Concept for the coordinated management of cyber incidents
The comprehensive interconnection of digital systems means that cyber incidents can directly affect a large number of organizations. Successfully managing cross-organizational incidents requires a coordinated approach by all affected actors from the private sector, the cantons and the federal government. The Federal Office for Cybersecurity (BACS) has developed a concept that shows how the federal government organizes itself to ensure coordinated incident management.

Cyber incidents can have far-reaching consequences. In addition to the immediate consequences of functional failures and operational disruptions for the affected parties themselves, they can also jeopardize the cyber security of third parties. This is the case when data or IT resources are affected that are used by multiple stakeholders. In such cases, it is crucial that all affected parties are involved in incident management. Companies, the federal government and the cantons must work together quickly and in a coordinated manner. Clear responsibilities and a transparent approach play a key role here, because the sooner it is clear who is responsible for which tasks, the better the damage can be limited. With the entry into force of the Information Security Act (ISG) in 2024 and the Cybersecurity Ordinance (CSV) and the Ordinance on the Crisis Organization of the Federal Administration (KOBV) in 2025, a legal basis for clarifying tasks and responsibilities has been created.
Four-stage evaluation model provides clarity
Based on these legal foundations, the BACS has developed a concept that shows how coordinated incident management is structured. The core element of the concept is a four-stage model for classifying cyber incidents: low, moderate, significant and critical. The assessment is made from the perspective of society as a whole. The decisive factor is how many organizations in Switzerland are affected and what impact the cyber incident has on the economy and the population. Depending on the classification, different coordination processes are activated and specific organizations are involved in incident management. No coordination by the BACS is planned for incidents at the «low» level. For incidents at the «moderate» level, the BACS provides subsidiary support to the organizations concerned, and for incidents at the «significant» level, it takes on an active role in coordination. For incidents that reach the «critical» level, a request is made to the Federal Council to set up a crisis unit in accordance with the processes provided for in the KOBV. The system for classifying cyber incidents ensures that the measures are appropriate to the actual extent of the incident and that resources are deployed in a targeted manner. The classification remains flexible and can change during the course of an incident, as the extent of cyberattacks often only becomes fully apparent during the analysis.
Implementation of coordinated incident management
The processes for coordinated incident management are already in place. Incidents at the «low» and «moderate» levels are part of everyday life, and the cooperation between the BACS, operators of critical infrastructure, and federal and cantonal authorities is well established. The processes for incidents at the «significant» and «critical» levels are defined thanks to the existing legal basis. However, the responsibilities and tasks are not known to all players to the same extent, and the processes still need to be better established. The present concept is intended to contribute to this. The BACS will use it to provide transparent information about the tasks and responsibilities involved in coordinated incident management.

