Update To The New Information Security Act – Security

Cyber attacks on public authorities and private
individuals have increased sharply in recent years. The new
Information Security Act is intended to close the existing gaps in
the area of information security.

ISG – A new law that is already under revision

The Information Security Act (Informationssicherheitsgesetz,
ISG) and the associated Ordinance on Information Security in the
Federal Administration and the Armed Forces
(Informationssicherheitsverordnung, ISV), the Ordinance on
Personnel Security Checks (VPSP) and the Ordinance on Operational
Security Procedures (VBSV) entered into force on 1 January
2024.

A revision of the ISG (obligation to report cyber attacks on
critical infrastructure) has been adopted and is scheduled to enter
into force on 1 January 2025. In addition, the former National
Cyber Security Centre (NCSC), which was previously part of the
Federal Department of Finance (FDF), has been transformed into the
new Federal Office for Cyber Security (Bundesamt für
Cybersicherheit, BACS). BACS has been integrated into the
Federal Department of Defence, Civil Protection and Sport
(DDPS).

Objective

The ISG aims to regulate the security of federal information and
IT resources uniformly for all federal authorities and
organizations in order to strengthen the information security
(cyber security) of the federal government as a whole. The focus
here will be on critical information and systems as well as on the
standardization of measures. As part of the revision of the ISG, a
reporting obligation for cyber attacks will be introduced, which,
due to the broad definition of the term, will particularly oblige
the operators of critical infrastructures.

Who is subject to the Information Security Act?

The following obligated authorities and organizations of the
federal government are subject to the ISG (art. 2 ISG): the Federal
Assembly, the Federal Council, the federal courts, the Office of
the Attorney General of Switzerland and its supervisory authority,
the Swiss National Bank, the parliamentary services, the Federal
Administration, the administration of the federal courts, the army,
and the organizations pursuant to art. 2 paras. 3 and 4 of the
Government and Administration Organisation Act (GAOA).

If the obligated authorities and organisations cooperate with
third parties, they must ensure that the requirements and measures
provided for by law are set out in the corresponding contracts and
agreements (art. 9 ISG). Third parties are all authorities,
organisations and persons under public or private law that are not
themselves obligated authorities and organisations and that act
essentially independently of them.

An obligation to report cyber attacks is introduced for the
operators of critical infrastructures. Critical infrastructures are
authorities and organisations that are worthwhile targets for cyber
attacks because of their importance for the population and the
economy. These include, for example, universities, authorities,
security and rescue organisations, drinking water supply, waste
water disposal, waste disposal, energy supply, banks, insurance
companies, health care facilities, social insurance institutions, the
Swiss Radio and Television Company, postal services, public
transport, civil aviation, the supply of essential goods for daily use,
telecommunications services, the exercise of political rights, digital
services and manufacturers of hardware and software (exhaustive list
in art. 74b revISG).

What are the new requirements and obligations?

The ISG contains requirements for obligated organisations and
authorities regarding information security (art. 6-23 ISG). These
include, among others:

  • Information Security Management System (ISMS): Obligated
    authorities and organisations must create and implement an ISMS
    that meets the requirements of the ISG. This includes the
    evaluation of the need for protection of information (art. 6 ISG)
    and, if necessary, its classification (art. 11-15 ISG), the
    identification and ongoing assessment of risks (art. 8 ISG), the
    definition of a security procedure and security measures in
    connection with IT resources (art. 16-19 ISG) and ensuring
    personnel and physical security (art. 20-23 ISG).

  • Information: Obligated authorities and organisations must
    identify information they process, evaluate its need for protection
    (art. 6 ISG) and classify it (art. 11-15 ISG). Furthermore, it must
    be ensured that appropriate protective measures are taken to
    protect this information from unauthorised access, loss, disruption
    or misuse (art. 6-10 ISG).

  • Risk management: Obligated authorities and organisations must
    control the risks in their own area of responsibility as well as in
    cooperation with third parties. The most suitable measures for risk
    avoidance and reduction must be taken. Residual risks must be
    clearly identified, demonstrably accepted and borne by the
    responsible party (art. 8 ISG).

  • IT resources: Obligated authorities and organisations shall
    establish a security procedure to ensure information security when
    using IT resources. The IT resources must be assigned a security
    level, which is accompanied by minimum requirements and security
    measures (art. 16-19 ISG).

  • Personnel: Obligated authorities and organisations must ensure
    that persons who have access to information, IT resources, premises
    and other federal infrastructures are carefully selected and
    identified in accordance with the risks. They must be informed
    about the requirements of the ISG and the relevant security
    measures and be trained and educated at the appropriate level (art.
    20 ISG).

  • Premises and areas: Obligated authorities and organisations
    must reduce the risks that arise from physical threats (human
    actions, natural hazards). Premises and areas can be assigned to
    security zones, which can be associated with appropriate controls
    (e.g. access control, bag checks) (art. 22-23 ISG).

  • Cooperation with third parties: When cooperating with third
    parties who are not subject to the ISG, the obligated authorities
    and organisations must ensure that the legal measures are complied
    with when placing and executing orders. The security measures are
    to be regulated contractually (art. 9 ISG).

The revision of the ISG (BBl 2023 84 – Botschaft zur Änderung
des Informationssicherheitsgesetzes – Einführung einer
Meldepflicht für Cyberangriffe auf kritische
Infrastrukturen) provides for new regulations regarding cyber
security (art. 73a-79 revISG):

  • Voluntary reporting of cyber incidents and vulnerabilities:
    Reports of cyber incidents (incl. cyber threats) and
    vulnerabilities in IT resources can still be voluntarily reported
    to the Federal Office for Cyber Security (BACS, previously:
    National Cyber Security Centre, NCSC). This possibility is not
    limited to operators of critical infrastructures but is open to any
    person – even anonymously (art. 73b revISG).

