Data protection and cybersecurity
Article 964a ff. Code of Obligations
Concept and due diligence
At Arbonia, we have expanded the Information Security Management System, which contains a holistic security programme. In addition, further guidelines have been issued; for example, on general IT security, password security, or the information security requirements for third parties. Our comprehensive security approach is continually reviewed using audits and penetration tests in the context of the information security strategy. Cyber risks are an integral part of the risk management process, as is the risk transfer to insurance. Arbonia has taken the necessary measures with regard to the new Swiss Federal Act on Data Protection (DSG).
Responsibility for the information security of the entire Arbonia Group essentially rests with the Chief Information Security Officer and the IT Board, which consists of the Group CIO, the division CIOs and the Group CFO as well as IT representatives of both divisions and the Group. The relevant topics are always coordinated with the division officers and Group Management and are presented to the Board of Directors if necessary. When it comes to implementing individual measures, the local IT teams and ICT security specialists provide support as interfaces to the sites and companies.
Measures including evaluation of effectiveness
The security awareness programme helps employees to recognise real threats and potential attacks in both their work and private lives and to react to them correctly, in accordance with the motto “THINK BEFORE YOU Click.Post.Type”. The effectiveness of the awareness programme is checked on a regular basis; for example, by means of simulated phishing emails or test calls to employees.
In 2023, to ensure compliance with the GDPR and Swiss law, Arbonia began to update its websites, maintain records of processing activities and enter into data processing agreements with service providers who collect personal data.
Material risks and how they are handled (own scope of business and, where applicable, business relationships)
Unauthorised parties may gain access to sensitive customer data as a result of insufficiently secured access paths and data connections (virtual and physical), or sensitive data may get into the wrong hands due to a lack of due diligence on the part of an employee. This would result in additional costs and criminal proceedings. Stakeholders are included in the further development of the IT security architecture by means of regular user surveys. An inadequate IT infrastructure (network, firewalls, servers, etc.), outdated ERP systems, incorrect internal use of IT, or a cyber attack may impede digitisation and lead to an IT failure, data loss and insufficient competitiveness. This may in turn result in operational restrictions, delivery delays, additional costs and/or financial losses.
Key performance indicators
Various key figures give Arbonia an overview of the implemented security measures. For example, the company keeps a record of the number of training sessions held annually in order to teach employees about these sensitive topics as well as the rate of participation in these sessions. Further key figures are collected via SIEM incidents (security information and event management) for all companies.
As Arbonia, we can only maintain information security together with our employees. Our aim is to protect the operating activities and competitiveness of the Group against attacks on business and customer data. The employees of Arbonia are a central link in the cybersecurity chain and must assume responsibility accordingly. The most common attack vector for cyber attacks is e-mail, followed by social engineering (manipulating or influencing a person) and the Internet. For this reason, it is extremely important to recognise, avoid and report suspicious sources.
Together for more information security
Through targeted measures to strengthen cyber resilience, we at Arbonia are trying to reduce the risk of successful cyber attacks to a minimum. We are pursuing an integrated security approach with technical measures, processes, guidelines and standards, compliance with and implementation of which is checked by the Chief Information Security Officer and his or her team at Group level. Cyber attacks of any kind must be recognised early on and repelled. Accordingly, employees are increasingly being trained and made aware of this topic.
This involves a number of policies. The password policy describes and defines principles for the creation, handling and use of passwords in the Arbonia Group. The policy on information security requirements for third parties sets out the security standards and requirements that must be fulfilled by service providers and suppliers who come into contact with sensitive information or IT systems belonging to Arbonia. It aims to ensure that third parties implement appropriate security practices in order to protect the confidentiality, integrity and availability of information. Furthermore, in 2023 Arbonia responded to the development of AI by issuing “Instructions for using AI-based tools”. These instructions cover benefits, risks, data protection and restrictions regarding use of such tools. A “Data Privacy Statement for Employees” was also compiled, providing information about the data Arbonia collects from employees and the purpose for which it is used. Arbonia has also started to enter into agreements with service providers who process personal data on behalf of Arbonia. In addition, the privacy policy was updated on all Arbonia websites in line with the GDPR and Swiss law.
THINK BEFORE YOU Click.Post.Type.
The security awareness campaigns under the motto “THINK BEFORE YOU Click.Post.Type” comprise various measures. Employees are regularly invited to participate in various awareness and training units, with more in-depth training courses provided specifically for IT administrators and other exposed persons. These courses provide information on the secure handling of data and information systems and aim to make everyday work more secure. The participation rate was 87% in the reporting year (previous year: 68%) and should increase to 100% by 2025.
On the basis of high cyber resilience and e-mail security, Arbonia’s general objective is not to experience any security-critical incidents and thus to ensure a permanently smooth course of business. For this purpose, the results of the attack simulations are used to strengthen resilience. To steer security, cyber maturity is also measured against defined standards. Further key figures are collected via SIEM incidents (security information and event management) for all companies and are used to improve cyber defence. In this process, (malicious) incidents and the reaction to them are continually recorded. The management system classifies these incidents according to their type and severity and evaluates the defence measures on the basis of filter functions and existing use cases. As a further protection level, a project for NDR (network detection and response) has been implemented.