Establish an appropriate cyber risk management system
In our blog article we have presented various cases with examples that illustrate how companies and public institutions have been massively damaged by cybercrime. Companies have had to file for bankruptcy after a successful attack, hospitals have paid ransom for the release of patient files, and public funds have been transferred to criminal organizations by bank order and could no longer be recovered. Given their scope and frequency, the significant business impact of these risks can no longer be denied.
What is appropriate? The liability of management bodies
The establishment of appropriate cyber risk management for defense is urgent. In Switzerland, the board of directors of a company is required to maintain a company-wide, integrated risk management system. Where board duties are delegated, the board of directors is liable for the damage caused by the third party unless it proves that, under the circumstances, it exercised due diligence in selecting, instructing and monitoring that third party. Determining the security policy and assessing the most important risks remain non-transferable duties of the board of directors and may not be delegated within the company. Accordingly, the members of the responsible body are personally liable for their actions.
"The Federal Supreme Court recognizes with the prevailing doctrine that the courts must exercise restraint in the subsequent assessment of business decisions." (quoted from judgment 4A_74/2012 of the Swiss Federal Supreme Court). Under the so-called Business Judgement Rule as applied in Switzerland, a decision that was reached in a flawless decision-making process, based on adequate information and free of conflicts of interest, is not considered a breach of duty even if it subsequently turns out to be wrong.
Risk management is usually established and handled professionally. However, while expertise on legal and economic issues is usually represented on the board of directors, so that compliance and market risks are identified, information security is often still insufficiently taken into account. Due to a lack of awareness, such risks are often simply ignored. Or, due to a lack of expertise, they are dealt with outside of integrated risk management and are largely seen as a task for internal IT. And where decisions are made, it is often questionable whether, given that lack of expertise, a sufficient basis of information was created beforehand.
Requirements for the decision-making process
Concretely, a sound decision-making process therefore has the following requirements:
- The relevant risks must be specifically identified.
- The identified risks must be assessed (probability of occurrence and extent of damage).
- Options for action are to be developed and evaluated with regard to their effects (advantages and disadvantages).
- The decision on which options for action to implement must be made appropriately.
- The implementation of the decisions is to be monitored.
- The residual risks remaining after the decisions have been implemented must be assessed and either accepted or reduced by further measures.
- At appropriate intervals, a reassessment shall be made on an updated, sufficient information basis.
It is essential that the individual steps are documented appropriately so that the process can be traced afterwards.