Will VENOM’s strike poison your shared infrastructure?

The fangs of a newly found security vulnerability in virtual computing systems were revealed by security researchers at CrowdStrike last week. Named “VENOM”, its announcement calls attention to a previously unrecognized risk that may impact millions of systems around the world, as well as disrupt normal business as IT organizations scramble to patch affected systems.

VENOM stands for Virtualized Environment Neglected Operations Manipulation. It affects some, but not all, virtualization management systems in use within organizations and cloud service providers today. It highlights a weakness in some virtual systems where a hacker, after gaining access to one company’s secure network, could then jump to other independent companies that just happen to share virtual server space.

This new vulnerability appears to be of a similar scale to the Heartbleed vulnerability discovered in OpenSSL last year; however, this new issue has the potential to impact across organizational and company boundaries. Most organizations use server virtualization in some form today. The use of “cloud” servers crested the 50% mark this last year and is expected to hit 86% adoption by 2016, according to CIO Insights.

Read more…

If you have any questions, please contact us.

When data hinders, not helps

Many organizations operate a dedicated department specifically for combatting Cyber Security threats. These are typically called “SOCs”, or Security Operation Centres.

The SOC collates information from across the organization and from external agencies to form a strategy to prevent, detect and respond to cyber attacks and security issues. The more data the SOC has access to, the more accurate a security picture they can obtain, and more detailed analysis can be performed, either to investigate issues or help prevent them from occurring. But more access means more data to analyse.

The nature of security threats has changed significantly in recent years and the “security in depth” principle has led to the implementation of numerous security-specific technologies into the organization, which creates yet more data for the SOC to monitor and react to.

This creates a new problem: how much data is too much data?

Let’s examine a fictional 250-person company, and watch what happens to the amount of data the SOC has to process.

In 2005, this organization would have had a number of servers, a firewall, some first-generation anti-virus programs, a basic network, and some basic web services. It typically generated around 6.5 GB of log data per day, all of which the SOC would examine for specific signs of security issues. With a small team, and in a 2005 threat landscape, this was achievable.

However, in 2015, that same organization has doubled in size. It has new offices, it has VPN and mobile devices, it has new business applications, it has additional security technology such as malware filters, data loss analysers and intrusion detection systems. It has the latest generation of web technology. The threat profile is now very different and much more advanced. The resulting log data is now 30 GB per day.

The net effect? An increase in log volume of over 450%.

When data hinders

Chances are, the organization has not invested in resources for the SOC for financial reasons after the financial crisis, so the existing team is now overstretched and in danger of not being able to correctly detect and prevent security issues.

In addition there is a heightened awareness of cyber risks at senior levels in organisations and increased regulatory scrutiny of how cyber risks are being managed, creating additional expectations and pressure on the SOC.

This combination of factors makes managing a SOC and meeting the increasing expectations of key stakeholders a challenge. There are however some useful strategies that can help to address this very modern problem. I will discuss them in more detail in future blogs, but here is a quick overview:

  1. Know the Enemy
    The SOC is responsible for detecting and preventing security issues from occurring, but it can only do this effectively if it knows what it is supposed to be detecting. Leading SOCs invest in external intelligence sources to help prioritise SOC spend and resource to focus on the threat detection and mitigation with the greatest risk.
  2. Know the business
    Often a large organization will operate in silos, with departments not necessarily communicating their activities to other areas. This can have a dramatic effect on the SOC, as something as simple as an application upgrade can suddenly increase log data with no warning. An effective SOC will establish a two-way dialog with key business areas regarding security trends, recent findings, and upcoming business activities.
  3. Know the assets
    A good SOC knows where all the important assets are, and focuses its energies on monitoring and protecting those assets. Each asset has a formal security rating, and the rating will dictate the security precautions required. For example, protecting customer data is far more important than protecting the stationery ordering service.
  4. Know the data
    Knowing the difference between a message and a warning is a key skill of the SOC, and it makes sense to invest in a working framework and SIEM applications which help filter and prioritise messages. Create dashboards which show only security-specific information. For example, if there were 10,000 successful logons to an e-banking service, this is not really a security concern; however, if a customer logs on from 3 countries at the same time, that is an issue that needs a SOC reaction.
  5. Know your staff
    Managing the SOC often involves lots of repetitive activity watching data. This can quickly lead to complacency and missed signals. Just as important, it can result in demotivation, burnout, reduced performance and even loss of staff. One way SOCs are overcoming this is to rotate staff around functions, so every member of the team is required to spend 25-30% of their time working on new dashboards, on new filters, improving forensic performance, trend analysis, attending security events and interacting with the other departments.
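
The rule described under “Know the data”, as an added example that is not part of the original post: it ignores sheer logon volume and raises an alert only when one account has successful logons from three or more countries inside a short window. The log format, the account names, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def build_sample_events():
    """Constructed sample log lines: '<timestamp> <account> <country> <outcome>'."""
    base = datetime(2015, 5, 20, 9, 0, 0)
    lines = []
    # alice: 200 successful logons from one country (high volume, no anomaly).
    for i in range(200):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.strftime(TS_FORMAT)} alice CH success")
    # bob: three countries, but hours apart (outside the window).
    lines += [
        "2015-05-20T09:00:00 bob CH success",
        "2015-05-20T11:00:00 bob DE success",
        "2015-05-20T15:00:00 bob FR success",
    ]
    # carol: three countries within five minutes (the case the SOC must see).
    lines += [
        "2015-05-20T10:00:00 carol CH success",
        "2015-05-20T10:02:00 carol BR success",
        "2015-05-20T10:05:00 carol SG success",
    ]
    # dave: three countries in the window, but every attempt failed.
    lines += [
        "2015-05-20T10:00:00 dave CH failure",
        "2015-05-20T10:01:00 dave RU failure",
        "2015-05-20T10:02:00 dave US failure",
    ]
    return lines


def parse_event(line):
    """Split one log line into (timestamp, account, country, outcome)."""
    ts, account, country, outcome = line.split()
    return datetime.strptime(ts, TS_FORMAT), account, country, outcome


def multi_country_logons(lines, window=timedelta(minutes=10), min_countries=3):
    """Return {account: sorted countries} for accounts whose successful logons
    come from at least min_countries countries inside one sliding window."""
    recent = defaultdict(deque)  # account -> (timestamp, country) still in window
    alerts = {}
    for ts, account, country, outcome in sorted(parse_event(l) for l in lines):
        if outcome != "success":
            continue  # this rule, like the text, only looks at successful logons
        seen = recent[account]
        seen.append((ts, country))
        # Drop logons that have fallen out of the sliding window.
        while ts - seen[0][0] > window:
            seen.popleft()
        countries = {c for _, c in seen}
        if len(countries) >= min_countries:
            alerts.setdefault(account, set()).update(countries)
    return {account: sorted(c) for account, c in alerts.items()}


if __name__ == "__main__":
    for account, countries in multi_country_logons(build_sample_events()).items():
        print(f"ALERT {account}: successful logons from {', '.join(countries)}")
```

Out of 209 constructed events, only the three belonging to carol reach the dashboard; alice's 200 logons do not.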

Transforming the SOC to meet the challenges of today requires an intelligent approach to how companies manage cyber security and their own critical information assets. To discuss how PwC can help you improve the effectiveness of your cyber security management, please contact Euan Ramsay.

The impact of Swiss Corporate Tax Reform III (CTR III)

Position paper of PwC Switzerland

Background

CTR III is a consequence of the tax dispute between Switzerland and the EU and a response to the internationalisation of tax competition. In the face of increasing pressure, Switzerland relented and reached an agreement with the EU, under which it must align its corporate taxation with international standards. Specifically, this involves the equal treatment of foreign and domestic income, the abolition of tax benefits for certain types of companies and the reconsideration of tax reliefs.

Objectives

With CTR III, the Swiss Federal Council has laid the foundations for Switzerland as an attractive business location. The new system is intended to strengthen Switzerland’s position as a competitive tax location and a reliable partner for domestic and international groups and Swiss SMEs. This should help to create and maintain attractive jobs and to consolidate the prosperity of Swiss society. In addition, the system seeks compliance with international standards and the safeguarding of a balanced corporate tax base.

Read more in our position paper.

If you have any further questions please contact:

Andreas Staubli
Partner, Leader Tax & Legal
andreas.staubli@ch.pwc.com
+41 58 792 44 72
Armin Marti
Partner, Leader Corporate Tax
armin.marti@ch.pwc.com
+41 58 792 43 43
Laurenz Schneider
Director Corporate Tax
laurenz.schneider@ch.pwc.com
+41 58 792 59 38
Claude-Alain Barke
Partner Tax & Legal Romandie
claude-alain.barke@ch.pwc.com
+41 58 792 83 17
Remo Küttel
Director Tax & Legal
remo.kuettel@ch.pwc.com
+41 58 792 68 69
Gil Walser
Senior Manager Tax & Legal Romandie
gil.walser@ch.pwc.com
+41 58 792 67 81
Benjamin Koch
Partner, Leader Transfer Pricing and Value Chain Transformation
benjamin.koch@ch.pwc.com
+41 58 792 43 34

Moving HR to the Cloud?

Navigate key barriers to boost success.

It’s no surprise that more and more companies are moving their HR applications to the cloud to boost innovation, increase flexibility and control costs. The shift, now at a frenzied pace, is fueling tremendous growth in the HR technology space. It is also creating uncertainty for HR business and technology leaders who are struggling with important questions such as:

  • Is the cloud right for my organization?
  • Does it make sense to move everything to the cloud or just certain process areas?
  • Is the move paying off for the early adopters?
  • What challenges are organizations facing with their migrations to cloud?

PwC’s 2014 HR Technology Survey of nearly 270 US-based companies, including a range of industries and company sizes, provides insight into these and other important issues facing today’s HR business and technology leaders. Clearly, the shift from on-premise Human Capital Management (HCM) to cloud-based HCM applications is a significant trend that cannot be ignored. Yet, despite high levels of satisfaction, HR business and technology leaders are finding that moving to the cloud requires a transformational mindset — one that many seem to undervalue and oversimplify.

The HR technology options to enable today’s business and people strategies can be overwhelming. In this paper, we’ll first look at the industry landscape, including the types of organizations moving to the cloud, top HR technology investments, and major trends driving HR cloud adoption. Next, we’ll look at primary challenges that HR business and technology leaders are encountering along the way. We’ll also provide key considerations to help smooth the transition and help make the journey worthwhile.

Download the survey results here.

If you have any further questions please contact me.

Swiss Federal Supreme Court rules in Withholding Tax Case for Danish banks

The Swiss Federal Supreme Court has delivered two judgements regarding Swiss withholding tax refund cases for two Danish banks involved in derivative transactions over dividend ex-date with Swiss equities. In both cases, the Swiss Federal Supreme Court ruled in favour of the Federal Tax Authority (FTA) and overruled the previous decisions taken by the Federal Administrative Court.

The cases under scrutiny

In the first case, a Danish bank entered into various total return swap transactions with counterparties in the EU and the US relating to Swiss equities. To hedge the exposure from the total return swaps, the Danish bank bought the necessary Swiss equities from various parties. Upon the maturity of the total return swaps, the shares were sold to different parties than those from whom the bank had previously sourced the shares. Under the swaps the Danish bank had to pay to the counterpart an amount equivalent to the dividend received.

The second case relates to a subsidiary of a Danish bank that had entered into derivative transactions by selling (OTC) SMI futures through Eurex and a broker and that had hedged this short position by buying the necessary Swiss equities from a different platform/broker. Upon the maturity of the SMI futures, the derivative positions were either closed (and the Swiss equities sold) or rolled into further SMI future contracts.

In both cases, dividends received during the maturity of the trade were subject to 35% Swiss withholding tax for which a full refund was claimed under the former Swiss-Danish double tax treaty (the current amended treaty only provides for a partial refund on portfolio holdings). In both cases, the FTA had denied the refund of Swiss withholding tax and was then overruled in the Federal Administrative Court.

Decisions of the Swiss Supreme Court

In its public hearing of 5 May 2015, the Swiss Supreme Court overruled the decisions taken by the Federal Administrative Court and decided in favour of the FTA.

Regarding the first case, the court was of the opinion that the Danish bank should not be regarded as being the beneficial owner of the dividends. This ownership was given up at the moment in time where the funds received as dividends were paid out to the counterparty of the swap agreement as there was, in the view of the Swiss Supreme Court, an on-payment obligation under the total return swap agreements entered into by the Danish bank. Further to this obligation, the bank was no longer in a position to freely dispose of the dividend proceeds received and, in addition, the total return swap entered into put the bank in a position of being fully relieved of any risk associated to the underlying long position in Swiss equities. Hence, the bank had given up its beneficial ownership of the underlying Swiss equities.

In the second case, the underlying facts were more abstract and, in the view of some judges, insufficiently established by the FTA. Nevertheless, the Swiss Supreme Court was of the opinion that it would have been the Danish claimant’s call to assist the FTA in establishing the right facts and circumstances. Hence, the majority of the judges were of the view that the volumes of SMI futures traded and the fact that only a limited number of parties were involved in the transaction were sufficient evidence to conclude that the bank had given up its beneficial ownership and had to forward the dividend proceeds, the prices for which had been partially pre-determined in the sold (OTC) SMI futures.

Appraisal of the decisions

The Swiss Supreme Court has now issued two leading decisions with regard to the question of beneficial ownership which will have an important impact on the numerous other cases pending with the Swiss courts and the FTA. Although the Swiss Supreme Court’s exact line of argumentation will only be available in a couple of weeks, after the entire decisions including the motivation have been published, these decisions are effectively increasing the hurdles for a refund of Swiss withholding tax for derivative transactions with underlying Swiss equities – not only in an international but also in a domestic context.

It is now clear that the Swiss Supreme Court is of the view that anyone transferring a received dividend to a counterpart of a derivative instrument while not being in a risk-taking position will most likely have relinquished their beneficial ownership to the underlying Swiss equity and with this their right to claim Swiss withholding tax.

Pending claims as well as new derivative transactions that may give rise to a Swiss withholding tax refund claim should carefully be evaluated on the basis of the recent decisions of the Swiss Supreme Court once the written decision is available.

Victor Meyer
Partner Corporate Tax
victor.meyer@ch.pwc.com
+41 58 792 43 40
Martin Büeler
Partner Corporate Tax
martin.bueeler@ch.pwc.com
+41 58 792 43 92
Dieter Wirth
Partner Corporate Tax
dieter.wirth@ch.pwc.com
+41 58 792 44 88
Luca Poggioli
Director Corporate Tax
luca.poggioli@ch.pwc.com
+41 58 792 44 51

The most extraordinary technology of all

The role of people in a digital world

In the digital world, everyone can be heard and everyone can contribute. We live in an age where Twitter has created an army of frontline news reporters at major events and disasters and where community forums such as tripadvisor and glassdoor roar the opinions of millions. The omnipresence of mobile devices has accelerated this trend; last year we reached the point where the number of mobile-connected devices in circulation exceeds the world’s population. Digital success is not about securing the best technology; the true value comes from the way your people use it.

During a transformation as rapid and life-altering as the digital age, the most dangerous thing an organisation can do is lose sight of the value of its people. The best, most innovative technology in the world won’t create value on its own. Success in the digital age doesn’t come down to securing the latest technology or by cutting costs through automation; it comes down to striking the right balance between digital and human innovation. A people strategy for the digital age.

Read more here.

The Federal Court rules against the FTA’s 25/75% practice

Impact on non-profit organisations

In an explicit manner, the Swiss Federal Court has ruled against the Federal Tax Administration’s (FTA) so-called 25/75% practice regarding VAT liability and the right to register for VAT purposes in Switzerland.

The case related to a foundation operating a museum which covered less than 25% of its costs by revenues generated from supplies of goods and services, respectively more than 75% of its costs were financed by non-considerations, such as donations, subsidies, capital contributions, etc. In accordance with the 25/75% practice, the FTA claimed that the foundation cannot be considered a taxable person and cancelled the VAT registration of the foundation retroactively from 1 January 2010.

In its judgement 2C_781/2014, dated 19 April 2015, the Swiss Federal Court has decided that this practice is inconsistent with the VAT Law. Even if, as in the case at hand, the foundation’s costs are covered far below 25% by considerations for supplies of goods or services, the VAT registration cannot be denied.

The Federal Court dismissed the argument of the FTA in relation to the 25% threshold stating in its judgement that: “within a business activity there cannot be a non-business area. A non-business activity, which is not entitled to input VAT deduction, cannot be simply presumed, but must be clearly and unequivocally independent to the business activity”. As a result, the foundation will be reinstated in the VAT Register with retroactive effect as of 1 January 2010 and will likely be reimbursed a significant (six figure) VAT amount from the FTA.

For non-profit organisations this judgement has significant consequences:

  1.  If a non-profit organisation performs business activities, it is liable for the VAT and must register, when its turnover from such business activities exceeds the threshold of CHF 150,000 (for cultural, sport or other organizations pursuing goals in the public interest) or CHF 100,000 (for organisations not falling under the previous category). In case the organisation’s turnover is below the threshold, the possibility for opting for voluntary VAT registration should be investigated.
  2. Where the organisation does not perform non-business activities which are clearly and unequivocally independent from its business activities, it should be entitled to full input VAT deduction, unless the organisation carries out supplies of goods and services exempt from tax without credit or receives subsidies.
  3. If an organisation has been de-registered for VAT purposes due to the discussed practice of the FTA as of 1 January 2010, it is worth analysing the possibility of the organisation to claim retroactive VAT registration and the related input tax.
  4. If the organisation has, besides its business activity, a clearly independent non-business area of activity, the allocation and therefore the input VAT deduction right should be examined.

In any event the FTA will have to revise its current practice and take a decision which is already overdue. Taking into account the Swiss Federal Court’s clear judgement it is worthwhile to act proactively and take the opportunity to analyse the VAT position of your organisation and submit your proposed solution to the FTA.

Download this document

Contacts:

Olivier Comment
Senior Manager
PwC Switzerland
Tel. +41 58 792 81 74
Email: olivier.comment@ch.pwc.com

Gergana Chalakova
Assistant Manager
PwC Switzerland
Tel. +41 58 792 92 02
Email: gergana.chalakova@ch.pwc.com

FRTB Case Study: Overcapitalisation Due to Data Insufficiencies

Under the upcoming regulation discussed in a series of consultative papers titled “Fundamental review of the trading book” the methodology for calculating capital requirements is going to change significantly. The required capital will be driven by the risk factors the trading book is exposed to. One interesting aspect of this new method is that risk factors are associated with certain buckets and diversification effects between those buckets are taken into account. However, in cases where it is not possible to allocate a position to a bucket due to insufficient data, these positions are mapped to the so-called residual bucket, to which the maximum risk weight is assigned and no diversification effects are recognised.

Here we are going to look at a sample equity portfolio to learn about how the data quality influences the amount of required capital. Let us start with a Swiss market portfolio whose asset allocation is based on the SMI. The required capital due to equity risk for this sample is 18.7% of the portfolio value. But we additionally determined the degree of overcapitalisation, i.e. the percentage increase of required capital, for all scenarios of insufficient data. The results can be seen in the histogram below.

Figure: Histogram of overcapitalisation due to data insufficiency for an SMI stock portfolio

Note that most scenarios yield an overcapitalisation of more than 50%. In fact, assuming data error scenarios are uniformly distributed, the overcapitalisation will be above 50% at a confidence level of 99%! And the expected value of overcapitalisation is 167%, i.e., insufficient data can be expected to more than double the capital requirements in this sample.

Of course, one can say that it is more reasonable to expect that single data errors are quite common, while it is rather improbable that they cluster. So instead of taking the data error scenarios to be uniformly distributed, we should assume an exponential decay with the number of data errors in the scenario. The decay rate is then a measure of data quality directly associated with the number of expected data errors. The graphic below illustrates how a decrease in data quality yields an increase in required capital for our sample SMI portfolio.

Figure: Expected overcapitalisation by data quality for SMI portfolio

It is interesting to see that a low data error ratio of 12.5%, that is 2.5 expected data errors for our sample portfolio, already doubles the required capital.

OK, let us look at a bigger sample equity portfolio based on the EuroStoxx 50. Apart from 15% required capital for FX risks (assuming the reporting currency is CHF), the capital charge for equity risk is 19.5% of the portfolio value. Since the portfolio contains more than twice as many assets, it is tough to consider every data error scenario. But we can specify the data quality (10% expected ratio of data errors) and perform a Monte Carlo simulation. The results are below:

Figure: Overcapitalisation of a portfolio based on the EuroStoxx allocation due to data insufficiencies assuming an expected ratio of data errors of 10%.

The expected overcapitalisation for this sample portfolio and data quality is 48% with a standard deviation of 20%.

What do we get from this? Well, due to the structure of the new approach to capital requirements, where assets that cannot be assigned to a specific bucket are mapped to the residual bucket, required capital can substantially increase due to insufficient data quality. This is mainly due to the fact that in the residual bucket no diversification effects are taken into account. Additionally, the risk weight in the residual bucket coincides with the maximum risk weight of the standard buckets. Since all companies represented in the SMI are located in an advanced economy, their risk weights are usually low. Being forced to map them to the residual bucket thus increases the assumed stress significantly. It is therefore important to check and update your data infrastructure early on to avoid unnecessarily bound capital.

Any questions? Do not hesitate to contact us and check out our previous blog entry.

New European Union Implementing Regulation for company vehicles registered in Switzerland

Do you provide company vehicles for the use of your cross-border employees? These new rules could affect you!

New regulation for company vehicles

The entry into force of the new European Union Implementing Regulation (EU) 2015/234 as of 1 May 2015 means that company vehicles registered in Switzerland and placed at the disposal of employees resident in the EU will be subject to customs duties if they are used for private purposes.

In cases of non-compliance with European customs regulations, the user, i.e. the employee, becomes liable for the corresponding import duties and taxes as well as any fines for not clearing the vehicle through customs.

Company vehicles registered in Switzerland and used by employees residing in Switzerland are not affected by this change. However, for cross-border commuters, companies have to distinguish between those who use such vehicles purely for professional purposes and those who use them for professional and personal ends.

(i) In the first case, a cross-border commuter using a vehicle only for the journey to and from home to the place of work and to carry out professional activities specified in the employment contract may continue as before under the current rules (temporary admission procedure, which suspends customs duties and import tax). It is essential for companies to amend employment contracts and other internal regulations, where necessary, to reflect the intended use of vehicles. Moreover, a copy of the employment contract should be kept in the vehicle at all times.

(ii) The second case is more challenging because the employers must decide whether to continue to allow personal use of the vehicle.

If the employer were to prohibit the personal use of the vehicle, the employment contract would have to be modified. This has consequences, especially in terms of compensation, social security contributions and the tax regime of both the employee and the company.

If personal use is allowed to continue, the vehicle must be cleared through customs (10% customs duty, 20% non-refundable VAT) and several issues have to be resolved:

  • What is the value of the vehicles to be declared, as there is no sale? Customs recommends the Argus value, but based on the French regulations in force and our experience it could be reduced.
  • What measures can be taken to reduce the customs duties? Is there an alternative to the temporary admission procedure to reduce the customs duties owed?
  • What formalities have to be respected?

Urgent action is needed, therefore, to ensure the use of company vehicles complies with European Union law. Our teams in France and Switzerland are at your disposal to assist you through the steps of the two approaches:

1. Clearing the vehicle through customs with the aim of maintaining stable employment contracts for cross-border commuters

Our teams can support you to:

(i) Minimise the impact of customs clearance of vehicles currently placed at the disposal of employees (clearance for personal use vs. other regime, determining the customs valuation);

(ii) Accelerate customs clearance (i.e. EORI registration, support in instructing customs agents as well as training HR teams to deal with the customs expenses now inherent when providing a company vehicle and with ‘crisis situations’ (e.g. if an employee’s vehicle is confiscated by French customs officers, negotiations over fines levied by customs, etc.)).

2. Adapt current practices: prohibiting any purely personal use of the vehicle.

Our Swiss team supports you in making the required changes to employment contracts, internal regulations and other relevant documents while ensuring they comply with the other fiscal and social obligations of the company (the valuation of fringe benefits, social security contributions as well as personal and corporate tax).
Whatever the situation, we study the specific needs of your organisation and help you implement solutions tailored to your company’s fleet management.

Download this document

Megatrend financial centre – Opinion paper on insurance industry

Revision of insurance supervision legislation: overview of key factors

Current insurance supervision rules date back to 2005. Countless new regulations have since been created worldwide, which is why Switzerland must adapt its regulations to meet international standards. A key aspect of the revision is the adaptation of Swiss standards to the requirements of the EU’s Solvency II guidelines that take effect in 2016. The revision’s aim is to ensure that Swiss insurance companies have the same opportunities as their European competitors. The new regulations are to be introduced in Switzerland with effect from 1 July 2015. The Swiss Financial Market Supervisory Authority (FINMA) will determine the implementation dates of their individual aspects. The key changes affect the following points:


Read more in our opinion paper.

Please find additional information in the article published in the Handelszeitung with Morgan Schaeffer.

If you have any further questions please contact:

Stephen O’Hearn
Global Insurance Leader
Tel. +41 58 792 20 11
stephen.ohearn(at)ch.pwc.com

Thomas Hull
Partner, Leader Actuarial Services
Tel. +41 58 792 25 10
thomas.hull(at)ch.pwc.com

Morgan Schaeffer
Director, Actuarial Services
Tel. +41 58 792 24 27
morgan.schaeffer(at)ch.pwc.com