When a ransomware attack hit a mid-sized Swiss manufacturer in 2024, the board learned three things in rapid succession: the CEO had delegated all security decisions to IT, the company had no incident response plan, and under Art. 717 and 754 CO the board members faced personal liability for failing to manage a foreseeable risk. Their D&O insurer refused to cover the claim. Cybersecurity stopped being a technical problem years ago. It is a strategic leadership responsibility that directly affects the board of directors and executive management.

This article explains why cybersecurity belongs on the board agenda, which risks exist at the governance level, and what concrete responsibilities leaders carry in Switzerland.

The Problem: Business Risk, Not IT Risk

The traditional view of cybersecurity looks something like this:

Wrong assumption: “We have an IT department. They handle firewalls and antivirus. That’s their job.”

Reality: Cybersecurity is a business risk with financial, legal, operational, and reputational consequences. The IT department can implement technical measures, but it cannot decide which risk level is acceptable for the company. That’s a leadership decision.

Why Cybersecurity is a Business Risk

Cyber attacks don’t just affect IT systems. They have direct impacts on:

  • Revenue and cash flow: Production outages, delivery delays, customer attrition
  • Liability and legal consequences: Data breaches, contract violations, regulatory fines
  • Reputation: Loss of trust among customers, partners, and investors
  • Strategy: Delays or prevention of digitalization projects
  • M&A and financing: Cybersecurity incidents reduce company value and complicate financing

An example: A medium-sized Swiss company suffers a ransomware attack. Production stops. Customers cannot be supplied. Contractual delivery obligations are violated. Personal data is affected, so the FDPIC must be notified under the revDSG (and FINMA as well, if the company is a regulated institution). The incident becomes public and the media report on it.

Is this an IT problem or a business problem?

Obviously the latter. The IT department can respond technically, but the business consequences, communication, legal decisions, and strategic implications rest with the board.

Financial Impact: What Cyber Attacks Cost

Cybersecurity incidents are expensive. The costs are not hypothetical, they are real and measurable.

Direct Costs

  • Ransom: In ransomware attacks, ransoms between CHF 50,000 and several million francs are demanded
  • Recovery: Rebuilding IT systems, restoring data, commissioning external forensics
  • Production downtime: Every hour of standstill costs revenue
  • Legal costs: Lawyers, experts, settlements
  • Regulatory fines: Under the revDSG, intentional violations can lead to fines of up to CHF 250,000, directed at the responsible natural person rather than the company; FINMA-regulated companies additionally face enforcement proceedings and their costs

Indirect Costs

  • Customer attrition: Loss of trust leads to loss of business
  • Reputational damage: Long-term damage to the brand
  • Insurance premiums: Cyber insurance becomes more expensive or unavailable
  • Contracts: Customers or partners terminate contracts or demand improvements
  • M&A impact: Company value drops, deals fall through

Real Numbers from Switzerland

According to the Swiss Cyber Security Report 2024, a medium-severity cyber attack costs a Swiss SME on average CHF 500,000 to CHF 2 million. For larger companies, costs can reach double-digit millions.

A single successful attack can wipe out years of profitable work.

Legal Requirements: What Swiss Law Demands

In Switzerland, there are increasingly clear legal requirements for cybersecurity. These directly affect the board and executive management.

revDSG: Revised Data Protection Act

The revised Data Protection Act (revDSG), in force since September 2023, significantly tightens requirements.

Core obligations:

  • Data security: Appropriate technical and organisational measures to protect personal data, proportionate to the risk (Art. 8 revDSG); minimum requirements are set out in the Data Protection Ordinance
  • Notification obligation: Data security breaches that are likely to pose a high risk to the data subjects must be reported to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible; affected persons must be informed where this is necessary for their protection or where the FDPIC requires it (Art. 24 revDSG)
  • Privacy by Design and by Default: Data protection must be built into systems from the planning stage, with privacy-friendly default settings (Art. 7 revDSG)
  • Documentation: A register of processing activities must be maintained (Art. 12 revDSG); companies with fewer than 250 employees are exempt unless their processing carries a high risk

Sanctions:

  • Fines up to CHF 250,000 against the responsible natural person for intentional violations of specific duties (information, cooperation, minimum data security requirements; Art. 60–63 revDSG)
  • Liability is personal: the fine targets the individual who acted or failed to act; the company itself can be fined at most CHF 50,000, and only where identifying the responsible person would take disproportionate effort (Art. 64 revDSG)
  • Reputational damage through public disclosure of violations

Board responsibility:

The board must ensure the company is compliant. “We knew nothing about it” is not a defence. Ignorance does not protect against liability.

