The case

The number of cyber-attack threats against companies has been increasing. Cyber-attacks target companies in all sectors and all over the world. In a study published by KPMG in May, 88 % of the Swiss companies that were interviewed stated that they had been the victims of cyber-attacks in the past twelve months.
Cyber-attacks pose operational risks as well as legal risks, e.g. the loss of intellectual property (company data, client lists and data, know-how). There have also been fines because data protection laws were violated, and claims for damages because of breach of contract. If a financial institution has been the victim of a cyber-attack, the regulator starts investigations, which ties up administrative resources, causes costs and entails a loss of trust. According to a study, a cyber-attack results in costs amounting to about USD 860,000 for a company.
(…)

Source: Tino Gaberthüel, Lenz & Staehelin in today’s NZZ.

The commentary

Cyber security has become a strategic company risk and is the responsibility of the management. The liability of the board calls for thorough engagement with cyber security. Regulatory bodies have been increasing the pressure on boards, demanding that appropriate diligence and caution be applied when dealing with cyber security. On 1 July FINMA published a revised version of the circular on operational risks for banks, covering how they deal with cyber risks: see RZ 135.6* to 135.12* and footnotes (in German, French and Italian).

The rules require an analysis and the implementation of risk management when dealing with cyber risks. Further risk and vulnerability analyses have to be carried out. Still, cyber security does not form part of the current revision of the corporate law.

This publication has been prepared solely for information purposes and does not constitute a recommendation, a solicitation, or an offer. The information on which this publication is based has been obtained from sources that we believe to be reliable and in good faith, but we have not independently verified such information and no representation or warranty, express or implied, is made as to its accuracy. All expressions of opinion are made as of the date of publication and may be subject to change without notice. k-flash and all related affiliates accept no liability or responsibility whatsoever for any consequential loss of any kind arising out of the use of this publication or any part of its contents. The use of this publication should not be regarded as a substitute for the exercise by the recipient of his or her own judgment. This publication is not directed to any person in any jurisdictions that prohibit such publication.