Cyber Risk in Switzerland
Switzerland is a remarkably stable and economically strong country, a direct democracy with frequent referendums, a unique place that invests more in the health, education and talent of its people than any other country in the world.
Authority is shared between the Confederation, the cantons and the communes. The Confederation’s authority is restricted to the powers expressly conferred on it by the Federal Constitution. All other tasks are the responsibility of the cantons, which thus enjoy considerable autonomy.
Citizens love the extensive cantonal and local autonomy that is based on the idea of subsidiarity, but even the best system has weaknesses. Direct democracy is one of the most efficient government systems ever, but it is not without downsides. The rule of the people, by the people, and for the people requires citizens who can make decisions in areas they do not always understand, such as cyber risk management. There is only one solution to this problem: cyber risk awareness and training. According to Johann Wolfgang von Goethe, “Es ist nichts schrecklicher als eine tätige Unwissenheit” (nothing is more terrible than to see ignorance in action). When citizens understand the risks, they will be able to protect themselves, their organization and their commune, canton and country.
The political system in Switzerland is not based on confrontation between a government and its opposition, but is dependent on consensus between political factions. This is of course great in many respects, but it also takes time to reach consensus and to respond in a rapidly changing environment. It is difficult for the Confederation to enforce strict cybersecurity policies in every corner of the country.
Having said that, Switzerland has an excellent cyber risk management plan. The Federal Council adopted the national strategy for the protection of Switzerland against cyber risks (NCS) on 27 June 2012 and its implementation plan (IP NCS) on 15 May 2013.
According to the strategy, acting with personal responsibility, national cooperation between the private and public sector, and cooperation with foreign countries are all essential for reducing cyber risks. Digital networking exposes information and communication infrastructure to criminal, intelligence, politico-military or terrorist abuse or functional impairment. Disturbances, manipulation and specific attacks carried out via electronic networks are the risks that an information society entails. It is to be expected that these risks will tend to increase in the future.
The rationale underlying the national strategy is that every organisational unit, be it political, economic or social, bears responsibility for identifying these cyber aspects, addressing the risks entailed in their particular processes and reducing them insofar as possible. The decentralised structures in the public and private sector are to be strengthened for these tasks, and existing resources and processes are to be used consistently.
We must not forget that cybersecurity is a difficult and complex field. The board of directors and senior management of every organization in the public and private sectors must understand that cyber risks are not an IT problem, but an enterprise risk management challenge. Cyber risks have to do with reputation management, the protection of intellectual property and sensitive employee and customer information, financial loss and liability in the event of a data breach. Cyber risk management should be given regular and adequate time on the board meeting agenda.
Cyber insurance policies may help reduce a company’s financial liability risk, but they do not prevent cyberattacks and they are unlikely to cover the full financial impact of brand damage and loss in shareholder value. According to Forrester Research, at least 88% of the S&P’s market value consists of goodwill and intangible assets, such as reputation, brand, innovation, processes, know-how, and customer experience.
Cyber Risk GmbH has a clear mission statement: We will support with all our means the Federal Council’s national strategy for the protection of Switzerland against cyber risks and its implementation plan, by embedding cyber risk awareness in organizational culture.