Guest article by Tobias Ellenberger, COO Oneconsult, in Inside IT: “The Other View: Boards of Directors Bear Responsibility in Cyberattacks”

Tobias Ellenberger is COO of Oneconsult AG and Vice Chairman of Oneconsult International AG.

The cyberattacks on healthcare institutions and the municipality of Rolle that have become public show that the cyber threat level continues to rise. Entire networks and their associated systems were compromised, data was stolen, and companies and municipalities were paralysed and extorted. The hospital sector, for example, is particularly exposed. The system environments are very heterogeneous, and the systems in operation have long lifespans and, because of specialised components, can be updated only to a limited extent. In addition, in healthcare, as in many other industries, a large number of stakeholder groups with very different levels of awareness and training work with network-connected systems: nursing, administration, technical staff and physicians. High staff turnover often adds to this. The same is true of many other industries such as tourism or the hotel trade.

Civil lawsuits against board members are possible

The question arises as to who is ultimately responsible for adequate precautions against such business risks materialising. The law is clear on this: under Article 716a of the Code of Obligations (Obligationenrecht), the board of directors has a catalogue of duties that it can delegate neither to the general meeting nor to executive management; they are non-transferable and inalienable. This means that every board of directors is legally obliged to design, implement and monitor an integrated risk management system.

So if a company gets into difficulties because of weaknesses in its defences against cyberattacks, the board of directors is ultimately liable, because it did not fulfil its duty of risk prevention to the necessary extent. If, in the extreme case, these attacks lead to the company's bankruptcy, this can have legal consequences for the governing bodies, for example civil lawsuits against members of the board of directors.

The “human” risk becomes the “human” firewall

How can boards of directors take precautions? They must deal with cyber risks periodically and challenge operational management on the topic. The board must not let itself be dazzled by technical presentations. If it is unclear what measures operational management is taking to address the risks, the board should have the topic explained in detail or have an external organisation lay it out. It is also important that the board's audit committee deals with the topic several times a year. The board (as a rule at the instigation of the audit committee) must order sufficient (risk) assessments for specific cyber risks and periodically review, or have reviewed, the effectiveness of the measures and systems deployed by management. In addition, the company's highest body should not only order and monitor emergency scenarios as well as processes and procedures for when an incident occurs, but also ensure that they are rehearsed and that the organisation continuously improves.

Most important of all is that the greatest weak point in every company, the individual employees, are regularly and sufficiently made aware and trained. This turns the “human” risk into the “human” firewall. The necessary resources must be approved for this. These personnel measures thus become an opportunity to make attacks come to nothing across the company or to respond better to cyberattacks as an organisation. Because “Gouverner c’est prévoir.”

About the author

Tobias Ellenberger is COO of Oneconsult AG and Vice Chairman of Oneconsult International AG. As a specialist in incident response and incident management, he is Vice President of the public-private partnership Swiss Cyber Experts (SCE) and a member of the cyber commission of Digitalswitzerland.

Your contact for
IT security emergencies

To be able to provide you with the best possible support, we would first like to ask you for the following information:

– What and who is affected?

– Who discovered and reported the incident?

– How and when was the incident detected?

– What did you observe?

– What are you most concerned about?

– Which measures have been initiated so far?

Data Protection Policy – Cyber Incident Hub

1 Privacy
Cyber Incident Hub takes the protection of your privacy very seriously. Please read the following data protection regulations carefully.

2 Scope of application
Cyber Incident Hub collects, processes, stores, and protects the data of persons who access its website (data subjects). These data protection regulations apply to this website and all its applications and functions, such as chat, newsletters, events, etc.

3 Legal grounds
This Data Protection Policy is based on the Swiss Federal Act on Data Protection (FADP) and, to the extent applicable, the European General Data Protection Regulation (GDPR).

4 Name and address of the controller and its representative
The controller within the meaning of the data protection laws is:

Cyber Incident Hub
Löwenstrasse 2
8001 Zurich
Switzerland

Phone: +41 44 266 67 67
E-mail: info@cyber-incident-hub.ch

Responsibility for all legal data protection issues at Cyber Incident Hub is held by the controller: Daniel Heller, Partner & Co-Head Startup Desk at Farner Consulting AG.

Our EU data protection representative with respect to processing to which we as controller are subject under the GDPR is:

VSG Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany

E-mail: info@datenschutzpartner.eu

5 Use of information
In principle, it is possible to visit the Cyber Incident Hub website without providing any personal data. No conclusions about you are drawn when we evaluate non-personal data such as an IP address, browser used, date, time, etc.

Visitors to our website can also activate the “do not track” option so that only the process of logging in itself will be tracked.

Personal data will be collected and processed strictly in accordance with the applicable laws and regulations and then only with your explicit consent.

