Abstract
The following position paper discusses the topic of employee criminal liability in the context of ransomware attacks. Through a series of case studies, it analyses whether, under Swiss law, employees who have facilitated the success of an attack can be qualified as co-authors or accomplices. After an overview of the applicable legal framework, this paper analyses three case studies inspired by actual ransomware attacks. It focuses in particular on the element of intent, which is a prerequisite in most cybercrime laws, and which can, under certain conditions, also be applied to behaviors that appear to be the result of "mistakes"; it also discusses the role that in-house cybersecurity training (or the lack thereof) can have in this context. Drawing from the results of the analyzed cases, this paper then presents a series of recommendations aimed at reinforcing cybercrime prevention within institutions, while also touching upon topics such as cyber insurance and certification labels.