  • Removal of vulnerabilities: The BACS informs the manufacturers
    of the affected software or hardware about reported vulnerabilities
    and sets them an appropriate deadline for their removal. If the
    manufacturer does not remedy the vulnerability within the deadline,
    the BACS may publish it (art. 73b revISG).

  • Obligation to report cyber attacks: Authorities and
    organisations subject to the reporting obligation must report cyber
    attacks to the BACS within 24 hours of their discovery if the
    attacks have serious consequences (art. 74a-e revISG). If not all
    information is available within 24 hours, the report may be
    submitted in stages and completed within 14 days (art. 74e revISG).

  • Violation of the obligation to report: If an authority or
    organisation subject to the reporting obligation fails to comply
    with it, it may – after having been set a deadline twice –
    be punished with a fine of up to CHF 100,000 (art. 74g-74h
    revISG).

Parliament adopted the amendments to the ISG on 29 September
2023. The implementing regulations have not yet been issued. It is
currently planned that the reporting obligation will come into
force on 1 January 2025.

How is the trust between BACS and reporters ensured?

The Freedom of Information Act (FoIA) takes precedence over the ISG
(art. 4 para. 1 ISG). This means that, in principle, all persons have
access to official documents and information of the federal
administration, unless an exception applies or a weighing of
interests speaks against disclosure. The revision of the ISG makes an
exception to this rule insofar as information from third parties of
which the BACS becomes aware through the receipt and analysis of
reports on cyber incidents is excluded from the right of access under
the FoIA (art. 4 para. 1bis revISG).

This means that, in principle, the BACS may not publish or
forward information on cyber incidents that contain personal data
or data of legal persons unless consent has been given (art. 73c
revISG). Only in two exceptional cases may the BACS forward
information that allows conclusions to be drawn about the reporters
or affected subjects without their permission (art. 73d
revISG):

  • Forwarding to the Federal Intelligence Service (FIS) is
    permissible if the information is relevant for the assessment of
    the threat or the early warning of critical infrastructures.

  • Forwarding to the criminal justice authorities is permitted if
    the report contains information on serious criminal offences.
    However, forwarding is solely at the discretion of the head of the
    BACS, as the obligation to report criminal offences has been waived
    for BACS employees.

In order to further strengthen this trust, the law states that
authorities and organisations subject to the reporting obligation
do not have to provide any information that would incriminate them
under criminal law (art. 74e revISG).

Attention: No privileging of reporting third parties

Cyber incidents and cyber threats, in particular
vulnerabilities, can be reported to the BACS not only by those
affected, but also by third parties, and anonymously if desired
(art. 73b revISG).

The provision above does not constitute a justification in the
sense of whistle-blower protection. Contractual and statutory
confidentiality obligations must continue to be observed even when
reports are made to the BACS. Likewise, the discovery of
vulnerabilities through unauthorised intrusion into other
people’s IT resources («hacking») remains a
punishable offence. Hackers cannot exempt themselves from
criminal liability by reporting their actions to the BACS.

Comprehensive ISG requirements – also for third parties
and providers

The requirements resulting from the ISG include compliance with
security practices and security policies, strict control and
monitoring of activities as well as regular review and updating of
security systems. The obligated authorities and organisations must
ensure that third parties and providers with whom they work are
contractually obligated to take measures in accordance with the ISG
and to ensure a secure operating environment. These third parties
and providers must take security measures to ensure the integrity,
security and reliability of their services as well as to protect
their customers’ data and information and ensure that only
authorised persons can access it.

In addition, cloud and service providers as well as
manufacturers of hardware and software whose products are used by
critical infrastructures can fall under the obligation to report
cyber attacks as provided for in the revision of the ISG.

Cyber security assessment for proactive information
security

The ISG requires obligated authorities and organisations as well
as operators of critical infrastructures to maintain comprehensive
and proactive information security. An external cyber security
assessment can evaluate the implementation of these requirements and
determine whether the company has taken adequate measures to protect
its information and IT resources, including against cyber incidents.
Such an assessment should also evaluate the company’s ability
to respond to incidents and emergencies, as well as to monitor and
improve the effectiveness of the implemented protective measures.

It is important that the assessment also takes into account
industry-specific and legal requirements – such as the ISG.
The assessment must be repeated regularly so that the company keeps
pace with the current threat landscape and state of the art; this is
a prerequisite for protecting itself as well as possible against
threats. Last but not least, employees should be trained in
information security and sensitised in particular to cyber security
(keyword: security awareness). Employees must understand how they
can contribute to the protection of the company.

Summary

The ISG and its revision place high demands on information
security, with operators of critical infrastructures in particular
being held accountable in the area of cyber security. These
requirements must be met in order to ensure the security of
critical information and systems for the population and the
economy. The ISG and its revision ensure that the obligated
authorities and organisations as well as the operators of critical
infrastructures fulfil their responsibilities and thereby minimise
potential risks and threats.

The necessity of these measures is understandable and long
overdue, whereby their implementation can confront companies with
various, very individual challenges. MME and InfoGuard can support you with the adaptations
to the new legal requirements, both legally and technically,
especially in the event of an incident.

ISG: https://www.fedlex.admin.ch/eli/oc/2022/232/de

revISG: https://www.newsd.admin.ch/newsd/message/attachments/74217.pdf

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