6 Disclosure of personal data
We treat your personal data confidentially and disclose them only if you have expressly consented to it, we are legally obligated or entitled to do so, or if this is necessary for the purpose of enforcing our rights, including the enforcement of claims under the contractual relationship. In addition, we disclose your personal data to third parties if this is necessary or expedient in connection with use of the website or possible provision of services that you requested.

We disclose your personal data to the following categories of recipients:

  • Business partners
  • Service providers
  • Service companies
  • Governmental authorities, to the extent this is required or necessary

In doing so, we of course comply with the legal requirements concerning the disclosure of personal data to third parties. If we make use of third parties to provide our services, we take appropriate legal precautions and corresponding technical and organisational measures in order to ensure the protection of our personal data in accordance with the relevant statutory requirements.

If the level of data protection in a country in which the data are processed is not in conformity with the applicable data protection provisions, we ensure by contract that the protection of your personal data corresponds at all times to that in Switzerland or the European Economic Area (EEA).

7 Contact options via the website
If you contact Cyber Incident Hub via our website, the personal data you submit will be saved automatically. This data which you submit on a voluntary basis will be used for processing purposes or for contacting you. Such data submitted on a voluntary basis are stored exclusively for the purposes of processing your enquiry or contacting you. Our legitimate interest consists of processing your contact enquiries. No personal data will be transferred to third parties.

The services of Intercom are used for making contact through our live chat. You can find further information at https://www.intercom.com/legal/privacy.

You may object to this data processing at any time. Please send your objection to info@cyber-incident-hub.ch. In such case, your data will be erased, and your enquiry will not be processed further, unless this is prevented by statutory retention obligations.

8 Function for commenting and debating
Our website has interactive forums such as chat, blog, message board and other platforms. You can leave individual comments on contributions from other visitors and debate certain topics. In turn, these comments can themselves be commented on by third parties.

If a data subject leaves a comment on an article or comment published on this website, the details about the time the comment was made and the name of the data subject (“real name obligation” under German law) will be saved and published in addition to this comment. The IP address assigned by the data subject’s internet service provider will also be logged. This IP address is saved for security reasons and in case a submitted comment infringes the rights of a third party or illegal content is posted. These personal data are therefore stored in our own interest so that we can provide proof if necessary in the event of a legal violation. None of this collected personal data is passed on to third parties unless the law requires it to be or if it is used to defend the rights of the controllers.

If you would like to object to the processing of your personal data transmitted through the commenting and debating function, please send your objection to info@cyber-incident-hub.ch.

9 Routine erasure and blocking of personal data
Unless expressly indicated as part of this Data Protection Policy, Cyber Incident Hub processes and stores the personal data of data subjects only for the period of time necessary for achieving the storage purpose or where this was provided for by statutory requirements to which Cyber Incident Hub is subject.

If the storage purpose is not applicable, or if any storage period provided by law expires, the personal data is routinely blocked or erased in accordance with legal requirements.

10 Legal grounds for processing
No data will be processed unless there are legal grounds for doing so. The following are such grounds:

  • consent
  • the conclusion or performance of a contract or the enquiry of data subjects in advance thereof (pre-contract)
  • legal obligations
  • protection of a legitimate interest of Cyber Incident Hub or a third party
  • where applicable, vital interests

11 Rights of the data subject
a) Right of access to information

Every data subject has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and to free access to these data and further information and a copy of the data in accordance with statutory requirements.

b) Right to rectification
Every data subject has the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed.

c) Right to erasure (right to be forgotten)
Pursuant to statutory requirements, every data subject has the right to obtain the erasure of personal data concerning him or her without undue delay.

d) Right to restriction of processing
Pursuant to statutory requirements, every data subject has the right to obtain restriction of processing.

e) Right to data portability
Pursuant to statutory requirements, every data subject has the right to receive the personal data concerning him or her, which he or she has provided to Cyber Incident Hub, in a structured, commonly used and machine-readable format and to demand their transmission to another controller.

f) Right to object
Each person whose data is processed has the right to object at any time to the processing of personal data concerning him or her. This also applies to profiling based on these provisions.

Cyber Incident Hub can no longer process the personal data in the event of the objection, unless compelling legitimate grounds for the processing can be demonstrated which override the interests, rights and freedoms of the data subject, or the processing serves the establishment, exercise or defence of legal claims.

g) Automated individual decision-making, including profiling
Pursuant to statutory requirements, every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

h) Right to withdraw data protection consent
Every data subject has the right to withdraw his or her consent to the processing of personal data at any time with prospective effect. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

i) Right to lodge a complaint with a supervisory authority
Depending on the applicable data protection legislation, the data subject may have the right to lodge a complaint with a competent data protection authority.

