On December 2, 2022, the Federal Council approved the Message on the amendment of the Information Security Act (ISG) adopted (Media release). The Draft law concerns the reporting obligation for operators of critical infrastructure to the National Cyber Security Center (NCSC). The NCSC thus replaces MELANI. – The ISG will then no longer be called the “Federal Act on Information Security at the Confederation”, but the “Federal Act on Information Security” (because it is no longer just about the Confederation). The Federal Council will still issue a concretizing ordinance.
Preliminary draft and consultation
This was preceded by a Preliminary draft of December 18, 2020 and a Consultation, which lasted from January 12 to April 14, 2022 (we have published on the ISG here, here, here and here reported). In the consultation process, 99 comments were received from cantons, operators of critical infrastructures and from research and industry. The reactions were positively positive (Consultation report). However, the main concerns were that the reporting obligation should be as unbureaucratic as possible and should not involve a great deal of additional work. In addition, the terms, the list of reportable areas and the exceptions to the reporting obligation should be specified, as should the definition of the cyberattacks to be reported and the modalities for submitting the report. The penalties for violating the reporting obligation and the handling of information from reports were also the subject of criticism and suggestions (incidentally, the FCO explicitly takes precedence here, and the NCSC, like the FDPIC and unlike the SNB or FINMA, is not exempt from the FCO).
A Deltaview between the consultation draft and the draft can be found here:
Reporting obligations according to the draft
The List of reportable areas was essentially adjusted as follows:
- the exemption for operators of nuclear facilities was deleted;
- instead of “hospitals”, the draft speaks of “health care facilities” (if they are on the hospital list);
- The obligation to notify manufacturers or distributors of medical devices was deleted;
- the linkage for transport companies was adjusted;
- airport operators were newly included;
- a restriction has been included in the utilities for daily needs;
- in the case of hardware and software manufacturers, the criteria for inclusion have been narrowed (use for the operation of medical devices or telecommunications equipment or IT security or encryption, etc. is no longer sufficient; security and trust service providers have been included instead).
Thus the List now simplified – we leave out details here, but they are important – the following companies and authorities:
- Universities;
- Federal, cantonal and municipal authorities as well as intercantonal, cantonal and intermunicipal organizations;
- Organizations with public tasks in the areas of Safety and rescue, drinking water supply, wastewater treatment and waste disposal (insofar as they act in a sovereign manner);
- Energy supplier and companies active in energy trading, energy metering or energy control;
- Banks, private insurance companies and financial market infrastructures – to this the message:
Companies in the financial sector are heavily affected by cyber attacks, as they are an attractive target for criminals due to the considerable financial resources they manage. It is important for the reliability of the Swiss financial center that such attacks are reported. The existing reporting obligation for cyber attacks to the Financial Market Supervisory Authority FINMA will remain in place in parallel to the new reporting obligation to the NCSC. FINMA and the NCSC will coordinate the reporting process to minimize the burden on those required to report.
- Healthcare Facilities on the cantonal hospital list (in addition to hospitals, also maternity hospitals and nursing homes);
- medical laboratories with a permit under the Epidemics Act;
- Companies that Drugs manufacture, place on the market or import;
- Social Security; in addition the message:
Organizations that provide benefits to cover the consequences of illness, accident, incapacity to work and disability, old age, disability and helplessness are also required to register. The term “social insurances” is not mentioned in the text of the law, as it is not defined by law.
The obligation to report is circumscribed on the basis of the benefits for risks covered by the General Provisions of the Federal Act of October 6, 200047F48 on the General Part of Social Insurance Law (ATSG) in order to cover as many branches of social insurance as possible. However, the obligation to report is not limited to social insurances that are subject to the ATSG. It has been decided not to enumerate individual laws (e.g. Federal Law of 19 June 195948F49 on Disability Insurance, Federal Law of 20 December 194649F50 on Old Age and Survivors’ Insurance) in order to cover not only statutory benefits but also non-compulsory benefits, such as occupational pensions or supplementary insurance to compulsory health insurance.
