.svg)
Although the Swiss Bankers Association (SBA) has thrown its support behind a new draft Cybersecurity Ordinance, it says that clearer, more proportionate, rules are necessary.
The SBA voiced its concerns in its response to the Federal Office for Cybersecurity’s consultation on the draft Cybersecurity Ordinance (E-CSV).
Along with the Swiss Financial Sector Cyber Security Center (Swiss FS-CSC), the association has highlighted areas where the ordinance could be improved to ensure the financial sector’s resilience against cyber threats.
The draft ordinance, which the Federal Council unveiled in May 2024, sets out the Swiss government’s plans to implement mandatory reporting of cyber attacks, establish the organisation for the National Cyber Strategy, and define the role of the new Federal Office for Cyber Security.
The ordinance also includes exemptions for authorities and companies where it feels cyber incidents will not directly affect the economy or public wellbeing.
Needs improvements
One significant issue raised by the SBA, which boasts members including key banking institutions such as UBS and PostFinance, is the broad scope of the reporting obligations.
The association argued that imposing strict reporting rules on all financial institutions, regardless of the scale of the cyber attack, would result in unnecessary regulatory burden.
"It is essential to establish 'De-minimis' exceptions for smaller institutions," the SBA noted in its consultation, translated from German, adding that only significant cyber attacks that have a substantial impact on operations should trigger mandatory reports.
“This distinction would help prevent an overload of minor incident reports that could obscure more critical threats,” according to the SBA.
Another point of concern for the lobby group is the current structure of the reporting system, as outlined in Article 15 of the draft, and the SBA is calling for a revision that would limit the scope of information shared among authorities to only what is necessary.
"Each authority should only have access to the data relevant to their mandate," the SBA explained, emphasising that unrestricted access to sensitive information across multiple agencies could pose risks, particularly regarding data privacy and compliance with other legal frameworks such as banking secrecy.
Extending the transition
The SBA also warned that the proposed timeline for implementing the ordinance is too short, urging the government to extend the transition period.
"A two-year transition is indispensable," the association stated.
According to the SBA, this additional time would allow financial institutions to fully integrate new reporting mechanisms into their existing governance and legal processes.
The SBA explained that "such a period is crucial to test the systems and ensure that they harmonise with existing frameworks like data protection and banking laws".
Beyond the borders
The SBA is also pushing for the inclusion of all institutions operating in Switzerland, even those without a Swiss headquarters, in the information sharing framework.
"For cybersecurity resilience to be truly effective, all entities with FINMA approval, including branches of foreign financial institutions, must be allowed to participate in the exchange of information," the association said.
Despite these reservations, the SBA has signalled its support for the federal government’s efforts to strengthen cybersecurity within the financial sector.
"We are fully aligned with the goal of enhancing cyber resilience in Switzerland, but it must be done in a way that balances security needs with the practical realities of the financial industry," it concluded.