Please be aware that there are exceptions to these rights. In particular, Cyber Incident Hub must in some cases process and store personal data of data subjects in order to perform a contract with you, safeguard its own vital interests, such as the assertion, exercise or defence of legal claims, or comply with statutory obligations. To the extent legally permissible, Cyber Incident Hub may therefore also refuse your demands relating to data protection or meet them to only a limited extent.

In the event of questions in connection with the data protection practised by Cyber Incident Hub and for information with respect to the rights of data subjects and for asserting them, the data subject can get in touch with Cyber Incident Hub at any time using the contact details listed at the start of this Data Protection Policy. If necessary, Cyber Incident Hub reserves the ability to request the identification of data subjects for the processing of enquiries in a suitable manner.

12 Links to other websites
The Cyber Incident Hub website links to other websites that are not operated by Cyber Incident Hub and are not covered by this Data Protection Policy. After clicking on the link, Cyber Incident Hub no longer has any influence over the processing of any data transferred to third parties (such as the IP address), since the conduct of third parties is naturally outside of our control. Therefore, Cyber Incident Hub also cannot assume any liability for this outside content. The respective provider or operator of the sites is always responsible for the content of the linked sites.

The linked sites were examined at the time the links were created for possible legal violations and discernible infringements of the law. No unlawful content was discernible at the time the links were created. However, absent specific indications of a legal violation, permanent control and review of content cannot be reasonably expected. If we become aware of legal violations, such links will be promptly removed.

13 Collection, processing and use of personal data
13.1 Personal data
Personal data is information about the factual or personal circumstances of an identified or identifiable natural person. This includes, for example, your name and your email address.

13.2 Use of your data for marketing purposes
Besides using your data for sending out newsletters, we may also use your information to display personalised advertising to you.

You can object at any time to the use of your personal data for marketing purposes. Please send your objection to info@cyber-incident-hub.ch.

13.2.1 Newsletter
If you subscribe to our newsletter, the personal data you transmit will be stored for the purpose of sending you the newsletter. The newsletter provides you with information about us and our offers.

If you would like to subscribe to our newsletter, the (self-declared) details marked with a * are required.

We use the double opt-in procedure for sending the newsletter. This means that we will first send you a newsletter by email after you have expressly confirmed that you consent to the sending of the newsletter. We will then send you a notification email and ask you to confirm that you wish to receive our newsletter by clicking on a link contained in this email. If at a later stage you decide you do not want to receive any newsletters from us, you can unsubscribe at any time. An unsubscribe link can be found in each newsletter sent out. Alternatively, you can send your withdrawal to the following email address: info@logicare.ch.

13.2.2 Service recommendations by email
As a customer of Cyber Incident Hub, you will receive product or service recommendations from us by email from time to time. You will receive these recommendations from us regardless of whether or not you have subscribed to a newsletter. This is because we want to provide you with information about products from our range that you might be interested in based on the last services you have used. In doing so we act strictly in accordance with legal requirements. If you no longer wish to receive product recommendations or any marketing messages from us, you can object at any time, without incurring a fee except the dispatch costs as set out in the basic tariffs. In that case please send an email to info@cyber-incident-hub.ch. You can also of course find an unsubscribe link in every email.

13.2.3 Personalised advertising for you
The information we receive from you helps us to continually improve your service experience and structure it in a customer-friendly manner that is personalised for you. The information you have submitted and automatically generated will be used to personalise advertising for you and your interests. For this purpose we use existing information, such as delivery and read receipts of emails, information on a computer and connection to the internet, operating system and platform, your service history, the date and time of a visit to the homepage, articles, topics and content you have viewed.

We use this information exclusively in pseudonymised form. By analysing and evaluating this information, we are able to improve our web pages and our internet offering, and send you personalised advertising. This is advertising that recommends services that you might actually be interested in. Our goal is to make our advertising more useful and interesting for you. Therefore, the evaluation and analysis of the pseudonymised data collected from you helps us to avoid sending you random advertising but rather advertising, such as newsletters and service recommendations, that actually meet your areas of interest. For example, we will determine which of our promotional emails you open to avoid sending unnecessary emails to you.

If you do not wish to receive any personalised advertising, you can object at any time. Please send your objection to info@cyber-incident-hub.ch.

13.2.4 Competitions, market and opinion research
In the case of contests, we use your personal data that are necessary for holding the contest for the purpose of notifying winners and promoting our offers. In some cases, we may forward your personal data to our contest partners, e.g., in order to send you the prize. Participation in the contest and the associated data collection is of course voluntary. Detailed information can be found, where applicable, in our terms and conditions of participation for each contest.