In the case of occupational pension plans (in the sense of the 2nd pillar), all registered and non-registered pension plans (including supplementary institutions), vested pension plans and the security fund are included.
Voluntary personal pension plans (pillars 3a and 3b) are generally offered by banks and insurance companies, which in turn are subject to the reporting obligation.
At the ordinance level, the Federal Council may also impose restrictions on the group of persons subject to the reporting obligation in the case of social insurance schemes and, for example, restrict the group of addressees of the pension and vested benefits institutions subject to the reporting obligation by means of suitable criteria (cf. Art. 74c and the explanations under 4.3.3).
- the SRG and News Agencies of national importance (currently only Keystone-SDA);
- Postal Service Provider;
- Railroad company and Cable car, trolley bus, bus and shipping companies;
- Company of the Civil Aviation and National Airports according to the infrastructure sectoral plan;
- Shipping companies that transport goods on the Rhine and companies that operate registration, loading or unloading in the Port of Basel;
- Companies that provide the population with indispensable goods of the daily need supply and whose failure or impairment would lead to significant supply bottlenecks – this is what the message is about:
A large number of players are involved in supplying the population with essential goods for daily use, especially food. In addition to producers and importers, processors, distribution centers and retailers also play an important role. Not all of these players are equally important for the security of supply in Switzerland. For this reason, a restriction has already been made at the legislative level to companies whose failure or impairment would lead to significant supply bottlenecks.
The obligation to report cyberattacks should thus apply only to those actors who are important in this respect. The Federal Council will therefore restrict the reporting obligation in the area of the supply of essential goods of daily use at ordinance level in accordance with the criteria of Article 74c.
- registered Telecommunications service providers;
- Registrars;
- Providers and operators of services and infrastructures that serve the Exercise of political rights (e‑voting, systems for keeping voting registers and for determining and transmitting the results of ballots, electronic signature collection, printing of voting material);
- Providers and operators of Cloud Computing, Search engines, digital security and trust services as well as Data centers based in Switzerland; in addition, the message:
The notification requirement applies to providers and operators of cloud computing (e.g. software-as-a-service, SaaS), search engines, digital security and trust services, and data centers, provided they have a registered office in Switzerland.
By analogy with EU law,62F 63 the term “trust service” covers services in the areas of electronic signatures, seals and time stamps, delivery of electronic registered mail, certificates for authentication, and (preservation) services for electronic signatures, seals and certificates. The e‑ID, for example, is thus also considered a trust service.
By security service is meant, in particular, solutions for the encryption of information or serve the IT means of protection against cyber attacks (spam filters, antivirus programs, firewalls).
- Manufacturer from Hardware or software, whose products are used by critical infrastructures and have remote access or are used to control and monitor operational systems and processes or to ensure public safety. In addition, the message:
Cyber attacks on critical infrastructures via their supply chains have become a relevant threat. In particular, the suppliers of hardware and software are in the focus. The attackers manipulate the IT resources before they are delivered to the end customers so that they can later gain access to the systems. Cyber attacks on the manufacturers of hardware and software for critical infrastructures are therefore of great importance for cyber security.
Cyber attacks on manufacturers are particularly relevant if they have remote maintenance access to the systems. Remote maintenance access allows manufacturers who have the appropriate authorization to access IT and OT components in the local network from outside – i.e., usually via the Internet – for the purpose of maintenance or troubleshooting. Attackers can attempt to penetrate critical infrastructure systems directly via such legitimate access points.
In addition to the criterion of remote maintenance access, manufacturers of hardware and software are also required to report if their products are used in particularly sensitive areas. This applies to hardware and software for controlling and monitoring physical devices, processes and events (so-called operational technology). In particular, this includes industrial control systems and automation solutions that perform control and regulation functions of all kinds. Other examples are laboratory equipment, e.g. automated microscopes or analysis tools, logistics systems, such as barcode scanners with small computers, or building management systems (item 1).
