31.12.2025

Cybercrime in Switzerland: a guide to protection, response and reporting for business

By Markus Pritzker

Swiss Business Lawyer & Corporate Formation Specialist. Off-counsel at SwissFirma network.

Disclaimer: This information is for general guidance only and does not constitute legal, tax or financial advice. We accept no responsibility for any loss or damage arising from reliance on this information.

Cybercrime in Switzerland is no longer a distant threat—it is a daily business reality. In 2024, Switzerland recorded 59,034 digital offenses, more than double the 2020 figure. Phishing attacks rose 56.2%, and phishing sites increased 108% year-on-year (SMG Swiss Marketplace Group, 2025). For companies operating in or entering the Swiss market, understanding how to protect your operations, respond to incidents and comply with reporting obligations is essential for survival and growth.

This guide provides a step-by-step action plan for businesses facing cyber threats in Switzerland. You will learn how to contain an attack, whom to notify under Swiss law, what preventive measures to implement and how to navigate the evolving regulatory landscape. Whether you run an e-commerce platform, a tech startup or an established enterprise, this material will help you build resilience against ransomware, phishing, data breaches and emerging AI-powered threats.

How to report cybercrime in Switzerland: a step-by-step guide

You have been hit by a cyberattack. Do not panic. Act fast and follow the correct procedure. This step-by-step plan will help you minimize damage and report the incident to the appropriate Swiss authorities in compliance with legal requirements.

Step 1: immediate actions to contain the threat

The first minutes after detecting an attack determine how far the damage will spread. Rapid isolation of affected systems is critical to stop lateral movement of the threat.

  • Isolate affected systems: Disconnect compromised computers from the network to prevent malware propagation. Do not shut down devices—preserve volatile memory for forensic evidence.
  • Change passwords immediately: Use an unaffected device to reset credentials for critical accounts, especially those with administrative privileges.
  • Document everything: Take screenshots of ransom notes, suspicious emails and system states. Record timestamps, IP addresses and any unusual network activity. Preserve logs and volatile memory (RAM) for forensics; retention periods should follow your internal policy and applicable Swiss regulatory or contractual requirements.
  • Block command-and-control servers: If your IDS/IPS identifies malicious IP addresses or domains, block them immediately to cut off attacker control.

Step 2: where and what to report? (NCSC vs. police vs. FDPIC)

The choice of authority depends on your goal: technical analysis, criminal prosecution or compliance with data protection law.

Authority: National Cyber Security Centre (NCSC)
  • When to contact: For technical analysis, recommendations and if you are unsure of the attack type. This is your first contact point. From 1 April 2025, critical infrastructure must report to NCSC within 24 hours; sanctions apply from 1 October 2025 (SPIE Switzerland, 2025).
  • Purpose: Technical assistance, threat intelligence, mandatory reporting for critical sectors (energy, health, transport, public administration).
  • Link to form/contact: NCSC Cyber Security Hub or email form on NCSC website

Authority: Cantonal police (Kantonspolizei)
  • When to contact: If you have suffered financial loss and want to initiate a criminal investigation. Report in parallel with or after NCSC notification.
  • Purpose: Criminal prosecution, evidence collection for legal proceedings.
  • Link to form/contact: Contact your cantonal police (e.g., Basel-Stadt online form, Bern Cantonal Police)

Authority: Federal Data Protection and Information Commissioner (FDPIC)
  • When to contact: Mandatory if a personal data breach has occurred that poses a high risk to the rights and freedoms of affected individuals (under the revised Federal Act on Data Protection, FADP, effective 1 September 2023).
  • Purpose: Compliance with data protection law, notification of data subjects if required.
  • Link to form/contact: FDPIC notification form

Source: Information sheet on reporting obligation for cyberattacks on critical infrastructure, Federal Council/NCSC, 5 August 2025; Federal Act on Data Protection (revDSG), 2020/2023.

"From 1 April 2025, critical infrastructure must report to NCSC within 24 hours of discovery; sanctions apply from 1 October 2025." — SPIE Switzerland, 2025

Where to report?

Select the authority based on your primary objective.

  • Technical analysis (goal: mitigation): NCSC. Contact for technical assistance, threat intelligence, and mandatory reporting for critical infrastructure (24h deadline).
  • Criminal law (goal: prosecution): Cantonal Police. Contact if financial loss occurred and you wish to initiate criminal proceedings and evidence collection.
  • Data protection (goal: compliance): FDPIC. Mandatory if a personal data breach poses high risk to individuals' rights. Fines up to CHF 250k for non-compliance.

Step 3: what information to prepare for the report

Authorities require structured, factual data to assess the incident and coordinate response. Prepare the following:

  • Timestamps: When was the attack discovered? When did it likely begin? Timeline of events.
  • Affected systems and services: List of compromised servers, workstations, applications and data repositories.
  • Technical indicators: IP addresses, domain names, file hashes, malware samples, network and system logs.
  • Scope and impact: Number of affected users/systems, duration of service downtime, types of data exfiltrated or encrypted.
  • Evidence: Screenshots of ransom notes, phishing emails, transaction records, any communication with attackers.
  • Mitigation actions taken: Steps already implemented to contain the threat and restore operations.
  • Contact details: Designated incident response contact, legal entity identifiers, sector classification (for critical infrastructure).
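
The "Document everything" step and the technical indicators and evidence listed above are only useful to authorities if you can show the files were not altered after collection. The following Python script is an added example, not part of the original guide: it records a SHA-256 manifest for a folder of collected evidence and re-checks the folder against it later. The function names, the `collected_by` field and the sample files are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large log archives or memory dumps do not fill RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root):
    """Relative POSIX paths of all regular files under root, sorted."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def build_manifest(evidence_dir, collected_by):
    """Record size, last-modified time (UTC) and SHA-256 for every evidence file."""
    root = Path(evidence_dir)
    files = []
    for rel in list_files(root):
        stat = (root / rel).stat()
        files.append({
            "path": rel,
            "size": stat.st_size,
            "modified_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(root / rel),
        })
    return {
        "collected_by": collected_by,  # hypothetical field: who gathered the evidence
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(evidence_dir, manifest):
    """Compare the folder with the manifest; report missing, modified and unlisted files."""
    root = Path(evidence_dir)
    recorded = {entry["path"]: entry["sha256"] for entry in manifest["files"]}
    present = set(list_files(root))
    result = {"missing": [], "modified": [], "unlisted": sorted(present - set(recorded))}
    for rel, digest in sorted(recorded.items()):
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(root / rel) != digest:
            result["modified"].append(rel)
    return result


if __name__ == "__main__":
    # Constructed sample evidence, written to a temporary folder for the demo.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "firewall.log").write_text(
            "2025-01-01T00:00:00Z DENY 192.0.2.10 -> 198.51.100.5:443\n")
        (root / "ransom_note.txt").write_text("constructed sample note\n")
        manifest = build_manifest(root, collected_by="incident-response-lead")
        # Store the manifest outside the evidence folder, ideally on write-once media.
        print(json.dumps(manifest, indent=2))
        (root / "logs" / "firewall.log").write_text("edited after collection\n")
        print(verify_manifest(root, manifest))
```
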

The cybercrime landscape in Switzerland: key statistics for businesses

Cybercrime in Switzerland is not a hypothetical risk—it is an escalating reality. According to the latest data from the Swiss Federal Statistical Office and the National Cyber Security Centre, the number of attacks is rising, financial losses are mounting and businesses are the primary targets. Understanding the statistics and trends is the first step toward building effective defenses.

In 2024, Switzerland recorded 59,034 digital offenses, more than double the 2020 level. Over 90% of these incidents involved hacking, fraud and phishing. The NCSC received approximately 63,000 voluntary incident reports in 2024, nearly double the 2023 figure. Phishing attacks rose 56.2% in 2024; antiphishing.ch identified 20,872 sites (+108% YoY) (SMG Swiss Marketplace Group, 2025).

Ransomware remains a critical threat. In the first half of 2025, 57 ransomware cases were reported, primarily targeting companies and organizations—up from 44 in the first half of 2024. Groups such as Akira, LockBit and Black Basta continue to exploit vulnerabilities in Swiss firms. Ransomware accounted for 52% of global cyberattacks in 2024 (SPIE Switzerland, 2025). Switzerland ranks ninth in Europe for cyberattack frequency (Jul 2024–Jun 2025 telemetry) (Microsoft, 2025).

DDoS attacks by pro-Russian and pro-Palestinian hacktivists disrupted Swiss business websites and government portals throughout 2024 and early 2025. Targeted defenses were deployed during high-profile events such as the World Economic Forum and the Eurovision Song Contest to prevent service outages.

Source: NCSC Semi-Annual Report 2025/1, 2025; Swiss Federal Statistical Office via SMG, 24 March 2025; Microsoft Digital Defense Report, telemetry July 2024–June 2025.

Main types of cyber threats for Swiss business

Cyber threats targeting Swiss companies fall into several categories: attacks on systems and data, deception and fraud, threats to people and reputation, and high-stakes espionage. Each category requires specific defenses and awareness.

Attacks on systems and data: hacking, malware and data breaches

Hacking involves unauthorized access to systems, often through exploitation of software vulnerabilities or weak credentials. Once inside, attackers deploy malware—malicious software designed to steal data, disrupt operations or establish persistent backdoors. Ransomware, a subset of malware, encrypts critical files and demands payment for decryption keys. In many cases, attackers exfiltrate data before encryption and threaten to publish it if the ransom is not paid.

Data breaches occur when sensitive information—customer records, financial data, intellectual property—is accessed or disclosed without authorization. Under the revised Swiss Federal Act on Data Protection (FADP), companies must notify the Federal Data Protection and Information Commissioner (FDPIC) "without delay" if a breach poses a high risk to individuals' rights and freedoms. For intentional failure to report a data breach that requires notification, responsible individuals may face fines up to CHF 250,000.

Real-world impact in Switzerland:

  • Radix (June 2025): Ransomware attack led to the publication of approximately 1.3 terabytes of data, affecting several federal offices. NCSC conducted an analysis to determine the operational impact on government services.
  • Xplain (June 2023): The Play ransomware group encrypted data belonging to a supplier for emergency response services. After the company refused to pay, attackers published stored data, affecting the Federal Customs and Border Security Service and requiring NCSC and police intervention.
  • Ascom (March 2025): Compromise of Jira infrastructure resulted in the theft of approximately 44 GB of data, affecting operational support units and requiring investigation and recovery of workflows.

Source: Switzerland government statement, 30 June 2025; BleepingComputer report, 30 June 2025; Federal Office for Customs and Border Security announcement, 2023; Ascom public confirmation, 19 March 2025.

Operational disruption from such attacks can halt production, delay customer deliveries and damage trust. Swiss companies in pharmaceuticals, finance and technology—sectors with high-value data—are particularly vulnerable.

Deception and fraud: phishing, identity theft and information stealing

Phishing attacks use fraudulent emails, messages or websites to trick employees into disclosing credentials, downloading malware or transferring funds. Spear phishing is a targeted variant: attackers research specific individuals or organizations to craft personalized, convincing messages. Business Email Compromise (BEC) involves spoofing or compromising legitimate corporate email accounts to request invoice redirection or wire transfers.

Phishing attacks rose 56.2% in 2024; antiphishing.ch identified 20,872 sites (+108% YoY) (SMG Swiss Marketplace Group, 2025).

Identity theft occurs when attackers steal personal or corporate credentials to commit fraud, open accounts or access systems. Information stealing malware captures keystrokes, browser data and stored passwords, enabling further attacks.

Employee training is critical. A single click on a malicious link can compromise an entire network. Regular simulations of phishing attacks, combined with clear protocols for verifying unusual requests, reduce the risk of successful social engineering.
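
The BEC pattern and the verification protocol described above can be supported by a simple mail triage step. The following Python code is an added example, not part of the original guide: it flags payment-change emails using the Reply-To header, a lookalike-domain check, the `Authentication-Results` DMARC verdict and a keyword scan. The supplier allow-list, the keyword list, the flag names and all three messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: domains of suppliers you already pay.
KNOWN_SUPPLIER_DOMAINS = {"supplier.example"}
PAYMENT_TERMS = ("iban", "bank details", "new account", "wire transfer")


def sender_domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message, known_domains=KNOWN_SUPPLIER_DOMAINS):
    """Return the list of warning flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"])
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("REPLY_TO_MISMATCH")
    if from_dom not in known_domains and any(
            edit_distance(from_dom, d) <= 2 for d in known_domains):
        flags.append("LOOKALIKE_DOMAIN")
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if "dmarc=pass" not in auth:
        flags.append("DMARC_NOT_PASS")
    text = f"{msg['Subject'] or ''}\n{msg.get_payload()}".lower()
    if any(term in text for term in PAYMENT_TERMS):
        flags.append("PAYMENT_CHANGE_REQUEST")
    return flags


def needs_callback(flags):
    """Any payment-detail change goes to phone verification, whatever the headers say."""
    return "PAYMENT_CHANGE_REQUEST" in flags


def make_message(headers, body):
    return "\n".join(headers) + "\n\n" + body


# Constructed samples: a spoofed lookalike, a routine invoice, a compromised real account.
SPOOFED = make_message([
    "From: Accounts <billing@suppiier.example>",
    "Reply-To: billing@payments-desk.example",
    "Subject: Urgent: updated bank details for invoice 1042",
    "Authentication-Results: mx.buyer.example; spf=pass; dmarc=none",
], "Please use our new IBAN for all future payments.")
ROUTINE = make_message([
    "From: Accounts <billing@supplier.example>",
    "Subject: Invoice 1043",
    "Authentication-Results: mx.buyer.example; spf=pass; dkim=pass; dmarc=pass",
], "Invoice 1043 is attached. Payment terms are unchanged.")
COMPROMISED = make_message([
    "From: Accounts <billing@supplier.example>",
    "Subject: Invoice 1044",
    "Authentication-Results: mx.buyer.example; spf=pass; dkim=pass; dmarc=pass",
], "Please note our bank details have changed; see the attached letter.")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("routine", ROUTINE), ("compromised", COMPROMISED)):
        flags = triage(raw)
        print(name, flags, "callback required" if needs_callback(flags) else "no callback")
```

The third sample passes every header check because it comes from the real, compromised mailbox, which is why the phone callback is triggered by the request itself rather than by the header flags.
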

High-stakes threats: intellectual property theft and cyber terrorism

Cyber espionage targets intellectual property, trade secrets and proprietary research—assets that define competitive advantage. Swiss industries such as pharmaceuticals, finance and advanced manufacturing are prime targets for state-sponsored and criminal actors seeking to steal innovations, client lists or strategic plans.

In 2024, hackers stole confidential data from Concevis, a software provider for the Swiss Federal Government, including operational government data. After the company refused to pay a ransom, attackers threatened to publish the data on the dark web. A second incident in 2024 involved Xplain, where stolen government-related data was published after an attack in May.

Cyber terrorism—attacks on critical infrastructure with the intent to cause widespread disruption or harm—remains a lower-probability but high-impact risk. Swiss authorities have strengthened defenses for energy, water, transport and telecommunications sectors, but businesses in these areas must maintain vigilance.

Preventive measures: how to protect your business

The best defense against cybercrime is prevention. A comprehensive protection strategy rests on three pillars: technology, processes and people. Each layer reinforces the others, creating resilience against evolving threats.

Only 42% of Swiss SMEs feel protected; 4% were hit by attacks in the past three years (digitalSwitzerland, 2025).

Technical protection: the foundation of your security

  • Endpoint Detection and Response (EDR): Continuous monitoring of endpoints (workstations, servers, mobile devices) to detect and respond to malicious behavior in real time. EDR tools provide endpoint telemetry and response workflows; align processes with NIST SP 800-61r3 and implement relevant 800-53/800-171 controls.
  • Next-Generation Firewalls (NGFW): Network perimeter and segment control that enforces policy across layers; maintain TLS inspection, IPS, and segmentation.
  • 3-2-1 Backup Rule: Maintain at least three copies of data on two different media, with one copy stored off-site or in an immutable/air-gapped environment. Formalized in CISA and NIST guidance as required practice for resiliency, 2021–2023.

Standard Protocol: The 3-2-1 Rule (resiliency)

    3 copies of data: Maintain the primary data plus at least two additional copies.

    2 different media: Store copies on different storage types (e.g., local server and tape/SSD).

    1 off-site / immutable: Keep one copy geographically separated or air-gapped against ransomware.

  • Multi-Factor Authentication (MFA): Require two or more authentication factors (something you know, have or are) to authenticate users. Mandated or recommended in NIST SP 800-63B (Digital Identity Guidelines—Authentication and Lifecycle) and ENISA authentication guidance, 2017–2023.

Source: NIST, USA; CISA, USA; ENISA, EU.
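
The 3-2-1 rule above can be checked mechanically against a backup inventory. The following Python code is an added example, not part of the original guide: it groups stored copies by dataset and reports which clause of the rule each dataset fails. The inventory fields, the finding codes and the 90-day restore-test threshold are assumptions made for illustration; the sample inventory is constructed.

```python
from collections import defaultdict
from datetime import date


def record(dataset, role, media, site, immutable=False, air_gapped=False, tested=None):
    """One stored copy of a dataset (hypothetical inventory schema)."""
    return {"dataset": dataset, "role": role, "media": media, "site": site,
            "immutable": immutable, "air_gapped": air_gapped, "last_restore_test": tested}


# Constructed sample inventory.
INVENTORY = [
    record("erp-db", "primary", "san", "zurich"),
    record("erp-db", "backup", "nas", "zurich"),
    record("erp-db", "backup", "object-storage", "geneva", immutable=True,
           tested=date(2025, 11, 20)),
    record("file-share", "primary", "nas", "basel"),
    record("file-share", "backup", "nas", "basel"),
    record("file-share", "backup", "nas", "basel"),
    record("hr-records", "primary", "san", "zurich"),
    record("hr-records", "backup", "tape", "zurich", air_gapped=True,
           tested=date(2025, 3, 1)),
]


def check_321(inventory, today, max_test_age_days=90):
    """Return {dataset: [finding codes]}; an empty list means the dataset passes."""
    by_dataset = defaultdict(list)
    for item in inventory:
        by_dataset[item["dataset"]].append(item)

    report = {}
    for name, items in sorted(by_dataset.items()):
        findings = []
        backups = [c for c in items if c["role"] == "backup"]
        primary_sites = {c["site"] for c in items if c["role"] == "primary"}

        # "3": the primary plus at least two additional copies.
        if len(items) < 3:
            findings.append("COPIES")
        # "2": copies spread over at least two storage types.
        if len({c["media"] for c in items}) < 2:
            findings.append("MEDIA")
        # "1": at least one backup off-site, immutable or air-gapped.
        if not any(c["site"] not in primary_sites or c["immutable"] or c["air_gapped"]
                   for c in backups):
            findings.append("OFFSITE")
        # Assumption: a restore test within max_test_age_days counts as regular testing.
        tests = [c["last_restore_test"] for c in backups if c["last_restore_test"]]
        if not tests or (today - max(tests)).days > max_test_age_days:
            findings.append("RESTORE_TEST")
        report[name] = findings
    return report


if __name__ == "__main__":
    for dataset, findings in check_321(INVENTORY, today=date(2025, 12, 31)).items():
        print(dataset, "OK" if not findings else "FAILS: " + ", ".join(findings))
```
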

Organizational measures: from plan to control

  • Incident Response Plan (IRP): A documented, step-by-step procedure for detecting, registering, responding to and analyzing cyber incidents. The plan should define roles, resources, escalation paths and communication protocols. Developed in collaboration with SOC teams and senior management, tested regularly and updated after each incident.
  • Cybersecurity Policies: Establish clear policies for data handling, access control, acceptable use of IT resources and vendor management. Policies must be communicated to all employees and enforced consistently.
  • Principle of Least Privilege (PoLP): Grant users and systems only the minimum access rights necessary to perform their functions. Regularly review and revoke unnecessary permissions to limit the impact of compromised accounts.
  • Vendor and Supply Chain Risk Management: Assess the cybersecurity posture of third-party suppliers and partners. Require contractual commitments to security standards and conduct periodic audits.

The human factor: your first line of defense

  • Regular Training and Phishing Simulations: Conduct mandatory cybersecurity awareness training for all employees at least annually. Run simulated phishing campaigns to test and reinforce vigilance.
  • Cyber Hygiene Rules: Enforce strong, unique passwords for all accounts. Require password managers. Educate employees on the risks of public Wi-Fi and the importance of verifying sender identities before clicking links or opening attachments.
  • Verification Protocols for Financial Requests: Implement a dual-verification process for all unusual or urgent financial transactions. Require verbal confirmation via a known phone number before executing wire transfers or changing payment details.

Case studies of attacks on Swiss companies and lessons learned

Theory is important, but real examples speak louder. Below are two cases of cyberattacks on Swiss companies and the key lessons that can be drawn from them.

Case 1: Qilin ransomware attack on Habib Bank AG Zurich

Situation: In November 2024, the Qilin ransomware group targeted Habib Bank AG Zurich, a financial institution with 587 branches and 7,904 employees, generating USD 750 million in annual revenue. The attackers exfiltrated approximately 2.5 terabytes of data, including 2 million files containing passports, account details and internal documents.

Action: The bank's incident response team isolated affected systems and engaged forensic specialists. However, the attackers had already exfiltrated the data before encryption. The bank notified regulators and affected customers.

Result: Customer data was compromised, requiring notification under FADP. The bank faced reputational damage and regulatory scrutiny. The incident highlighted the need for stronger data repository protection and network segmentation to prevent lateral movement.

Lesson: Strengthen defenses around data storage systems. Implement zero-trust architecture and monitor for unusual data access patterns. Ensure backups are immutable and tested regularly.

Source: Infowatch, Cybernews, 2024.

Case 2: account takeover at Cyberhaven

Situation: On 25 December 2024, hackers compromised an administrator account at Cyberhaven, a cybersecurity company. The attackers used the access to distribute a malicious update to the company's Chrome browser extension.

Action: After detecting the malicious code, Cyberhaven immediately removed the extension from the Chrome Web Store and notified users. The company conducted a forensic investigation to determine the scope of the compromise.

Result: The malicious update was distributed to users before detection, potentially exposing their data. The incident was contained, but trust in the product was temporarily damaged.

Lesson: Segment administrative access and implement strict controls for software distribution pipelines. Use code signing and automated integrity checks to detect unauthorized changes before deployment.

Source: ITSec.ru, 28 December 2024.

Future cyber threats: what businesses should prepare for

The cyber threat landscape is evolving rapidly. Businesses must anticipate and prepare for emerging risks to maintain resilience.

AI-powered threats

Artificial intelligence is transforming both defense and offense in cybersecurity. Attackers use generative AI to create convincing phishing emails without grammatical errors, produce deepfake audio and video of executives to authorize fraudulent transactions, and automate the discovery of vulnerabilities in target systems.

45% of Swiss firms rate AI cyber risks 'rather high'; over 40% faced AI-enabled fraud (SECO/KMU.admin.ch, 2025).

Recommendation: Invest in AI-powered defense tools that can detect anomalies in communication patterns and user behavior. Train employees to verify unusual requests through secondary channels, even if they appear to come from trusted sources.

Supply chain attacks

Supply chain attacks compromise suppliers or components to inject malware into trusted software or hardware, affecting all downstream customers. These attacks are particularly dangerous for interconnected economies like Switzerland's, where cascade failures in finance, pharmaceuticals or logistics can have widespread impact.

The SolarWinds Orion attack in 2020 remains the most prominent example: hackers inserted malware into software updates, affecting over 18,000 organizations worldwide. In 2025, supply chain attacks are expected to rise, with attackers using legitimate supplier credentials to access client networks.

Recommendation: Conduct thorough due diligence on all third-party vendors. Require security certifications and contractual commitments to incident notification. Implement network segmentation to limit the impact of a compromised supplier.

Risks related to the Internet of Things (IoT)

The proliferation of IoT devices in corporate environments—sensors, controllers, cameras, smart building systems—creates new attack surfaces. Many IoT devices have weak default passwords, unpatched firmware and limited security controls, making them easy targets for attackers.

Compromised IoT devices can be recruited into botnets for DDoS attacks, cryptocurrency mining or data theft. Vulnerabilities in industrial IoT (IIoT) devices can lead to equipment failure, production stoppages and safety incidents.

Recommendation: Inventory all IoT devices on your network. Change default passwords, apply firmware updates promptly and isolate IoT devices on separate network segments. Monitor IoT traffic for anomalies and disable unnecessary external access.

81.6% of Swiss companies expect cybercrime to surge by 2026; mitigation is a top priority (SECO/KMU.admin.ch, 2025).

  • Is it legally mandatory to report a cyberattack in Switzerland?

    Reporting the attack itself to NCSC or police is strongly recommended but not always mandatory. However, under the revised Federal Act on Data Protection (FADP, effective 1 September 2023), you must notify the Federal Data Protection and Information Commissioner (FDPIC) if a personal data breach occurs that poses a high risk to the rights and freedoms of affected individuals. Data processors must notify data controllers "as soon as possible" after discovering a breach.

    Source: Federal Act on Data Protection (revDSG), 2020/2023.

  • What is the difference between reporting to NCSC and filing a police report?

    NCSC is your technical partner. They analyze the attack, help contain the threat and collect statistics to protect others. Police are the authority for criminal prosecution. You contact them to open a case and attempt to identify and prosecute the perpetrators, especially when financial loss has occurred. For critical infrastructure, reporting to NCSC within 24 hours is mandatory from 1 April 2025 (SPIE Switzerland, 2025).

  • What penalties does FADP impose for failing to report a data breach?

    For intentional failure to report a data breach that requires notification, responsible individuals may face fines up to CHF 250,000. The law assigns duties to data controllers and processors, and enforcement focuses on administrative measures (orders, injunctions) while prosecution of individuals relies on applicable criminal law provisions.

    Source: Federal Act on Data Protection (revDSG), 2020/2023.

  • Does standard business insurance cover damage from cybercrime?

    No. Standard business insurance policies in Switzerland typically exclude cyber risks such as data theft, system encryption and business interruption caused by cyberattacks. You need a separate cyber insurance policy to cover these losses. Cyber insurance typically covers data loss, website downtime, phishing, encryption, infrastructure hacks, business interruption and third-party liability.

    Consult with your insurance broker to assess your exposure and obtain appropriate coverage.

  • How often should we conduct employee cybersecurity training?

    At least annually for all employees, with quarterly refreshers for high-risk roles (finance, IT, executive assistants). Phishing simulations should run monthly to maintain awareness and test response protocols.

  • What is the average cost of a data breach for Swiss companies?

    While costs vary by sector and breach size, Swiss companies typically face direct costs (forensics, legal, notification) of CHF 50,000–500,000 for mid-sized incidents, plus indirect costs (reputation damage, customer churn, regulatory fines) that can exceed direct costs by 2–3 times.

  • Can we negotiate with ransomware attackers?

    Swiss authorities and cybersecurity experts strongly advise against paying ransoms. Payment does not guarantee data recovery, funds criminal operations and marks your organization as a willing payer for future attacks. Focus on prevention, backups and incident response instead.

  • How long should we retain incident logs and forensic evidence?

    Retain incident logs for at least 12 months to support investigations and regulatory inquiries. For incidents involving personal data breaches or criminal prosecution, retain evidence until the case is closed and any appeal periods have expired. Consult legal counsel for specific retention requirements.

  • What is zero-trust architecture and do we need it?

    Zero-trust architecture assumes no user or device is trusted by default, even inside the network perimeter. Every access request is verified, authenticated and authorized. For organizations handling sensitive data or operating in regulated sectors, zero-trust is increasingly essential to prevent lateral movement after initial compromise.

  • How do we assess third-party vendor cybersecurity risks?

    Require vendors to complete security questionnaires covering data handling, access controls, incident response and compliance certifications (ISO 27001, SOC 2). Conduct periodic audits, review insurance coverage and include breach notification clauses in contracts. Prioritize vendors based on data sensitivity and access level.

  • What should we do if we suspect an insider threat?

    Document suspicious behavior without alerting the individual. Engage HR and legal counsel immediately. Review access logs, monitor communications (within legal limits) and restrict access to sensitive systems if warranted. Insider threats require careful handling to preserve evidence and avoid wrongful termination claims.

  • How can we test our incident response plan?

    Conduct tabletop exercises quarterly: simulate attack scenarios (ransomware, data breach, DDoS) and walk through response steps with key stakeholders. Run full-scale simulations annually, including technical teams, legal, PR and executive leadership. Document gaps and update the plan after each exercise.

  • What is the role of cyber insurance in our security strategy?

    Cyber insurance is a risk transfer mechanism, not a substitute for prevention. Policies typically cover forensic investigation, legal fees, notification costs, business interruption and third-party liability. Review policy exclusions carefully and ensure coverage aligns with your risk profile. Insurers often require minimum security controls (MFA, EDR, backups) as a condition of coverage.

  • How do we balance security and usability for employees?

    Implement security controls that minimize friction: single sign-on (SSO) with MFA, password managers, automated patch management and user-friendly security awareness training. Involve employees in security decisions and explain the rationale behind controls. Security that disrupts productivity will be circumvented.

  • What are the first signs of a ransomware attack?

    Early indicators include unusual file encryption activity, unexpected system slowdowns, disabled antivirus or backup software, ransom notes appearing on screens and inability to access files or systems. Rapid detection and isolation are critical to limit damage.