In addition, we use your personal data for market and opinion research. We of course use them exclusively in anonymised form for statistical purposes and only for Cyber Incident Hub. You can find detailed information, where applicable, as part of the respective survey or at the location where you provide your data. Your responses to surveys will not be forwarded to third parties or published. Cyber Incident Hub uses and processes your personal data for market and opinion research solely for its own purposes.

You can object at any time to the use of data for contests and market and opinion research. Please send your objection to info@cyber-incident-hub.ch.

14 Cookies
This website uses cookies. Cookies are small text files that are stored permanently or temporarily when you visit this site. The main purpose of cookies is to analyse the use of this website for statistical evaluation and to make continuous improvements.

You can disable cookies completely or partially at any time in your browser settings. If you disable cookies, you will not be able to access all the functions of this website.

14.1 What are cookies?
Cookies are small files that are stored on your data carrier which hold certain settings and data for exchange with our system via your browser.

There are basically two different types of cookie: session cookies, which are deleted as soon as you close your browser, and temporary/permanent cookies, which are stored on your data carrier for a longer period or without limit. This type of storage helps us to design our web pages and our offers with you in mind and makes it easier for you to use these pages. For example, certain input from you can be stored so that you are not required to enter this repeatedly.

14.2 What types of cookies does Cyber Incident Hub use?
Most of the cookies we use are deleted again from your hard drive at the end of your browser session (i.e. session cookies). We also use cookies which remain on your hard drive. When you visit again we will automatically recognise that you have already visited us and what inputs and settings you prefer.

These temporary and permanent cookies (lifespan of 1 month to 10 years) will be stored on your hard drive and delete themselves after a specified period of time. These cookies are mainly used to make our range more user-friendly, effective and secure. Thanks to these files, it is possible, for example, to show you content on the page that is specially tailored to your interests.

The sole purpose of these cookies is to adapt our range to your wishes in the best possible way and to make it as easy and convenient as possible for you to surf on our site.

We use the following cookies:

Purpose Tool Provider
Necessary elementor WordPress
Necessary wp-wpml_current_language WordPress
Statistics Google Analytics Google
Advertising Google Ads Conversion Google
Advertising Facebook Pixel Meta
Advertising LinkedIn Insight Tag LinkedIn

14.3 What data is stored in the cookies?
Only pseudonymous data is stored in the cookies used by Cyber Incident Hub. The cookie is allocated an identification number when it is activated. Your personal data is not allocated to this identification number. Your name, your IP address and other such data that might allow the cookie to be traced to you directly are not placed in the cookie. We receive only pseudonymised information on the basis of the cookie technology, relating, for example, to which of our pages have been visited, what services, articles or cases have been viewed, etc.

14.4 What is onsite targeting?
The Cyber Incident Hub website uses cookie technology to collect data to optimise our advertising and entire online offering. This data is not used to identify you personally, but only to conduct a pseudonymous evaluation of how the homepage is used. Your data will at no time be combined with the personal data stored with us.

With this technology we can provide you with advertising and/or special offers and services whose content is based on the connection with the information obtained in the clickstream analysis (for example, advertising based exclusively on the content viewed in the past few days on topics such as digital marketing or media relations).

Our objective here is to make our online range as attractive for you as possible and show you advertising which corresponds to your areas of interest.

14.5 Are third party cookies also used?
Cyber Incident Hub uses some advertising partners that help make the internet offering and our website more interesting for you. Therefore, when visiting the website, cookies of partner companies are stored on your hard drive. These are temporary/permanent cookies that are automatically deleted after a specified period of time. These temporary and permanent cookies (lifespan of 14 days to 10 years) will be stored on your hard drive and delete themselves after a specified period of time.

The cookies of our partner companies only contain pseudonyms, mostly anonymous data. This is, for example, data about what products you have viewed, if something was purchased, what products you looked for, etc. Some of our advertising partners record information via the web pages about which pages you have visited before or which products you are interested in for example in order to show you advertising best suited to your interests.

This pseudonymous data is not combined with your personal data at any time. It is only used to allow our advertising partners to show you advertising you might actually be interested in.

14.6 Re-targeting
Our web pages use re-targeting technology. We use these technologies to make our internet offering more interesting for you. This technology makes it possible to target internet users who have already shown they are interested in our website and in our offers shown there with advertising on the websites of our partners.

We believe that personalised, interest-based advertising is generally more interesting to internet users than advertising with no such personal reference. Such advertising is displayed on the pages of our partners based on cookie technology and an analysis of previous usage behaviour. This form of advertising is completely pseudonymous. No usage profiles are combined with your personal data.

