Basic Cybersecurity Responsibilities for Swiss Companies: Legal Requirements

If your company suffers a data breach tomorrow, could you prove to regulators that you took reasonable precautions? For many Swiss SMEs, the honest answer is no. Cybersecurity is not just good practice; it is legally mandated in several areas. Swiss companies have concrete obligations regarding data security, data protection, and technical safeguards.

This article provides a practical overview of the basic obligations that apply to Swiss companies, regardless of size or industry. It covers what is legally required, which measures must be implemented, and what liability risks exist.

Legal Foundations: Which Laws Apply?

Multiple laws and regulations create cybersecurity obligations for Swiss companies.

1. Revised Data Protection Act (revDSG)

The revised Data Protection Act (revDSG), in force since September 1, 2023, is the central foundation for data protection and data security.

Scope:

• Applies to all companies processing personal data
• Applies to Swiss companies and foreign companies processing personal data in Switzerland
• No thresholds, no exceptions for SMEs

Core obligations:

• Adequate data security (Art. 8 revDSG)
• Notification obligation for data breaches (Art. 24 revDSG)
• Register of processing activities (Art. 12 revDSG)
• Privacy by Design and Privacy by Default (implicit)
• Data protection impact assessment for high risks (Art. 22 revDSG)

2. Code of Obligations (OR)

The Code of Obligations creates duty of care obligations for corporate bodies.

Relevance for cybersecurity:

• Art. 716a OR: Management must exercise supreme management, which includes risk management
• Art. 754 OR: Organ liability for breaches of duty
• Cybersecurity risks are part of corporate duty of care

3. FINMA Regulation

For financial institutions (banks, insurance companies, asset managers, fund management companies), additional requirements apply.

Relevant circulars:

• FINMA Circular 2008/21: Operational Risks Banks
• FINMA Circular 2023/1: Cyber Risks
• FINMA Circular 2008/7: Outsourcing (relevant for cloud usage)

Core obligations:

• Consider cyber risks in risk management
• Incident response plans
• Business continuity management
• Notification obligations for significant incidents

4. Other Industry-Specific Regulations

• Therapeutic Products Act: Requirements for medical technology and pharmaceutical companies
• E-commerce legislation: Requirements for online shops
• Contractual obligations: Customer requirements, industry standards

Data Security: What is “Adequate”?

Art. 8 revDSG requires “adequate technical and organisational measures” to protect personal data.

What Does “Adequate” Mean?

“Adequate” is not rigidly defined but context-dependent. The following factors are relevant:

• Type of data: Sensitive data (health, finance, biometric) requires higher protection measures
• Scope of processing: Large data volumes require stronger security
• Risks: The higher the risk to those affected, the higher the requirements
• State of the art: What is technically possible and common today?
• Costs: Measures must be proportionate, but costs are not a free pass for inaction

Minimum Technical Measures

The following technical measures are considered minimum standards:

1. Access Protection

• Strong passwords: At least 12 characters, complexity requirements
• Multi-factor authentication (MFA): For all access to systems with personal data
• Authorization concept: Users only get access to data they need (need-to-know principle)
• Regular review: Permissions are revoked when roles change or employees leave

Practical tip: MFA is technically easy to implement (e.g., via authenticator apps) and massively increases security.

2. Encryption

• Encryption at rest: Databases, backups, local storage
• Encryption in transit: HTTPS, VPN, encrypted emails
• Mobile work: Laptops and mobile devices must be encrypted

Practical tip: Modern operating systems (Windows BitLocker, macOS FileVault) offer simple full disk encryption.

3. Backups

• Regular backups: At least daily for critical data
• Offline backups: At least one backup offline or immutable to ensure ransomware protection
• Recovery testing: Regularly test whether data can be restored

Practical tip: Follow the 3-2-1 rule: 3 copies, 2 different media, 1 copy offsite.

4. Updates and Patch Management

• Regular updates: Operating systems, software, firmware
• Timely installation: Security patches within days, not weeks
• Avoid end-of-life software: Don’t use software without security updates (e.g., Windows 7)

Practical tip: Activate automatic updates where possible.

5. Antivirus and Endpoint Protection

• Antivirus software: On all endpoints
• Regular updates: Keep virus definitions current
• Endpoint Detection and Response (EDR): For larger companies, advanced threat detection

6. Network Security

• Firewall: Separate network from the internet
• Network segmentation: Separate critical systems from the rest of the network
• WLAN security: WPA3 or at least WPA2, strong passwords

7. Logging and Monitoring

• System logs: Log access, changes, errors
• Retention: Keep logs for at least 6 months
• Monitoring: Detect anomalies and suspicious activities

Minimum Organisational Measures

Technical measures alone are not sufficient. Organisational measures are equally required.

