Philipp Rosenauer
Partner Legal, PwC Switzerland
The website is unavailable. Access to the system is blocked and sales can no longer be processed. Unknown persons demand that the company pay a ransom to prevent the publication of the stolen manufacturing plans and customer master data.
Unfortunately, such a terrifying scenario has recently become reality for many companies. All companies in all industries are fundamentally susceptible to ICT-related incidents. Such incidents can originate within the company itself (e.g., through technical inadequacies or negligence) or from external causes (e.g., hackers, organized crime).
The good news: ICT incidents can be prevented, if not completely, then at least to a large extent through appropriate preventive measures. In addition, a well-prepared company is significantly less affected by the consequences in the event of an emergency.
In addition to appropriate technical measures (suitable hardware and software, backups, network monitoring, etc.), the regulatory and legal handling of ICT risks (Cyberlaw) is of great importance both before and after an incident.
Cyberlaw can be applied pragmatically and efficiently, providing a 360° protection framework for the company before, during and after an ICT incident.
In addition, the reporting obligations to authorities and affected parties will gain in importance in the future. Already today, certain regulated or listed companies are subject to a regulatory reporting obligation. In the future, all Swiss companies will be subject to a reporting obligation in certain cases. For example, with the imminent entry into force of the revised Data Protection Act, data security breaches are expected to be reported to the Federal Data Protection and Information Commissioner (FDPIC) from the middle/end of this year if certain requirements are met.
In addition, the Federal Council recently opened the consultation process on the introduction of a reporting obligation in the event of attacks on ICT systems for operators of critical infrastructures to the National Cyber Security Center (NCSC). Operators of critical infrastructure include banks, insurance companies and other financial intermediaries, certain providers of cloud computing, online marketplaces and other digital services, manufacturers of pharmaceuticals and medical devices, public transport companies and others.
Thanks to the correct regulatory and legal handling of the risks associated with the use of ICT systems (Cyberlaw), a company can significantly increase security and minimize vulnerability.
PwC supports companies in all industries regarding regulatory and legal aspects of ICT risks and the effective and pragmatic implementation of a protection concept.
Associate | Data Privacy | ICT | Implementation+, PwC Switzerland
Tel: +41 58 792 43 06