The basis for processing your personal data with the aid of cookies depends on whether we ask you for consent. If we ask you for consent and you consent to the use of cookies, the basis for the processing of your data is your consent. If we do not obtain consent from you, we process the personal data processed with the aid of cookies on the basis of our legitimate interests (e.g. in the analysis and optimisation of our services and offers) or, if the use of cookies is necessary, in order to fulfil our contractual obligations.

14.7 How can you prevent cookies from being stored?
In your browser, you can specify that cookies can only be stored with your consent. If you only want to accept Cyber Incident Hub cookies and not the cookies from our service providers and partners, you can change the settings in your browser to block third-party cookies.

The help function in the menu bar of your web browser will usually show you how you can reject new cookies and deactivate those already received. Alternatively, you can visit https://www.aboutcookies.org. There you will find step-by-step instructions about how you can monitor and delete cookies in most browsers.

If using a shared computer set up to accept cookies and flash cookies, we recommend that you always log off completely when ending your session.

15 Log files
Each time you access Cyber Incident Hub’s web pages, usage data is transmitted by the respective internet browser and stored in server log files. The stored data records contain the following data: the date and time of access, the name of the page accessed, IP address, referrer URL (original URL from which you arrived at the web pages), the amount of data transferred, and the product and version information of the browser used.

The IP addresses of users are deleted or anonymised when you end your session on the website. When anonymising, IP addresses are modified so that the individual details about persons or factual circumstances can no longer be attributed to an identified or identifiable natural person or only if a significantly large amount of time, cost and labour is expended.

We evaluate these log file data records in an anonymous form in order to further improve our offering and make it more user-friendly, to find and correct errors more quickly and to manage server capacity. For example, we can determine what times the Cyber Incident Hub website is especially popular and make the relevant data volume available to ensure you can make a purchase as quickly as possible. We can also identify and correct any errors on the Cyber Incident Hub website more quickly by analysing the log files. These purposes also constitute our legitimate interest in data processing.

16 Web analysis
This website uses various services for the purpose of website analysis and tracking, which we explain to you in more detail in the following. In addition, we show you how you can prevent these services from analysing your usage behaviour on our website. If we ask you for your consent to the use of third-party services, the legal basis for this form of data processing is your consent. If we do not obtain your consent, your personal data are processed on the basis of our legitimate interests (i.e., for optimisation and marketing purposes and the appropriate design of our website).

16.1 Google Analytics
This website uses Google Analytics, a web analysis service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or, if you habitually reside in the European Economic Area (EEA) or in Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Google Analytics uses cookies. The information recorded by the cookie on the use of our web pages (including your IP address) can be transferred to a Google server in the USA and stored there.

We use Google Analytics only with activated IP anonymisation. As a result, your IP address is shortened by Google within Switzerland or the EU/EEA.

Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.

Google uses this information to evaluate your use of our web pages, to compile reports on the website activities and to provide further services associated with the use of web pages and the internet for us. In addition, Google will if necessary transmit this information to third parties if this is required by law or if third parties process these data on behalf of Google. The IP address that your browser transmits as part of Google Analytics will not be associated with any other data held by Google.

You can prevent the storage of cookies by selecting the corresponding setting in your browser software. However, please note that you may not be able to use all the functions on our web pages if you choose this option.

You can also prevent the collection and processing of data by Google by downloading and installing the browser plugin available at https://tools.google.com/dlpage/gaoptout?hl=de. This sets an opt-out cookie that prevents the future collection of your data when visiting our website.

You can find further information about Google Analytics and data protection at www.google.com/analytics/terms/de.html and https://policies.google.com/privacy

16.2 Hotjar
This website uses functions of the web service provider Hotjar, operated by Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta. We use Hotjar in order to better understand the needs of our users and to optimise the offer on this website.

The Hotjar technology enables us to gain a better understanding of the experiences of our users (e.g. how much time users spend on certain pages, which links they click on, what they like and do not like, etc.), and that helps us to better understand our users and to optimise the offer on our website. Hotjar works with cookies and other technologies in order to collect information about the behaviour of our users and about their end devices (particularly, the IP address of the device (recorded and stored only in anonymised form), screen size, device type (unique device identifiers), information about the browser being used, location (country only), for displaying our website in the preferred language). You can find further information in Hotjar’s Privacy Policy at https://www.hotjar.com/legal/policies/privacy/.

You can object at any time to data processing by Hotjar. Hotjar offers every user the ability to block the use of Hotjar’s tool with the aid of a “Do Not Track header”, so that no data about the visit to the respective website are recorded. You can find the opt-out option at https://www.hotjar.com/legal/compliance/opt-out.

You can object to the use of Hotjar. For instructions click on: https://www.hotjar.com/opt-out.

