
Implementing Appropriate Cyber Risk Management: A Strategic and Legal Responsibility


By Mariami Minadze

Summary – Accelerated digitalization and the surge in cyberattacks require Swiss boards of directors to integrate cyber risk management on par with financial risks to avoid sanctions and personal liability. Governance, due diligence and traceability—via meeting minutes, key indicators and the Business Judgment Rule—ensure informed decisions and effective oversight. Solution: establish a top-level security policy, document every step and deploy a continuous evaluation and mitigation cycle with internal and qualified third-party experts.

In a context of escalating cyberattacks and accelerating digitalization, cyber risk management is becoming a legal obligation and a key governance challenge.

In Switzerland, the board of directors must incorporate information security into its risk management framework, on par with financial and operational risks. Any failure can expose individual board members to personal liability, even in cases of delegation. It is therefore essential to establish a documented, traceable process that is regularly reviewed to guard against sanctions and maintain stakeholder trust.

Fiduciary Responsibility and the Board’s Duty

The board of directors bears legal responsibility for defining the security policy and assessing critical risks. Even if it delegates execution, it must demonstrate rigorous selection, ongoing information, and effective oversight.

Legal Mandate and Regulatory Framework

Under the Swiss Code of Obligations (Art. 716a), the board must ensure an adequate organization to identify, manage, and monitor risks, including those related to information security, and draw on transformational leadership to guide governance.

The security policy must be defined at the highest level of the company and approved by the board of directors. It sets out responsibilities, incident management procedures, and reporting processes to governance bodies.

In case of non-compliance, directors may be held liable for damages suffered by the company or for penalties imposed by regulatory authorities, underscoring the importance of adhering to Swiss legal requirements.

Non-delegation and Due Diligence

The board may assign implementation of the cyber strategy to management or external parties, but primary responsibility remains inalienable. To disclaim its liability, it must demonstrate that it selected competent experts, received regular updates, and exercised effective oversight.

Documenting these steps is crucial: minutes, audit reports, and tracking dashboards provide proof of adequate diligence. Without these elements, the board remains exposed in the event of a major incident.

Due diligence also involves evaluating the skills of service providers and establishing KPIs to measure the effectiveness of the security framework.

Example of Governance Under Scrutiny

In a mid-sized Swiss accounting services firm, the board of directors had engaged an external provider to develop its security plan. Following a major breach, it was found that the board had never approved or reviewed the quarterly reports provided by that provider. This case illustrates that delegation without documented oversight personally exposes directors, despite the involvement of a specialist.

Business Judgment Rule and Traceability of the Decision-Making Process

The Business Judgment Rule protects strategic decisions if they are based on a rigorous, informed process free of conflicts of interest. Traceability and documentation at each stage of the decision mitigate the risk of litigation in the event of failure.

Principle and Conditions of Application

The Swiss Business Judgment Rule recognizes that a board may make errors in judgment without being penalized, provided it acted in good faith, in the best interests of the company, and based on sufficient information. Absence of conflicts of interest is a sine qua non.

To benefit from this protection, the board must show it sought expert opinions, analyzed multiple scenarios, and documented the criteria considered. This rigor protects directors during an audit or dispute.

This principle encourages governance bodies to structure their decisions within a formal and transparent framework, including adopting agile practices to justify each strategic trade-off.

Documentation as a Legal Shield

Detailed minutes, risk assessments, legal and technical expert opinions, and workshop reports form a comprehensive dossier. This documentation is the foundation for demonstrating an impartial and methodical process.

In the absence of written records, courts may consider that the board failed to exercise diligence or did not grasp the stakes. The burden of proof then falls on the directors.

Digitizing these documents via a secure management system facilitates retrieval and ensures data integrity in audits.

Example of a Protected Process

A Swiss financial institution implemented an annual cyber risk review cycle, involving an interdisciplinary committee and external audits. Each meeting yielded a timestamped, digitally signed report. This case shows that rigorous traceability strengthens the board’s position, even after an incident affecting the security framework.


The Blind Spot of Information Security in Governance

Information security often remains underrepresented at board level, perceived as purely technical. This expertise gap exposes decision-making bodies to ill-informed decisions and unanticipated risks.

Underestimating Cyber Risk at the Strategic Level

In many organizations, cybersecurity is confined to IT teams and not discussed at the highest level. The board may then make decisions without understanding attack scenarios or properly assessing potential impacts on business continuity.

This governance gap leads to fragmented management, where technical priorities diverge from business and legal concerns. The lack of a holistic vision undermines the company’s resilience.

It is essential to integrate cybersecurity experts into the risk committee (for example by recruiting a DevOps engineer) and to regularly raise board awareness of emerging threats.

Consequences of Ill-Informed Decisions

A cybersecurity investment policy not aligned with the company’s strategy can lead to overinvestment in unsuitable tools or neglect of critical vulnerabilities. These choices increase overall costs and operational complexity without guaranteeing better protection.

In case of an incident, the board may be accused of deficient management for approving budgets or practices that did not consider real threat scenarios.

Close coordination between the CIO, business leaders, and directors is necessary to align budget, skills, and security objectives.

Example of a Competency Gap in Action

A Swiss healthcare provider suffered a ransomware attack. The board had never approved the crisis management plan nor received attack simulations. This case demonstrates that a board lacking awareness cannot effectively challenge mitigation plans, leaving the organization vulnerable to significant fines and loss of patient trust.

Towards Integrated and Documented Cyber Risk Management

Effective cyber risk management must rely on a continuous process of identification, assessment, mitigation, and monitoring. Periodic reassessment ensures adaptation to rapidly evolving threats.

Concrete Risk Identification

Start by mapping information assets, critical business processes, and data flows. This holistic view highlights potential entry points and external dependencies.

Threat modeling workshops, conducted with business teams and the CIO, help anticipate attack scenarios and identify high-criticality areas.

Such a structured approach aligns security strategy with the company’s operational and legal stakes.

Assessing Probability and Impact

Each risk must be evaluated against objective criteria: its likelihood and its financial, operational, and reputational impact. This prioritization guides budgetary trade-offs.

Using standardized risk matrices ensures comparability and consistency of assessments over time.

Involving business owners in this assessment strengthens ownership of the framework and the relevance of corrective actions.

Defining and Tracking Mitigation Options

For each major risk, formalize several mitigation measures: prevention, detection, correction, and recovery. Compare costs, benefits, and residual impacts for each option.

Document the chosen option, associated performance indicators, and implementation deadlines. A remediation plan with clear milestones facilitates reporting to the board.

A mix of open source solutions and custom developments, as appropriate, ensures flexibility, scalability, and no vendor lock-in.

Continuous Monitoring and Periodic Reassessment

The threat landscape evolves rapidly: monitoring indicators (SIEM, IDS/IPS, regular penetration tests) should feed into a review cycle. This feedback loop ensures measures remain effective.

Quarterly reviews involving the CIO, business teams, and directors enable reassessment of risks based on new incidents or lessons learned.

Integrated management implies updating documentation, adjusting the security policy, and aligning human and technical resources.
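As an added illustration of the cycle described above and of the MTTD/MTTR indicators mentioned in the FAQ (this is example code, not from the article or from Edana), the following Python sketch scores a small risk register on an assumed 5x5 matrix, compares mitigation options by residual risk and cost, and derives the detection and response figures a quarterly board report would carry. The band thresholds, the register, the options and the incident timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed 5x5 matrix: likelihood and impact each 1..5, product banded with thresholds
# that are this example's own assumption (use the organization's standard matrix).
def rating(likelihood: int, impact: int) -> str:
    s = likelihood * impact
    return "critical" if s >= 15 else "high" if s >= 8 else "medium" if s >= 4 else "low"

@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: int  # 1..5
    impact: int      # 1..5, worst of financial, operational and reputational

@dataclass
class Mitigation:
    name: str
    kind: str        # prevention, detection, correction or recovery
    cost_chf: int
    residual_likelihood: int
    residual_impact: int

def prioritize(register):
    """Order by inherent score so budget trade-offs start with the worst risks."""
    return sorted(register, key=lambda r: r.likelihood * r.impact, reverse=True)

def choose_mitigation(risk, options):
    """Best risk reduction per franc among non-critical residual options; None if none qualify."""
    ok = [o for o in options
          if rating(o.residual_likelihood, o.residual_impact) != "critical"]
    inherent = risk.likelihood * risk.impact
    return max(ok, default=None, key=lambda o:
               (inherent - o.residual_likelihood * o.residual_impact) / o.cost_chf)

def mttd_mttr_hours(incidents):
    """MTTD and MTTR in hours from (occurred, detected, resolved) timestamps."""
    t = [[datetime.strptime(s, "%Y-%m-%d %H:%M") for s in i] for i in incidents]
    mttd = sum((d - o).total_seconds() for o, d, _ in t) / 3600 / len(t)
    mttr = sum((r - d).total_seconds() for _, d, r in t) / 3600 / len(t)
    return round(mttd, 1), round(mttr, 1)

# Constructed sample register, options and incident log (no real organization).
REGISTER = [Risk("client file server", "ransomware after phishing", 4, 5),
            Risk("HR portal", "credential stuffing", 3, 3)]
OPTIONS = [Mitigation("offline immutable backups", "recovery", 40_000, 4, 2),
           Mitigation("EDR on every endpoint", "detection", 90_000, 2, 3),
           Mitigation("awareness training only", "prevention", 10_000, 3, 5)]
INCIDENTS = [("2025-01-03 09:00", "2025-01-03 15:00", "2025-01-04 09:00"),
             ("2025-02-10 22:00", "2025-02-11 08:00", "2025-02-11 14:00")]
```

An option whose residual rating stays critical is never selected, so a register entry with no acceptable option surfaces as `None` and has to be escalated to the board rather than silently accepted.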

Example of a Successful Integrated Approach

Within a Swiss financial services group, the board adopted a risk management framework aligned with ISO 27005 and NIST standards. Each quarter, the risk committee validates a consolidated report combining penetration test results, detection indicators, and mitigation plan progress. This case demonstrates that integrating a formalized, documented process enhances resilience and compliance while optimizing resources.

Strategic Cyber Risk Management

Cyber risk management is not merely a technical measure but a continuous, structured, and traceable governance process. The board’s fiduciary duty, reinforced by the Business Judgment Rule, requires rigorous documentation and constant vigilance. Identifying, assessing, documenting, mitigating, and periodically reassessing are indispensable steps to secure information assets and maintain stakeholder trust.

To meet legal requirements and anticipate threats, our experts support your board of directors in defining robust security policies, selecting modular open source solutions, and implementing agile, scalable processes.


Published by Mariami Minadze, Project Manager

Mariami is an expert in digital strategy and project management. She audits the digital ecosystems of companies and organizations of all sizes and in all sectors, and orchestrates strategies and plans that generate value for our customers. Highlighting and piloting solutions tailored to your objectives for measurable results and maximum ROI is her specialty.


Frequently Asked Questions on Cyber Risk Management

What are the legal obligations of the Board of Directors regarding cyber risk?

The Board of Directors must, according to article 716a of the Swiss Code of Obligations, establish an adequate organization to identify, manage, and monitor information security risks. It must define a security policy approved at the highest level, oversee its implementation, and document every step to demonstrate its due diligence in the event of an audit or incident.

How do you document a due diligence process to combat cyber risk?

Due diligence is compiled into a complete file: meeting minutes, audit reports, monitoring dashboards, and workshop summaries. Each selection of a provider or solution must be justified by a thorough evaluation, expert assessments, and regular oversight. Timestamped traceability ensures solid proof in case of dispute.

Which KPIs are essential for managing cyber risk?

Key indicators include Mean Time To Detect (MTTD), Mean Time To Respond (MTTR), the number of incidents detected during penetration tests, audit compliance rate, and vulnerability analysis coverage. These KPIs should be updated regularly and presented to the Board to adjust priorities and strategic direction.

How does the Business Judgment Rule protect the Board’s decisions?

The Business Judgment Rule grants immunity when the Board acts in good faith, without conflicts of interest, and based on sufficient information. To benefit from it, the decision-making process must be documented: expert consultations, scenarios considered, and criteria used. This rigor reduces the risk of legal action if a security measure fails.

What are the key steps in a periodic cyber risk assessment?

A periodic assessment follows a cycle: identification of critical assets, evaluation of likelihood and impact, definition of mitigation measures, and monitoring via indicators. Quarterly reviews involving the IT department, business units, and directors help adjust policy and incorporate lessons learned from recent incidents.

How do you choose qualified providers to outsource implementation?

Selection is based on verifying skills (certifications, client references), conducting technical tests (penetration tests), and including contractual KPIs. A prior audit secures the choice. Documenting the process and providing regular reports ensures effective oversight and reduces the Board’s liability.

What role does information asset mapping play in risk management?

Asset mapping inventories critical systems, applications, and data flows. It identifies potential entry points and dependencies, aiding in prioritizing measures. Conducted in workshops with business units and the IT department, it aligns cyber strategy with operational and legal requirements, serving as the foundation for all risk analyses.

How do you integrate cyber risk management into overall governance?

Integration involves establishing a risk committee that includes the IT department, business units, and directors; holding regular reviews; and implementing structured reporting. The security policy must align with corporate strategy and be supported by agile processes. Centralized documentation ensures continuous transparency and traceability.
