Case study: “We got encrypted” — timeline of a Swiss SME facing a ransomware attack
Case study: “We got encrypted” — timeline of a small business in French-speaking Switzerland
Introduction
One Monday morning, the director of a small business in French-speaking Switzerland discovered that his servers were inaccessible. The files were encrypted. A ransom note appeared.
According to the Federal Office of Cybersecurity (OFCS), ransomware attacks are among the incidents regularly reported by Swiss companies (OFCS, Semi-annual Report, https://www.ncsc.admin.ch).
What exactly happens in the first few hours? What decisions fall to the manager? What is the role of the insurer? And what are the typical costs of such an event?
Here is a structured timeline, based on practices observed in incident management.
1. Hours 0 to 4: Detection and initial decisions
1.1 Observation of the infection
The systems are blocked. The workstations are displaying a ransom message. Production has stopped.
Immediate decisions:
• Isolate the systems from the network
• Suspend remote access
• Inform management
1.2 Activate the crisis cell
The leader must designate:
• A technical manager
• A communications manager
• An insurance contact person
The OFCS recommends reporting cyber incidents and provides reporting channels (OFCS, Incident Reporting, https://www.ncsc.admin.ch).
2. Hours 4 to 24: Experts and insurer
2.1 Notification to the cyber insurer
If cyber insurance is in place, rapid notification is essential. It triggers the activation of:
• Forensic experts
• Specialist lawyers
• Crisis communication consultants
2.2 Forensic Intervention
Experts analyze:
• Entry point
• Scope of encryption
• Possible data exfiltration
The objective is to determine whether personal data has been compromised. In the event of a data breach presenting a high risk, the Federal Data Protection Act requires notification to the Federal Data Protection and Information Commissioner (FDPIC; Art. 24 nDPA, https://www.fedlex.admin.ch).
Mini case study 1
The SME discovers that customer data was exfiltrated before encryption. The lawyer appointed by the insurance company assesses the obligation to notify the FDPIC and to communicate with the customers.
3. Days 2 to 5: Strategic trade-offs
3.1 To pay or not to pay?
Swiss authorities advise against paying ransoms, particularly because it offers no guarantee of full recovery (OFCS, Ransomware – recommendations, https://www.ncsc.admin.ch).
The leader must weigh:
• Ability to restore via backups
• Impact of a prolonged interruption
• Reputational risk
3.2 Gradual resumption
The technical teams proceed with:
• Restoring backups
• Reinstalling the workstations
• Strengthening access controls
Business interruption losses become a central issue.
4. Typical costs of a ransomware incident
The observed cost items include:
• Forensic intervention
• Legal assistance
• Crisis communication
• Business interruption
• System restoration
According to IBM Security's "Cost of a Data Breach" report (IBM, 2023, https://www.ibm.com/reports/data-breach), data breach incidents generate multiple costs, including investigation, notification, and business interruption. These costs vary significantly depending on company size and sector; no specific average for SMEs in French-speaking Switzerland has been published by an official Swiss source to date.
It is therefore prudent to approach the issue methodically rather than relying on a generic figure.
Mini case study 2
The SME hasn't tested its backups for several months. Restoration is taking longer than expected. The business interruption is prolonged, generating a significant financial impact. The cyber business interruption insurance is activated.
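Mini case study 2 turns on backups that were never test-restored. As an added example (not part of the original article), the Python sketch below runs a restore drill: it reads every file back out of a backup archive, compares it with SHA-256 hashes recorded at backup time, and checks the elapsed time against a tolerated duration. The file names, archive contents and the `max_seconds` target are constructed assumptions, and read-back time is only a lower bound on a real restore.

```python
import hashlib, io, tarfile, time, zlib

def sha256_stream(fh, chunk=1 << 20):
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def make_backup(files):
    """Constructed sample: build an in-memory tar.gz backup plus its manifest."""
    buf, manifest = io.BytesIO(), {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest

def restore_drill(archive_bytes, manifest, max_seconds):
    """Read each file back from the backup and compare it with the manifest."""
    start, seen, mismatched = time.monotonic(), set(), []
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                if sha256_stream(tar.extractfile(member)) != manifest.get(member.name):
                    mismatched.append(member.name)  # altered, or not in manifest
        readable = True
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        readable = False  # truncated or damaged archive
    elapsed = time.monotonic() - start
    missing = sorted(set(manifest) - seen)
    ok = readable and not missing and not mismatched and elapsed <= max_seconds
    return {"ok": ok, "readable": readable, "missing": missing,
            "mismatched": sorted(mismatched), "elapsed_s": round(elapsed, 3)}

if __name__ == "__main__":
    files = {"erp/orders.db": b"constructed rows\n" * 400,
             "shares/contracts.pdf": b"constructed document\n" * 300}
    archive, manifest = make_backup(files)
    print("healthy  :", restore_drill(archive, manifest, 4 * 3600))
    stale, _ = make_backup({"erp/orders.db": files["erp/orders.db"]})
    print("stale    :", restore_drill(stale, manifest, 4 * 3600))
    print("truncated:", restore_drill(archive[: len(archive) // 2], manifest, 4 * 3600))
```

Storing the manifest separately from the backup keeps the comparison meaningful if the backup storage itself is affected.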
5. Insurer relationship and governance
5.1 Role of the insurer
Cyber insurance is not just financial reimbursement. It often coordinates:
• Technical experts
• Specialist lawyers
• Communication consultants
5.2 Role of the leader
The leader remains the decision-maker:
• Strategic trade-off decisions
• Internal communication
• Prioritizing the recovery
Governance responsibility can also concern directors, particularly from a D&O perspective.
Box – What needs to be documented
• Precise chronology of events
• Logs and technical elements
• Decisions made and reasons behind them
• Exchanges with the insurer
• Communication with stakeholders
Actionable benchmarks and checklist
Phase | Key action | Responsible party
Detection | System isolation | IT
Notification | Insurer and authorities if required | Management
Analysis | Forensic mandate | Insurer/IT
Decision | Pay or restore | Management
Resumption | Controlled restoration | IT
Post-mortem | Analysis and improvement | Management
Common mistakes and how to avoid them
1. Waiting before isolating the systems.
2. Not notifying the insurer immediately.
3. Underestimating the actual recovery time.
4. Neglecting internal communication.
5. Omitting post-incident analysis.
Questions to ask your insurer/broker
1. What is the maximum notification period?
2. Who commissions the forensic experts?
3. Is business interruption covered without physical damage?
4. Are legal fees included?
5. Does the insurer coordinate crisis communication?
6. Is there a 24/7 hotline?
7. How is the business interruption loss calculated?
8. Are there any sub-limits specific to ransomware?
9. Does the coverage include digital extortion?
10. How can we improve our renewal profile?
Conclusion
A ransomware attack on a Swiss SME is not just an IT incident. It's a governance crisis.
The first few hours determine the financial and reputational impact. Structured cyber insurance provides coordination and expertise, but it does not replace the preparation or strategic decision-making of the leader.
Next step: formalize a clear incident response plan and test your backups before you need them.



