Cyber attacks on public authorities and private individuals have increased sharply in recent years. The existing gaps in the area of information security are to be closed by the new Information Security Act.
At the legislative level, information security and cyber security are to be strengthened this year by the Information Security Act (Informationssicherheitsgesetz, ISG) and its revision. The effective date has not yet been determined.
The ISG aims to regulate the security of federal information and IT resources uniformly for all federal authorities and organizations in order to strengthen the information security (cyber security) of the federal government as a whole. The focus here will be on critical information and systems as well as on the standardization of measures. As part of the revision of the ISG, a reporting obligation for cyber attacks will be introduced, which, due to the broad definition of the term, will particularly oblige the operators of critical infrastructures.
The following obligated authorities and organizations of the federal government are subject to the ISG (art. 2 ISG): the Federal Assembly, the Federal Council, the federal courts, the Office of the Attorney General of Switzerland and its supervisory authority, the Swiss National Bank, the parliamentary services, the Federal Administration, the administration of the federal courts, the army, and the organizations pursuant to art. 2 paras. 3 and 4 of the Government and Administration Organisation Act (GAOA). If the obligated authorities and organisations cooperate with third parties, they shall ensure that the requirements and measures provided for by law are set out in the corresponding contracts and agreements (art. 9 ISG). Third parties are all authorities, organisations and persons under public and private law who are not obligated authorities and organisations and who basically act independently of them. An obligation to report cyber attacks is introduced for the operators of critical infrastructures. Critical infrastructures are authorities and organisations that are worthwhile targets for cyber attacks. These include, for example, universities, authorities, security and rescue organisations, drinking water supply, waste water supply, waste disposal, energy supply, banks, insurance companies, health care facilities, social insurance companies, the Swiss Radio and Television Company, postal services, public transport, civil aviation, essential goods for daily use, telecommunications services, political rights, digital services and manufacturers of hardware and software (exhaustive list in art. 74b ISG).
The ISG contains requirements for obligated organisations and authorities regarding information security (art. 6-23 ISG). These include, among others:
The revision of the ISG provides for new regulations regarding cyber security (art. 73a-79 revISG):
Freedom of Information Act (FoIA) takes precedence over the ISG (art. 4 para. 1 ISG). This means in principle that all persons have access to official documents and information of the government, provided there are no exceptions or weighing of interests. The revision of the ISG makes an exception to this rule insofar as information from third parties of which the NCSC becomes aware through the receipt and analysis of reports on cyber incidents is excluded from the right of access under the FoIA (art. 4 para. 1bis revISG).
This means that, in principle, the NCSC may not publish or forward information on cyber incidents that contain personal data or data of legal persons unless consent has been given (art. 73c revISG). Only in two exceptional cases may the NCSC forward information that allows conclusions to be drawn about the reporters or affected subjects without their permission (art. 73d revISG):
In order to further strengthen the trust, the law states that authorities and organisations subject to the reporting obligation do not have to provide any information that would incriminate him or her under criminal law (art. 74e revISG).
Cyber incidents and cyber threats, in particular vulnerabilities, can be reported to the NCSC not only by those affected, but also by third parties, and anonymously if desired (art. 73b revISG).
The regulation above does not constitute a permission norm in the sense of a whistle-blower offence. Contractual and statutory confidentiality obligations must continue to be observed even when reports are made to the NCSC. Also, the discovery of vulnerabilities through unauthorised intrusion into other people's IT resources («hacking») is still a punishable offence. Hackers should not be able to exempt themselves from criminal liability by reporting their actions to the NCSC.
The requirements resulting from the ISG include compliance with security practices and security policies, strict control and monitoring of activities as well as regular review and updating of security systems. The obligated authorities and organisations must ensure that third parties and providers with whom they work are contractually obligated to take measures in accordance with the ISG and to ensure a secure operating environment. These third parties and providers must take security measures to ensure the integrity, security and reliability of their services as well as to protect their customers' data and information and ensure that only authorised persons can access it.
In addition, cloud and service providers as well as manufacturers of hardware and software whose products are used by critical infrastructures can fall under the obligation to report cyber attacks as provided for in the revision of the ISG.
The ISG requires obligated authorities and organisations as well as operators of critical infrastructures to have a comprehensive and proactive information security. A summary, external cyber security assessment can evaluate the implementation of these requirements and determine whether the company has taken adequate measures to protect its information and IT resources, including against any cyber incidents. This assessment should also evaluate the company's ability to respond to incidents and emergencies, as well as to monitor and improve the effectiveness of the implemented protective measures. It is important that the assessment also takes into account compliance with industry-specific requirements and legal requirements – such as the ISG. A regular review of the assessment is also essential to ensure that the company remains up-to-date with the latest technology. This is a requirement for being able to protect itself as well as possible against threats. Last but not least, employees should be trained on information security, whereby they must be sensitised in particular to the topic of cyber security (keyword security awareness). Employees must understand how they can contribute to the protection of the company.
The ISG and its revision place high demands on information security, with operators of critical infrastructures in particular being held accountable in the area of cyber security. These requirements must be met in order to ensure the security of critical information and systems for the population and the economy. The ISG and its revision ensure that the obligated authorities and organisations as well as the operators of critical infrastructures fulfil their responsibilities and thereby minimise potential risks and threats.
The necessity of these measures is understandable and long overdue, whereby their implementation can confront companies with various, very individual challenges. MME and InfoGuard can support you with the adaptations to the new legal requirements, both legally and technically, especially in the event of an incident.
ISG revision: consequences & obligations for critical infrastructure operators Part 1 | Part 2
Authors: Dr. Martin Eckert (MME), Noëlle Glaus (MME), Markus Limacher (InfoGuard), March 2023