16.3 Facebook pixel
We use the Facebook pixel of Meta Platforms, Inc., 1601 Willow Avenue, Menlo Park, CA 94025, USA, or, if you habitually reside in the European Economic Area (EEA) or in Switzerland, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).

The Facebook pixel makes it possible to track the behaviour of users after they were forwarded to our website by clicking on a Facebook advertisement. This enables us to analyse the effectiveness of Facebook advertisements for statistical and market research purposes and to optimise future advertising efforts. The data collected in this way are anonymous to us, meaning that they do not allow us to draw any conclusions about your identity. However, the data are stored and processed by Facebook, making it possible to link to the respective user profile, and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Policy (https://www.facebook.com/about/privacy/). As a result, Facebook can enable the placement of advertisements on Facebook pages as well as outside of Facebook. We have no influence over the use of the data.

Through the use of cookies, Facebook can subsequently recognise you in the Facebook members area and optimise the efficiency of advertisements, e.g. offer advertisements aimed at target groups, in accordance with the Facebook Data Policy. This affects you only if you have a Facebook account and are logged in to the Facebook members area. If you are not a member of Facebook, you are not affected by this data processing.

You can find general information about the use of data by Facebook, your rights in this respect, and options for protecting your privacy in the Facebook Data Policy at https://www.facebook.com/about/privacy/. You can find specific information and details about the Facebook pixel and the way it works in the help section of Facebook https://www.facebook.com/business/help/651294705016616. If you would like to object to collection by the Facebook pixel, you can do this at https://www.facebook.com/settings?tab=ads. To do so, you must be logged in to Facebook.

If you do not have a Facebook account, you can further opt out of the use of cookies used for reach measurement and advertising purposes via the Network Advertising Initiative opt-out page (https://optout.networkadvertising.org/) and additionally the US website (https://www.aboutads.info/choices) or the European website (https://www.youronlinechoices.com/uk/your-ad-choices/).

Further information on Facebook’s data protection can be found at: https://www.facebook.com/policy.

16.4 Google Remarketing
We use the Google Remarketing function to show you ads on Google Ads, Google Display Network and YouTube that are tailored to your interests based on your activities on our website via re-targeting. This is done by means of cookies stored in your browser, which are used by Google to record and evaluate your usage behaviour when visiting various websites. In this way, Google can determine your previous visit to our website. According to its own statements, Google does not combine the data collected in the course of remarketing with your personal data, which may be stored by Google. In particular, according to Google, pseudonymisation is used in remarketing.

According to its own statements, Google does not collect any personal data during this process. If you do not wish to use Google’s remarketing function, you can deactivate it by making the appropriate settings at http://www.google.com/settings/ads. Alternatively, you can deactivate the use of cookies for Google. Alternatively, you can deactivate the use of cookies for interest-based advertising via the advertising network initiative by following the instructions at http://www.networkadvertising.org/managing/opt_out.asp.

If you still do not wish to use Google’s remarketing function, you can deactivate it in principle by making the corresponding settings at https://adssettings.google.de. Alternatively, you can disable the use of cookies for interest-based advertising via the advertising network initiative by following the instructions at https://optout.networkadvertising.org/?c=1.

Further information on Google Remarketing data protection can be found at https://policies.google.com/privacy?hl=de and https://services.google.com/sitestats/de.html.

16.5 Google Ads
We use Google Ads, an online advertising programme from Google. Google Ads uses cookies to analyse website usage. A cookie is set if you have accessed our website via a Google ad. Cookies of this type have a limited validity, do not contain any personal data and are therefore not used for personal identification. If you visit certain Cyber Incident Hub web pages and the cookie has not yet expired, we and Google will be able to recognise that you clicked on the ad and were redirected to that page.

You can generally prevent cookies from being stored by deactivating the storage of cookies in your browser. Furthermore, you have the option to object to interest-based advertising by Google Ads by making the appropriate settings at https://adssettings.google.de.

Further information on the data protection of Google Ads can be found at https://policies.google.com/privacy?hl=de and https://policies.google.com/technologies/ads?hl=de.

16.6 Google Marketing Platform
We use the online marketing tool Google Marketing Platform (“GMP”) from Google. GMP uses cookies to serve ads that are relevant to users, to improve campaign performance reports, or to prevent a user from seeing the same ads more than once. Google uses a cookie ID to record which ads are shown in which browser and can thus prevent them from being shown more than once.

In addition, GMP can use cookie IDs to record so-called conversions, i.e. whether a user sees a GMP ad and later visits the advertiser’s website and makes a purchase there. According to Google, GMP cookies do not contain any personal information.

