be restricted, postponed or omitted, for example where informing the individuals is impossible or would require disproportionate effort, or where a public announcement informs them equally well. Independently of this, a breach must be reported to the EDÖB as quickly as possible if it is likely to result in a high risk to the personality or fundamental rights of the affected individuals (Article 24, Paragraph 1, revDSG 2023). There is no general obligation to inform the public, but such an obligation may follow from the general data processing principles in Article 4, Paragraphs 1 and 2, DSG or Article 6, Paragraphs 1 and 2, revDSG 2023. Public disclosure as a way of informing the affected individuals is explicitly provided for in Article 24, Paragraph 5, revDSG 2023.
In addition, Article 29, Paragraph 2, of the Financial Market Supervision Act (FINMAG) obliges institutions supervised by the Swiss Financial Market Supervisory Authority (FINMA) to report cyberattacks to FINMA. The obligation is limited to incidents that are "of significant importance" to FINMA's supervisory activities (see also FINMA Circular 08/25 and FINMA Guidance 05/2020 on the duty to report cyberattacks).
Article 96 of the Ordinance on Telecommunications Services (FDV) obliges providers of telecommunications services to report incidents, including cyberattacks, that can affect at least 10,000 customers. Such reports are made to the National Emergency Operations Centre (NAZ), which in turn informs the National Cyber Security Centre (NCSC). In the healthcare sector, the certified communities of the electronic patient record (groups of healthcare institutions such as medical practices and hospitals) must likewise report cyberattacks that affect patient records (Article 12, Paragraph 3, EPDV). Companies with publicly traded securities must disclose price-sensitive facts; this obligation, commonly known as ad hoc publicity, is set out in Article 53 of the Listing Rules published by SIX Exchange Regulation. Beyond statutory duties, reporting obligations may arise from contracts: insurance policies, for example, commonly require policyholders to report cyberattacks to the insurer, and other contracts may contain similar clauses. Voluntary reports can be made to the Cybercrime Coordination Unit Switzerland (KOBIK), the National Cyber Security Centre (NCSC) and, of course, law enforcement authorities. Foreign law can also be a source of reporting obligations. Whether any of these obligations applies must be assessed case by case.
Companies in Switzerland may therefore already be subject to reporting obligations, particularly if they fall within the scope of the GDPR or are supervised by FINMA. Once the revDSG 2023 enters into force on September 1, 2023, every company in Switzerland will be subject to a statutory reporting obligation whenever a cyberattack compromises personal data. Sector-specific, contractual, voluntary and foreign reporting requirements come on top of this.