Confederation examining introduction of cyberincident reporting duty
Bern, 13.12.2019 - During its meeting on 13 December 2019, the Federal Council approved the report entitled "Options for critical infrastructure reporting duties in the case of serious security incidents". This report describes the core issues with regard to the introduction of reporting duties and illustrates possible models for their implementation. Based on these findings, the Federal Council intends to make fundamental decisions on the introduction of reporting duties by the end of 2020.
Switzerland does not have a general reporting duty for cyberincidents. Information on cyberincidents concerning critical infrastructures such as the energy supply, telecommunications or finance and insurance is exchanged on a voluntary basis via the Reporting and Analysis Centre for Information Assurance (MELANI). In view of the rapid development of cyber-risks, it is necessary to consider whether this voluntary exchange is sufficient to identify threats at an early stage and across sectors. The national strategy for the protection of Switzerland against cyber-risks (NCS) therefore states that the introduction of reporting duties has to be examined. Moreover, Parliament has submitted a postulate (17.3475 Graf-Litscher) which requires the Federal Council to demonstrate how reporting duties can be introduced for security incidents concerning critical infrastructures.
The initial findings of this review are now available in the report "Options for critical infrastructure reporting duties in the case of serious security incidents". It summarises the results of the work carried out to date and proposes options for the introduction of reporting duties, developed on the basis of the existing reporting duties for security incidents, the findings from interviews with specialists and the analyses of reporting duties in other countries. The key question for the possible options is whether cyberincidents should be reported to a separate body or whether the reporting offices for security incidents that already exist in some sectors should be supplemented. Depending on this organisational structure, it will be necessary to define the magnitude of incidents to be reported, the reporting timeframes, whether reports can be submitted anonymously and whether sanctions are defined for failure to report.
Fundamental decision by the end of 2020The Federal Council has instructed the newly created National Cybersecurity Centre in the Federal Department of Finance (FDF), together with the Federal Office for Civil Protection (FOCP), to clarify these issues with the competent cantonal and federal authorities, as well as the business community. They also have to examine whether the general reporting duties for disruptions to critical infrastructures should be extended. By the end of 2020 at the latest, a proposal that will enable fundamental decisions to be made on the critical infrastructure reporting duties is to be submitted to the Federal Council.
Address for enquiries
Tel. +41 58 462 60 33