Your browser automatically establishes a direct connection with Google’s server. We have no influence on the scope and further use of the data collected by Google through the use of this service. According to Google, the integration of GMP provides Google with the information that you have accessed the relevant part of our website or clicked on one of our advertisements. If you are registered with a Google service, Google can assign the visit to your user account. Even if you are not registered with Google or have not logged in, it is possible for the provider to obtain and store your IP address. The use of GMP may also result in the transmission of personal data to Google servers in the USA.

You may refuse the use of cookies by selecting the appropriate settings on your browser, or by disabling Google’s interest-based advertising by clicking on the appropriate link on https://adssettings.google.com. Please note that in this case you may not be able to use the full functionality of this website.

Further information on the data protection of Google Marketing Platform can be found at https://marketingplatform.google.com/.

16.7 LinkedIn Pixel
We use the LinkedIn Pixel of the LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA, or if you are a resident of the European Economic Area (EEA) or Switzerland, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”).

In particular, the LinkedIn pixel allows us to track users’ actions after they have seen or clicked on a LinkedIn advertisement. This allows us to evaluate the effectiveness of LinkedIn ads for statistical and market research purposes and to optimise future advertising measures. The data collected in this way is anonymous for us, so it does not allow us to draw any conclusions about your identity. However, the data is stored and processed by LinkedIn, so that a connection to the respective user profile is possible and LinkedIn can use the data for its own advertising purposes, in accordance with the LinkedIn data protection policy: https://www.linkedin.com/legal/privacy-policy. This allows LinkedIn to enable the placement of advertisements on LinkedIn pages as well as outside of LinkedIn. We cannot influence this use of data.

LinkedIn members can control the use of their personal data for advertising purposes in their account settings at the following link https://www.linkedin.com/psettings/advertising/actions-that-showed-interest. To do this, you must be logged in to LinkedIn.

If you are not a member of LinkedIn, you can object to the use of cookies used for reach measurement and advertising purposes via the Network Advertising Initiative deactivation page (http://optout.networkadvertising.org/) and additionally the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

Further information on data protection at LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy.

16.8 Twitter Pixel
We use the Twitter Pixel of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, or if you have your habitual residence in the European Economic Area (EEA) or Switzerland, Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland (“Twitter”).

In particular, the Twitter pixel allows us to track users’ actions after they have seen or clicked on a Twitter ad. This allows us to evaluate the effectiveness of the Twitter ads for statistical and market research purposes and to optimise future advertising measures. The data collected in this way is anonymous for us, so it does not allow us to draw any conclusions about your identity. However, the data is stored and processed by Twitter so that a connection to the respective user profile is possible and Twitter can use the data for its own advertising purposes in accordance with the Twitter data protection policy: https://twitter.com/privacy. This enables Twitter to display advertisements on Twitter pages and outside of Facebook. We cannot influence this use of the data.

If you wish to object to the collection by the Twitter pixel, you can do so by making the appropriate settings at https://twitter.com/settings/account/personalization. You can change your data protection settings and consent for Twitter in the account settings at https://twitter.com/account/settings.

You can also deactivate (all) cookies that are used for range measurement and advertising purposes via the following link: https://www.aboutads.info/choices.

Please note that this setting will be deleted when you delete your cookies.

Further information on Twitter’s data protection can be found at: https://twitter.com/de/privacy.

17 Google Maps
This website uses the Google Maps service provided by Google LLC (“Google”). This enables us to show you interactive maps directly on the website and allows you to use the map function conveniently. By using Google Maps, information about your use of our website (including your IP address) may be transmitted to a Google server in the USA and stored there. Google may store this data as usage profiles for the purpose of tailoring its services, advertising and market research. If you are logged in to Google, your data will be directly assigned to your account. If you do not wish this, you must log out beforehand. If you do not agree to the processing of your data, you have the option of deactivating the Google Maps service and thus preventing the transfer of data to Google. To do this, you must deactivate the JavaScript function in your browser. However, we would like to point out that in this case you will not be able to use Google Maps, or will be able to use it only to a limited extent.

You can find further information on the data protection of Google Maps at http://www.google.com/intl/de_de/help/terms_maps.html or at https://policies.google.com/privacy.

18 Social plugins
Our website uses social plugins (“plugins”) from various social networks. With the help of these plugins you can, for example, share content or recommend products. The plugins are activated by default on cyber-incident-hub.ch.

The content of the plugin is transmitted directly to your browser by the social network and integrated into the website by it. By integrating the plugins, the social network receives the information that you have accessed the corresponding page of our website. If you are logged in to the social network, it can assign the visit to your account. If you interact with the plugins, for example by clicking the Facebook “Like” button or posting a comment, the corresponding information is transmitted directly from your browser to the social network and stored there.