1. Security Policies

• Written policies: Clear rules for handling data, passwords, devices
• Communication: Employees must know policies
• Enforcement: Policies must be lived, not just exist on paper

Typical policies:

• Password policy
• Acceptable Use Policy (permitted use of IT resources)
• Bring Your Own Device (BYOD) policy
• Incident response policy

2. Authorization Management

• Role-based access: Access by function, not by person
• Regular reviews: Review at least annually who has access to what
• Exit management: Immediate revocation of all access when employees leave

3. Data Protection Organisation

• Responsible person: Someone must be responsible for data protection (not necessarily full-time)
• Processes: Clear procedures for data subject requests, data breaches, data deletion

4. Data Processor Management

When external service providers process personal data (e.g., cloud providers, hosting, SaaS), special measures are required.

Obligations:

• Data processing agreement (DPA): Written contract regulating security measures and responsibilities
• Selection: Only service providers with adequate security measures
• Monitoring: Regular review of whether service providers comply with obligations

Practical tip: Many cloud providers (Microsoft, Google, AWS, Dropbox) offer standard DPAs.

Notification Obligation for Data Breaches

Art. 24 revDSG requires that data breaches must be reported if they are likely to pose a high risk to those affected.

What is a Data Breach?

A breach of data security that unintentionally or unlawfully leads to destruction, loss, alteration, or unauthorized disclosure or unauthorized access to personal data.

Examples:

• Ransomware attack where data was encrypted and exfiltrated
• Data leak where customer data became publicly accessible
• Loss of an unencrypted laptop with personal data
• Unauthorized access to databases by hackers

When Must It Be Reported?

Condition: There is likely a high risk to the personality or fundamental rights of those affected.

High risk means:

• Discrimination
• Identity theft
• Reputation damage
• Financial losses
• Disclosure of particularly sensitive personal data (health, religion, biometric, etc.)

Practical example:

• Public data leak with names and emails: Probably not high risk
• Public data leak with health data: High risk, notification required
• Exfiltration of encrypted data: Depending on encryption strength, possibly not high risk
• Exfiltration of unencrypted financial data: High risk, notification required

How and When to Report?

Deadline: “As soon as possible” after becoming aware of the breach. There is no fixed deadline as with GDPR (72 hours), but speed is required.

To whom: Federal Data Protection and Information Commissioner (FDPIC).

How: Online form on the FDPIC website.

Content of notification:

• Type of breach
• Affected data categories and approximate number of affected persons
• Consequences and possible damages
• Measures taken or planned
• Contact details of the responsible party

Information to Data Subjects

If a high risk exists, the data subjects must also be informed, unless:

• The company has already taken measures before the breach that eliminate the risk (e.g., encryption)
• Subsequent measures were taken that eliminate the risk
• The information would be disproportionately burdensome (then public announcement)

Sanctions for Non-Reporting

• Fine up to CHF 250,000 for intentional non-reporting
• Reputational damage
• Civil liability towards data subjects

Employee Training: Obligation or Optional?

Employees are the weakest link in the cybersecurity chain. Most attacks succeed through human error.

Is Training Legally Required?

Not explicitly, but implicitly.

Justification:

• Art. 8 revDSG requires “adequate” measures. If employees are not trained, technical measures alone are not adequate.
• OR duty of care: Management must ensure employees can perform their tasks properly. This includes knowledge of cybersecurity.

Practical recommendation: Employee training is de facto mandatory, even if the law doesn’t explicitly mention it.

What Training Content?

Minimum content for all employees:

1. Recognise phishing:

   • What is phishing?
   • How to recognise suspicious emails?
   • What to do if suspicious?

2. Password security:

   • Create strong passwords
   • Don’t reuse passwords
   • Use password managers
   • Multi-factor authentication

3. Handling data:

   • Which data is confidential?
   • How to store, send, delete data?
   • What may/may not be shared?

4. Physical security:

   • Lock screens
   • Don’t leave confidential documents lying around
   • Access control

5. Incident reporting:

   • How to recognise a security incident?
   • Who to report to?

Special Training for Executives

Executives are particularly at risk from targeted attacks (CEO fraud, whaling).

Additional content:

• CEO fraud: Fake emails requesting transfers
• Social engineering: Manipulation by attackers
• Responsibility: Liability risks and legal obligations

How Often to Train?

