Establish appropriate cyber risk management
In our blog article we presented various attack methods, with examples that illustrate how companies and public institutions have been severely damaged by cybercrime: companies have had to file for bankruptcy after a successful attack, hospitals have paid ransoms to get patient records back, and public funds have been transferred to criminal organizations via bank transfer and could not be recovered. Given the scope and frequency of such incidents, the significant business impact of these risks can no longer be denied.
What is appropriate? The liability of management bodies
Establishing appropriate cyber risk management as a defense is urgent. In Switzerland, the board of directors of a company is obliged to establish company-wide, integrated risk management. When it delegates executive functions, the board of directors remains liable for damage caused by the third party unless it proves that it exercised due care under the circumstances in selecting, instructing and supervising that third party. Defining the security policy and assessing the most important risks remain inalienable duties of the board of directors that may not be delegated within the company. Accordingly, the members of the responsible body are personally liable for their actions.
"With the prevailing doctrine, the Federal Supreme Court acknowledges that the courts must impose restraint on themselves when assessing business decisions retrospectively." (quoted from judgment 4A_74/2012 of the Swiss Federal Supreme Court). According to the so-called Business Judgement Rule as applied in Switzerland, a decision that was made in a flawless decision-making process, on an appropriate information base and free of conflicts of interest, is not regarded as a breach of duty even if it subsequently turns out to be wrong.
In most organizations, risk management is established and handled professionally. However, while legal and economic know-how is usually represented on the board of directors, so that compliance and market risks are identified, information security is often still insufficiently considered. Due to a lack of awareness, these risks are frequently simply ignored. Or, due to a lack of competence, they are handled outside of integrated risk management and largely regarded as a task for internal IT. And where decisions are made, it is often questionable, again due to a lack of expertise, whether a sufficient basis of information was created beforehand.
Decision-making process requirements
Specifically, a sound decision-making process must meet the following requirements:
- The relevant risks must be identified in concrete terms.
- The identified risks must be assessed (probability of occurrence and extent of damage).
- Options for action must be developed and evaluated with regard to their effects (advantages and disadvantages).
- The decision on the implementation of the options for action must be made appropriately.
- The implementation of decisions must be monitored.
- The residual risks following implementation of the decisions must be assessed and either accepted or mitigated by further measures.
- A reassessment shall be carried out at appropriate intervals on an updated, sufficient basis of information.
Each of these steps must be adequately documented so that the process remains traceable afterwards.