

Survey Answer:

Presently, no direct contractual standards or obligations regarding IT security have been established in Switzerland. Very often, however, rule sets or industry standards (e.g. the ISO IT security standards) are referenced in, and integrated into, IT agreements.

The following (primarily regulatory) requirements and standards are often reflected in IT agreements and may therefore be considered indirect contractual obligations and standards:

• Article 14 FMIA requires financial market infrastructures (i.e. stock exchanges, trading facilities, payment systems) to operate robust IT systems which are appropriate for their activities, to provide for effective emergency arrangements ensuring the continuity of the business activity, and to provide for measures protecting the integrity and confidentiality of information regarding their participants and their transactions. Article 3f Banking Act and Article 12 paragraph 4 of the Ordinance on Banks require banks to implement appropriate risk management, including an internal control system, in order to detect, limit and monitor, inter alia, relevant operational risks. These requirements are specified in the recently updated FINMA-Circular 2008/21 "Operational Risks – Banks", which outlines the minimum elements of a cyber risk management concept to be implemented on the basis of international standards (protection of processes, IT systems and sensitive data; detection and recording of cyber-attacks; remedial measures; recovery of normal operations; regular vulnerability analysis and penetration testing). FINMA-circulars are not legally binding, but they elaborate the regulator's intended enforcement practice and are regularly accepted and complied with by the industry.
• On the basis of Article 96 paragraph 2 OTS, OFCOM has published a currently non-binding "Guideline on Security and Availability of Telecommunications Infrastructures and Services" recommending that telecommunications service providers implement, monitor and update (i) an information security management system as described in international information security standards such as ISO/IEC 27001:2005 and ITU-T X.1051, (ii) a business continuity plan and (iii) a disaster recovery plan, and that they comply with international security recommendations in the ICT sector, such as the "ETSI White Paper No. 1 - Security for ICT" and the "ITU-T ICT Security Standards Roadmap". OFCOM has the competence to declare this guideline binding.
• In addition, there are further sector-specific requirements, particularly in connection with aviation, the railway industry and nuclear energy.

Provided By:
Roland Mathys, Schellenberg Wittmer and Clara-Ann Gordon, Niederer Kraft Frey