Recommendation:

• Initial training: Upon entry
• Regular refresher: At least annually
• Event-based: For new threats or after incidents

Effectiveness Testing

Training alone is not enough. Effectiveness must be tested.

Methods:

• Phishing simulations: Regularly send test emails, measure click rate
• Tests/quizzes: Check knowledge
• Incident analysis: Were incidents reported in time?

Incident Reporting: Internal Processes

In addition to the legal notification obligation externally (FDPIC), it must be clear internally how to proceed with security incidents.

Incident Response Plan

A written plan should regulate the following points:

1. Detection: How are incidents detected and reported?
2. Assessment: Who assesses the incident and classifies severity?
3. Containment: Immediate measures to limit damage
4. Investigation: Root cause analysis, forensics
5. Recovery: Restore systems and data
6. Communication: Internal, external, authorities, customers
7. Post-processing: Lessons learned, improvement measures

Responsibilities

Clearly define:

• Who leads incident response?
• Who informs management?
• Who contacts external partners (forensics, communication, legal)?
• Who reports to FDPIC/FINMA?

External Partners

For larger incidents, external experts are required:

• IT forensics: Root cause analysis, evidence preservation
• Legal advice: Legal assessment, notification obligations
• Communication consulting: Media work, crisis communication

Practical tip: Identify and prepare partners before an incident. In an emergency, there’s no time to search for providers.

Testing the Plan

A plan that has never been tested won’t work in an emergency.

Recommendation:

• Tabletop exercises: At least annually run through the plan theoretically
• Simulations: Realistic exercises with external experts

Minimum Security Standards by Industry

Different requirements apply depending on the industry.

All Industries (Minimum Standard)

• Access protection (MFA, passwords)
• Encryption
• Backups
• Updates
• Antivirus
• Firewall
• Security policies
• Employee training
• Incident response plan

Financial Service Providers (FINMA-Regulated)

Additionally:

• Cyber risks in risk management
• Business continuity management
• Regular penetration tests
• Documented incident response plans
• Notification obligations to FINMA for significant incidents

Healthcare

Additionally:

• Particularly sensitive personal data (health data)
• Higher requirements for access protection
• Encryption mandatory
• Data protection impact assessment often required

E-Commerce / Online Shops

Additionally:

• PCI-DSS for credit card payments
• SSL/TLS encryption for website
• Secure payment processing (ideally external)

Cloud Users (All Industries)

Additionally:

• Data processing agreements with cloud providers
• Review of data location (where is data stored?)
• Access control to cloud resources

Liability: Who is Liable for What?

In cybersecurity incidents, the question arises: Who is liable?

Companies

The company is liable to:

• Data subjects: Compensation for data breaches (civil law)
• Contractual partners: Breach of contract (e.g., delivery delay after ransomware)
• Authorities: Fines for violations of revDSG, FINMA regulations

Management and Board of Directors

According to Art. 754 OR, management and board of directors are personally liable for breaches of duty.

Requirements:

• Breach of duty (e.g., inadequate cybersecurity measures)
• Damage
• Causality
• Fault (intent or negligence)

Practical example:

A company becomes victim of ransomware. There are no backups, no incident response plan, employees were never trained. The damage is CHF 2 million.

Consequence: Management could be held personally liable for violating its duty of care.

Employees

Employees are only liable for gross negligence or intent.

Practical example:

An employee clicks on a phishing link. This is not gross negligence if they were not trained. If they click despite training and warnings, it could be different.

D&O Insurance

Directors and Officers (D&O) insurance covers liability risks.

Important:

• Not all risks are covered
• Intentional breaches of duty are excluded
• Deductibles can be high

A D&O insurance does not replace the obligation to take adequate measures.

Cyber Insurance

Cyber insurance covers damages from cyber attacks.

Typical services:

• Costs for IT forensics
• Costs for recovery
• Legal costs
• Communication costs
• Ransom payments (controversial)
• Third-party claims for damages

Important:

• Insurers often require minimum measures (MFA, backups, etc.)
• Not all damages are covered
• No substitute for prevention

Checklist: Implementing Basic Obligations

Phase 1: Assessment

• Which personal data do we process?
• Where is it stored?
• Which systems are critical?
• Which external service providers do we use?

Phase 2: Technical Measures

• Access protection: MFA activated?
• Encryption: Devices, backups, transmission encrypted?
• Backups: Regular, offline, tested?
• Updates: Automatic or regular?
• Antivirus: Installed and current?
• Firewall: Active and configured?
• Logging: System logs retained?