The focus is also on hardware and software used to ensure public safety (item 2). This includes, in particular, the communications of emergency organizations or systems for police investigations.
However, no obligation to report arises simply because a cyber attack affects the IT resources of the companies’ customers. Internet service providers are therefore generally not responsible for reporting incidents involving their customers, according to the message.
With the Exceptions from the reporting requirement will be regulated by the Federal Council, including through thresholds; however, the subject of the exceptions in the law has been clarified (it concerns cases where cyberattacks have only a minor impact).
Since some ambiguities remain, even with a specification at the ordinance level, the NCSC is to provide information (e.g., through FAQ) as to whether borderline cases are covered. If this classification is disputed or doubted, the NCSC must, according to the message, issue an appealable order. This is likely to involve not only subordination orders, but also non-subordination orders.
Mandatory reporting of cyber attacks
At the Obligation to report in a specific case the requirements have been streamlined. Cyberattacks on the information technology assets of covered entities must be reported. “Cyberattacks” are to be reported if they are.
- jeopardizes the functionality of the affected critical infrastructure;
- led to tampering (e.g., data encryption in a ransomware attack) or information leakage;
- remained undetected for an extended period of time, especially if there are indications that it was carried out in preparation for further cyberattacks; or
- is connected with extortion, threats or coercion, i.e. in the case of accompanying circumstances relevant under criminal law. However, according to the message, this presupposes that the extortion, threat or coercion has a connection to the company subject to the reporting requirement and can have a negative impact on its business activities.
Content information on the reporting authority or organization, the type and execution of the cyber attack (e.g. IP addresses or DNS records of known attack infrastructures such as botnets or command and control servers, URL to suspicious pages, hash values of malware, virus signatures, anomalies in network traffic or suspicious behavior of software, according to the message), its effects, measures taken and, if known, the planned further action. However, an obligation to report information that would lead to the reporting party being criminally charged is expressly excluded. This will be mentioned in the reporting form.
Also specified was the Reporting deadline: The notification must no longer be made as soon as possible, but – as is the case, for example, after the FINMA supervisory notice on cyberattacks or the new circular Operational Risks and Resilience – within 24 hours of the discovery of the cyber attack. Within this period, however, only the information known up to that point must be reported; the report can be supplemented later.
The NCSC According to the Federal Council, it wants to introduce an electronic Registration form with which messages can be recorded and, if desired, transmitted to other offices. This will also describe what is meant by the individual pieces of information. The message:
The NCSC already uses an electronic reporting form to receive voluntary reports. The electronic reporting system of the NCSC can also be used for the receipt of reports in fulfillment of the reporting obligation. The necessary coordination with other bodies that also accept reports (e.g. FDPIC, Swiss Financial Market Supervisory Authority [FINMA], Swiss Federal Nuclear Safety Inspectorate [ENSI]) and the configuration of the reporting form will require an initial outlay that can, however, be absorbed by the existing resources of the NCSC. However, in order to implement the template, the NCSC must be able to ensure that reports received in fulfillment of the reporting requirement are correctly recorded, acknowledged, and documented, and that the resulting cyber threat information is forwarded to the proper parties for early warning purposes. This additional effort must be considered as the NCSC continues to expand.
For coordination purposes, the reporting system is designed in such a way that reports can be transmitted in whole or in part to other authorities, and additional information can also be recorded for such further reports. In this case, the notifying parties alone decide on such further notifications.
Penal provisions
In contrast, the contents of the Penal provisions. As before, only a violation of an order of the NCSC (i.e., after an initial less formal contact by the NCSC) is punishable, not the failure to report, and continues to be punishable by a fine of up to CHF 100,000. In analogy to the nDSG, the person who “should have ensured within the critical infrastructure that the order of the NCSC was complied with” would be punishable. The threshold for a subsidiary burden on the company in the case of disproportionate investigation efforts remains at CHF 20,000 (i.e., as with the nDSG, at 20% of the fine limit). To ensure that the reports are nevertheless made, the law creates an incentive: those obliged to report are entitled to the support of the NCSC following a report that complies with the law.