Even if you are not logged in to the social networks, data can be sent to the networks by websites with active social plugins. An active plugin sets a cookie with an identifier every time the web page is called up. Since your browser sends this cookie with every connection to a network server without being asked, the network could in principle use it to create a profile of which web pages the user belonging to the identifier has called up. If necessary, it would then be possible to assign this identifier to a person again later – for example, when logging on to the social network later.

If you do not want social networks to collect data about you via active plug-ins, you can select the function “Block third-party cookies” in your browser settings; your browser will then not send any cookies to the respective server of the social network. However, with this setting, in addition to the plugins, other cross-page functions of other providers may also no longer function.

For more information on the purpose and scope of data collection and the further processing and use of your personal data, please refer to the data protection notices of the respective networks. There you will also find further information on your rights in this regard and setting options for protecting your privacy as well as your right to object to the creation of user profiles. We currently use the following plugins of the following social networks on our website:

18.1 Facebook
We use plugins from the social network facebook.com, which is operated by Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, or if you have your habitual residence in the European Economic Area (EEA) or Switzerland, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The link to Facebook’s privacy policy can be found here: Facebook privacy policy.

18.2 Twitter
We use plugins from the social network Twitter, which is operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA or, if you are a resident of the European Economic Area (EEA) or Switzerland, Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (“Twitter”). The link to Twitter’s privacy policy can be found here: Twitter Privacy Notice.

18.3 LinkedIn
We use plugins of the social network LinkedIn, which is operated by LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA, or if you have your habitual residence in the European Economic Area (EEA) or Switzerland, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). You can find the link to LinkedIn’s privacy policy here: LinkedIn data protection notice.

18.4 Intercom
We use the chat solution of Intercom, which is operated by Intercom Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA (“Intercom”). The link to Intercom’s privacy policy can be found here: Privacy Notice of Intercom.

18.5 Instagram
We use plugins of the social network Instagram, which is operated by Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, or, if you have your habitual residence in the European Economic Area (EEA) or Switzerland, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). You can find the link to Instagram’s privacy policy here: Privacy Policy of Instagram.

18.6 YouTube
We use plugins from YouTube, which is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, or if you have your habitual residence in the European Economic Area (EEA) or Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). You can find the link to Google’s privacy policy here: Google Privacy Notice.

19 Version
Version 07.02.2022. Subject to change or adaptation at any time.

© 2021 Cyber Incident Hub

Imprint & contact details - Cyber Incident Hub

Responsible for this website:

Cyber Incident Hub
represented by:
Farner Consulting AG
Dr. Daniel Heller

Address
Löwenstrasse 2
8001 Zurich
Switzerland

Phone: +41 44 266 67 67
E-mail: info@cyber-incident-hub.ch
Web: www.cyber-incident-hub.ch

UID number: CHE-105.833.189

You can find out what data is processed when you visit our website in our privacy policy. Please also note the terms of use of this website.

Terms of use – Cyber Incident Hub

Copyright
Unless indicated otherwise, the copyright for all content on this website is held by Cyber Incident Hub or one of its contracting partners. It is prohibited to use the content (especially images and graphics) without obtaining prior permission from Cyber Incident Hub.

User Rights and Obligations
Users of this website have the option of starting a dialogue with Cyber Incident Hub via the chat function. The corresponding posts/questions are published on the Cyber Incident Hub website together with the comments/answers. You must provide your email address or Twitter username to be able to use the chat function. Cyber Incident Hub reserves the right to delete and/or not respond to indecent or illegal posts/questions.

Disclaimer
All texts and links have been checked carefully and are continually updated. We endeavour to provide correct and complete information on this website, but we do not assume responsibility, liability or make any warranty whatsoever that the information supplied through this website is correct, complete, or up to date. All liability is excluded for damages of any nature that are incurred in connection with accessing, using, or retrieving the website or information contained on it. We reserve the right to alter information on this website at any time and without prior notice, and we are under no obligation to update the information contained on it. All links to external providers were checked for accuracy at the time of their inclusion; we are nevertheless not liable for the content and availability of any websites reached via hyperlinks. Such websites are accessed and used at one’s own risk. The provider of the website to which the link was made is solely responsible for illegal, incorrect, or incomplete content, and especially for damages arising from the content of linked pages. This applies irrespective of whether the damage is direct, indirect, or financial in nature, or whether it is some other kind of damage that could occur as a result of data loss, loss of use, or any other reason.

Severability clause
If individual provisions of these Terms of Use should be or become ineffective, this does not affect the content and validity of the remaining provisions, and the ineffective provision is to be replaced by an effective provision that most closely approximates the purpose of the ineffective provision.

Governing Law, Jurisdiction
These Terms of Use are governed exclusively by Swiss law. The exclusive jurisdiction is Zurich.

Version 07.02.2022. The right to change or adapt the content at any time is expressly reserved.