Phase 3: Organisational Measures

• Security policies: Written, communicated?
• Authorization management: Who has access to what?
• Responsibilities: Who is responsible for data protection/cybersecurity?
• Incident response plan: Exists in writing?
• Data processors: DPAs available?

Phase 4: Training

• Employee training: When last done?
• Executives: Specifically trained?
• Effectiveness: Phishing tests conducted?

Phase 5: Documentation

• Register of processing activities: Available?
• Data protection impact assessment: Required? Conducted?
• Incident log: Incidents documented?

Phase 6: Tests

• Backup recovery: Tested?
• Incident response plan: Practiced?
• Penetration tests: Conducted (if relevant)?

Penetration testing is increasingly viewed as part of the due diligence obligation for Swiss companies. Engaging a CREST-certified firm such as RedTeam Partners provides documented evidence that your company is taking reasonable steps to identify and address vulnerabilities, which strengthens your legal position should a breach occur.

Costs: What Does Compliance Cost?

Costs vary by company size and complexity.

Small SME (5-20 Employees)

Initial costs:

• External consulting for assessment: CHF 5,000 - CHF 15,000
• Technical measures (MFA, backups, etc.): CHF 2,000 - CHF 10,000
• Employee training: CHF 1,000 - CHF 3,000

Ongoing costs:

• Annual training: CHF 1,000 - CHF 2,000
• Software licenses (backup, antivirus): CHF 1,000 - CHF 5,000
• External review: CHF 3,000 - CHF 8,000 (every 2 years)

Total first year: CHF 10,000 - CHF 30,000

Ongoing per year: CHF 5,000 - CHF 15,000

Medium Company (50-200 Employees)

Initial costs:

• External consulting: CHF 20,000 - CHF 50,000
• Technical measures: CHF 20,000 - CHF 100,000
• CISO (external, part-time): CHF 30,000 - CHF 80,000 per year

Ongoing costs:

• Training: CHF 5,000 - CHF 20,000
• Software/licenses: CHF 10,000 - CHF 50,000
• Penetration tests: CHF 10,000 - CHF 30,000 (annually)
• CISO: CHF 30,000 - CHF 80,000

Total first year: CHF 80,000 - CHF 300,000

Ongoing per year: CHF 50,000 - CHF 180,000

ROI: Avoided Costs

These investments avoid:

• Ransomware damages: CHF 500,000 - CHF 2,000,000
• FDPIC fines: up to CHF 250,000
• Reputational damage: unquantifiable
• Production downtime: depending on company CHF 10,000 - CHF 100,000 per day

Conclusion: Compliance is cheaper than non-compliance.

Avoid Common Mistakes

Mistake 1: “We’re too small for cyber attacks”

Reality: SMEs are preferred targets because they’re often less protected.

Mistake 2: “IT handles it”

Reality: Cybersecurity is leadership responsibility, not just IT task.

Mistake 3: “We have antivirus, that’s enough”

Reality: Antivirus is one measure among many, but not sufficient.

Mistake 4: “We don’t have personal data”

Reality: Employee or customer email addresses are personal data.

Mistake 5: “We’ll do it next year”

Reality: The threat is today, not next year. And legal obligations apply now.

Cybersecurity: Mandatory, Not Optional

Swiss companies have clear legal obligations regarding cybersecurity and data protection. These obligations apply regardless of size or industry.

Core obligations:

1. Data security: Adequate technical and organisational measures (revDSG Art. 8)
2. Notification obligation: Report data breaches with high risk (revDSG Art. 24)
3. Employee training: Implicitly required by duty of care
4. Incident response: Preparation for security incidents
5. Documentation: Register of processing activities, policies
6. Liability: Personal liability of management for breaches of duty

Minimum measures:

• Access protection (MFA, strong passwords)
• Encryption (devices, backups, transmission)
• Backups (regular, offline, tested)
• Updates (timely, automatic)
• Antivirus and firewall
• Security policies
• Employee training
• Incident response plan

The costs of compliance are manageable compared to the costs of a cyber attack. Investments in cybersecurity are not only legally required but also economically sensible.

Next steps:

1. Assessment: Where are we today?
2. Gap analysis: What’s missing?
3. Prioritization: What’s most urgent?
4. Implementation: Implement measures step by step
5. Documentation: Document everything
6. Testing: Regularly review measures

Cybersecurity compliance is not a one-time project but a continuous process. But the foundations can be created in a few months.

---

Transparency Note: This article was created with the support of AI technology and reviewed, supplemented, and finalized by the Alpine Excellence editorial team. All content meets Alpine Excellence editorial standards.