Amendments to other enactments (incl. nDSG)
Adjustments are also to be made to the Public Procurement Act, at the Nuclear Energy Act, at the Electricity Supply Act and at the Financial Market Supervision Actbut also with the nDSG would be inserted in Art. 24 (notification of data security breaches) a new paragraph 5bis, which would essentially replace Art. 41 of the FDPO corresponds:
1 The controller shall notify the FDPIC as soon as possible of a data breach that is likely to result in a high risk to the personality or fundamental rights of the data subject.
2 The notification shall at least specify the nature of the data breach, its consequences and the measures taken or envisaged.
3 The Order Processor shall report a data breach to the Responsible Party as soon as possible.
4 The data controller shall inform the data subject if it is necessary for his or her protection or if the FDPIC so requests.
5 It may limit, postpone or waive the information to the data subject if:
a. there is a reason pursuant to Article 26(1)(b) or (2)(b) or a statutory duty of confidentiality prohibits this;
b. the information is impossible or requires a disproportionate effort; or
c. the information of the data subject is ensured by a public announcement in a comparable manner.
5bis The FDPIC may, with the consent of the responsible party, forward the notification to the National Cyber Security Center for analysis of the incident. The notification may contain personal data, including particularly sensitive personal data about administrative and criminal prosecutions or sanctions concerning the responsible party.
6 A report made pursuant to this article may be used in criminal proceedings against the person required to make the report only with that person’s consent.
In addition, the message:
In order for the FDPIC to be able to involve the technical specialists of the NCSC in the analysis of a data breach which has occurred and which has been reported to him by the data controller on the basis of Article 24 nDSG and Article 19 FADP, Article 24 paragraph 5bis nDSG provides, That the FDPIC may forward a data breach notification to the NCSC..
The forwarding may contain any information pursuant to Article 19(1) DPA, but at the same time must refer to the information necessary for the NCSC to analyze the incident. Limit necessary data. In this context, the communication of the FDPIC to the NCSC may also contain personal data, including particularly sensitive personal data on administrative and criminal prosecutions or sanctions of the responsible party subject to the reporting obligation. The information necessary for the analysis of an incident is selected on a case-by-case basis, However, under certain circumstances, this may also indirectly provide information to the NCSC about an ongoing proceeding. Therefore, a legal basis for the disclosure of personal data requiring special protection must be created.
The prerequisite is that the person responsible, who is obliged to report to the FDPIC, has given his or her prior consent to the forwarding of the information. Furthermore, the forwarding must not lead to the circumvention of Article 24 (6) nDSG, according to which the report may only be used in the context of criminal proceedings with the consent of the person required to report. This means that a person responsible will be able to invoke the prohibition of exploitation under data protection law even in the event that its report is forwarded to the NCSC. The new paragraph 5bis in Article 24 nDSG does not allow the FDPIC to systematically forward reports to the NCSC. Rather, the FDPIC may only make use of this possibility in individual cases where the technical expertise of the NCSC is necessary for the clarification of an incident.
This right to forward information from the FDPIC to the NCSC is limited to a one-way exchange of information. For its part, the NCSC does not provide the FDPIC with information from notifications, even if they involve data breaches. However, the NCSC provides an electronic system that allows reporters to forward the report or parts of it. The reporting person is thus given the opportunity to use the cyberattack notification form also to report a data breach to the FDPIC.
The revised Data Protection Act is expected to enter into force in September 2023, i.e. shortly after the ISG enters into force (without this bill). From that date until the entry into force of the revised Chapter 5 ISG (this bill) at the end of 2023 at the earliest, the rule provided for in Article 24(5bis) will already apply at the ordinance level (cf. Art. 41 para. 1 of the Data Protection Ordinance of 31 August 2022). Upon entry into force of this bill, the Federal Council will repeal that provision of the ordinance.