The board of directors bears ultimate responsibility for risk management, including cyber risks. In the event of an incident, board members can be held personally liable. What board members need to know and do.
A ransomware attack cripples your company for two weeks. The business interruption costs CHF 800,000, plus forensics, communications and reputational damage. At the next board meeting, a shareholder asks: did the board fulfil its duty of care? Was there a documented risk management system? Were adequate protective measures approved? If the answer is no, personal liability is on the table.
Legal Basis of Board Liability
Art. 716a CO (Swiss Code of Obligations) assigns the board of directors the non-transferable and inalienable duties of ultimate management and the organisation of accounting, financial control and financial planning. Swiss Federal Court case law increasingly interprets this to mean that risk management, including cyber risks, forms part of this ultimate management responsibility. Art. 754 CO governs liability: board members are personally and jointly liable for damages caused by a breach of their duties. Liability persists even where duties are delegated, if supervision was inadequate.
What the Board Must Do
Three measures are the minimum. First, have the board briefed at least twice a year on the cyber risk posture, documented in the board minutes. The report should cover the current threat landscape, the status of protective measures, open risks and the residual risk. Second, approve an information security budget and ensure it is proportionate to the risk. A rule of thumb is 5 to 10% of the IT budget for security. Third, ensure an incident response plan exists and is tested annually.
Delegation and Supervisory Duty
The board may delegate the operational implementation of cybersecurity to management or a CISO. The supervisory duty, however, remains with the board. In practice, this means the board must verify the qualifications of the person entrusted, issue clear mandates, monitor regularly and act when deficiencies are identified. FINMA has also tightened cyber governance requirements since 2025: Supervisory Notice 05/2025 requires regulated institutions to maintain documented disruption tolerances and to conduct stress tests against them. Although these requirements bind only supervised institutions, they are increasingly treated as the benchmark for good practice at non-regulated companies as well.
Personal Protection for Board Members
A D&O insurance policy (Directors and Officers) covers personal liability but does not replace the duty of care. In the event of a claim, the insurer will examine whether the board fulfilled its duties. Documented resolutions, regular risk reports and demonstrable measures are the best protection. MilesGuard prepares cyber governance documentation for boards of directors: risk assessment, measures overview, reporting templates for board meetings and an annual cyber briefing. This allows you to demonstrably fulfil your duty of care.
Sources
- [1] CO Art. 716a / Art. 754 (fedlex.admin.ch)
- [2] FINMA Supervisory Notice 05/2025
- [3] BACS s-u-p-e-r.ch