
Bill Toulas reports:
Switzerland’s National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery. According to the NCSC announcement, this new requirement is introduced as a response to the increasing number of cybersecurity incidents and their impact on the country.
Examples of types of cyberattacks that will have to be reported include:
- Cyberattacks that jeopardize the operation of critical infrastructure
- Manipulation, encryption, or exfiltration of data
- Extortion, threats, and coercion
- Malware installed on systems
- Unauthorized access to systems
Read more at BleepingComputer.
The reporting obligation under Article 74b applies to a broad swath of entities and sectors:
a. Universities pursuant to Article 2 paragraph 2 of the Higher Education Promotion and Coordination Act of 30 September 2011;
b. Federal, cantonal and municipal authorities, and intercantonal, cantonal and intercommunal organisations, with the exception of the Defence Group when the army provides assistance service under Article 67 or active service under Article 76 of the Military Act of 3 February 1995;
c. Organisations with public-law tasks in the areas of security and rescue, drinking water supply, wastewater treatment and waste disposal;
d. Companies active in the fields of energy supply pursuant to Article 6 paragraph 1 of the Energy Act of 30 September 2016, energy trading, energy measurement or energy control, with the exception of licence holders under the Nuclear Energy Act of 21 March 2003 where the cyberattack affects a nuclear installation;
e. Companies subject to the Banking Act of 8 November 1934, the Insurance Supervision Act of 17 December 2004 or the Financial Market Infrastructure Act of 19 June 2015;
f. Health care establishments included on a cantonal hospital list pursuant to Article 39 paragraph 1 letter e of the Federal Act of 18 March 1994 on Health Insurance;
g. Medical laboratories authorised under Article 16 paragraph 1 of the Epidemics Act of 28 September 2012;
h. Companies holding a licence under the Therapeutic Products Act of 15 December 2000 for the manufacture, marketing or import of medicinal products;
i. Organisations that provide benefits to protect against the consequences of illness, accident, incapacity for work or gainful employment, old age, disability and helplessness;
j. The Swiss Broadcasting Corporation;
k. News agencies of national importance;
l. Providers of postal services registered with the Postal Commission pursuant to Article 4 paragraph 1 of the Postal Services Act of 17 December 2010;
m. Railway undertakings pursuant to Article 5 or 8c of the Railways Act of 20 December 1957, and cable car, trolleybus, bus and shipping undertakings holding a concession pursuant to Article 6 of the Passenger Transport Act of 20 March 2009;
n. Civil aviation companies holding a licence from the Federal Office of Civil Aviation, as well as the national airports designated in the Aviation Infrastructure Plan;
o. Companies that transport goods on the Rhine pursuant to the Maritime Navigation Act of 23 September 1953, as well as companies that carry out registration, loading or unloading in the port of Basel;
p. Companies that supply the population with essential daily goods and whose failure or disruption would lead to significant supply bottlenecks;
q. Providers of telecommunications services registered with the Federal Office of Communications pursuant to Article 4 paragraph 1 of the Telecommunications Act;
r. Registry operators and registrars of Internet domains pursuant to Article 28b of the Telecommunications Act (FMG);
s. Providers and operators of services and infrastructures that serve the exercise of political rights;
t. Providers and operators of cloud computing, search engines, digital security and trust services, and data centres, provided they are based in Switzerland;
u. Manufacturers of hardware or software whose products are used by critical infrastructures, provided that the hardware or software has remote maintenance access or is used for one of the following purposes:
   1. control and monitoring of operational systems and processes;
   2. ensuring public safety.
A cyberattack must be reported if it:
a. endangers the functionality of the affected critical infrastructure;
b. has resulted in the manipulation or leakage of information;
c. remained undetected for a long period of time, especially where there are indications that it was carried out in preparation for further cyberattacks; or
d. involves blackmail, threats or coercion.
The new obligations also state (English machine translation): “By reporting a cyber-attack, the authorities and organisations required to report shall be entitled to the assistance of the NCSC in incident management in accordance with Article 74(3).”
It is not (yet) clear to DataBreaches exactly what types and scope of assistance in incident management will be available to entities.