Data protection and cybersecurity
Article 964a ff. Code of Obligations
Concept and due diligence
As Arbonia, we have set up an information security management system and operate it through a security programme. Our security approach is continuously reviewed as part of the information security strategy, which is adapted on an ongoing basis.
Cyber risks are an integral part of the risk management process, which is why the risk is transferred to an insurance company. Arbonia has taken the necessary measures with regard to the Swiss Federal Act on Data Protection (DSG). Responsibility for information security throughout Arbonia essentially rests with the Chief Information Security Officer and the Chief Information Officer. The relevant topics are always coordinated with Group Management and the responsible people at the various companies, and they are presented to the Board of Directors if necessary. When it comes to implementing individual measures, the local IT teams and ICT security specialists provide support as interfaces to the sites and companies.
Measures including evaluation of effectiveness
The security awareness programme helps employees to recognise real threats and potential attacks and to react to them correctly, in accordance with the motto "THINK BEFORE YOU Click.Post.Type". The effectiveness of the awareness programme is checked on a regular basis, for example by means of simulated phishing emails, a knowledge quiz, or test calls to employees.
In accordance with the General Data Protection Regulation (GDPR) of the European Union and Swiss law, all websites of Arbonia were updated in 2024 to meet the current data protection requirements. Records of processing activities are maintained, and corresponding data processing agreements, including the associated technical and organisational measures (TOMs), were concluded with service providers who collect personal data.
Material risks and how they are handled (own scope of business and, where applicable, business relationships)
Unauthorised parties may gain access to sensitive customer data as a result of insufficiently secured access and data connections (virtual and physical), or sensitive data may get into the wrong hands due to a lack of due diligence on the part of an employee. This can result in additional costs and criminal proceedings. An inadequate IT infrastructure (network, firewalls, servers, etc.), outdated ERP systems, incorrect use of IT (internally), or a cyber attack may impede digitisation and lead to an IT failure, data loss, and insufficient competitiveness. This may in turn result in operational restrictions, delivery delays, additional costs, and / or financial losses. Compliance with and the effectiveness of the defined standards are verified through regular checks and audits as part of the general IT controls.
Key performance indicators
Various key figures give Arbonia an overview of the status of information security. These include key figures on participation in the awareness programme and on phishing behaviour. Other key figures, such as malicious attack attempts, completed incidents, and the reaction to potential incidents, are recorded in the Security Operations Center.
Together for more information security
As Arbonia, we can only maintain information security together with our employees. Our aim is to protect the operating activities and competitiveness of the Group against attacks on business and customer data. The employees of Arbonia are a central link in the security chain in the area of cybersecurity and are empowered by us to assume the corresponding responsibility. The most common vector for cyber attacks is e-mail – followed by social engineering (manipulating or influencing a person), the Internet, as well as weakly secured access points and configuration errors.
Through measures to strengthen so-called cyber resilience, we at Arbonia are trying to reduce the risk of successful cyber attacks to a minimum. We are pursuing a comprehensive security approach with technical measures, processes, guidelines, and standards, compliance with and implementation of which are checked by the Chief Information Security Officer and his or her team at Group level. Cyber attacks of any kind must be recognised early on and repelled. Accordingly, employees are increasingly being trained and made aware of this topic.
This involves a number of policies. The password policy describes and defines principles for the creation and use of passwords at Arbonia. The policy on information security requirements for third parties sets out the security standards and requirements that must be fulfilled by service providers and suppliers who come into contact with sensitive information or IT systems belonging to Arbonia. It aims to ensure that third parties implement appropriate security practices in order to protect the confidentiality, integrity, and availability of information. Arbonia has responded to the development of AI by issuing corresponding "Instructions for using AI-based tools". These instructions cover the benefits, risks, data protection, and restrictions regarding use of such tools. Furthermore, there is a "Data Privacy Statement for Employees", which provides information about the data Arbonia collects from employees and the purpose for which it is used.
On the basis of high cyber resilience and e-mail security, Arbonia’s general objective is not to experience any security-critical incidents and thus to ensure a permanently smooth course of business. For this purpose, the results of the attack simulations are used to strengthen resilience. To control security, cyber maturity is also measured on the basis of defined standards. Further key figures are collected via the Security Operations Center (SOC) for all companies and are used to improve cyber defence. In this process, (malicious) incidents and the reaction to them are continuously recorded. The management system classifies these incidents according to their type and severity and evaluates the defence measures according to filter functions and existing use cases. As a further level of protection, all network areas are monitored with an NDR (Network Detection and Response) solution, and the results are passed on to the SOC.
