Survey Answer:

At present, a general and comprehensive obligation for businesses to mitigate cyber risks does not exist under Swiss law. However, based on their general duty to direct the corporation (Article 716a Code of Obligations; CO), members of the Board of Directors have a duty to implement adequate measures (risk management and internal controls) to mitigate cyber risks (see also Article 20 of the Swiss Code of Best Practice for Corporate Governance). Failure to do so can constitute a breach of director's duties which may ultimately result in civil liability both for the corporation and the respective director (notably Article 754 CO). Further, anyone whose personality rights were violated by a data breach may bring civil actions against those responsible (Article 15 para. 1 DPA in conjunction with Articles 28, 28a and 28l Civil Code; CC). Finally, it should be noted that serious incidents relating to IT-security of listed companies may trigger relevant reporting duties under stock exchange laws and regulations.

Provided By:
Roland Mathys, Schellenberg Wittmer and Clara-Ann Gordon, Niederer Kraft Frey