FINMA: Financial Market Supervisory Authority

For regulated financial institutions (banks, insurance companies, asset managers), additional FINMA requirements apply.

FINMA Circular 2023/1: Operational Risks and Resilience – Banks

This circular, in force since 1 January 2024, replaced FINMA Circular 2008/21 (Operational Risks – Banks), which had carried FINMA's cyber risk requirements since its 2016 revision. It applies to banks and securities firms; insurers and asset managers are held to comparable expectations under their own supervisory rules.

  • Cyber risk is managed as part of operational risk, with explicit requirements for governance, roles, and reporting lines
  • Board and executive management must understand and oversee the institution's cyber risk management and be informed about significant incidents
  • The institution must identify its critical functions and demonstrate operational resilience, including the ability to keep those functions running through a disruption
  • Regular vulnerability assessments and penetration tests are required, and an incident response capability must exist and be exercised
  • Cyber attacks must be reported to FINMA under Art. 29 para. 2 FINMASA, as specified in FINMA Guidance 05/2020: initial notification within 24 hours of detection, full report within 72 hours

Consequences of violations:

  • FINMA enforcement proceedings
  • Public disclosure of deficiencies
  • Measures against individuals: FINMA can issue an industry ban of up to five years against responsible persons (Art. 33 FINMASA)
  • Withdrawal of licence in extreme cases
  • Personal liability of board members and executives

Other Regulatory Developments

  • EU NIS-2 Directive: Member states had to transpose it by October 2024; Swiss companies with EU entities in the covered sectors are affected directly, and others indirectly through contractual requirements flowed down from EU customers
  • DORA (Digital Operational Resilience Act): Applies since 17 January 2025 to financial entities in the EU and to their ICT third-party providers, which brings in Swiss service providers to EU financial institutions
  • Information Security Act (ISG): Since 1 April 2025, operators of critical infrastructures in Switzerland must report cyber attacks to the Federal Office for Cyber Security (BACS) within 24 hours of discovery
  • Corporate Responsibility Initiative and Counter-proposal: The indirect counter-proposal (Art. 964a ff. CO) introduced non-financial reporting and supply chain due diligence; it does not name cybersecurity explicitly, but companies subject to it must report on the material risks of their business, which for most will include cyber risk

The regulatory landscape is continuously tightening. Ignorance is not an option.

Reputational Damage: Trust is Fragile

Cybersecurity incidents massively and permanently damage reputation.

How Trust is Lost

Customers, partners, and investors entrust companies with their data and their business. A cyber attack signals:

  • Incompetence: “The company doesn’t have its IT under control”
  • Negligence: “Security wasn’t taken seriously”
  • Unreliability: “Can we trust this partner?”

Media Coverage

Cybersecurity incidents are now regularly covered by media. Coverage is rarely favourable. Headlines like:

  • “Customer data from [company] found on dark web”
  • “Ransomware cripples [company]”
  • “[Company] violates data protection law, pays fine”

permanently damage the brand.

Long-term Consequences

  • Customer attrition: Especially in B2B, where cybersecurity is a selection criterion
  • Difficulty acquiring new customers: “They had that incident…”
  • Higher costs: Customers demand security audits, additional insurance, contractual penalties
  • Talent attrition: Good employees leave companies with damaged reputations

Swiss Specificity: Discretion is Expected

In Switzerland, special value is placed on discretion and reliability. A cybersecurity incident fundamentally violates this expectation. Reputational damage is therefore often more severe in Switzerland than in other markets.

Strategic Implications: Digitalization and Competitiveness

Cybersecurity is not only defensive (protection from harm) but also strategically relevant.

Digitalization Requires Cybersecurity

Companies are digitalizing processes, products, and business models. Cloud, IoT, AI, mobile apps, all create new attack surfaces.

Without cybersecurity, digitalization cannot succeed.

Examples:

  • Cloud migration: Without a clear security strategy, cloud creates new risks
  • IoT in production: Connected machines are entry points for attackers
  • Mobile apps: Customer data in apps must be protected
  • Home office: Distributed work models increase attack surface

Companies that ignore cybersecurity will fail in digitalization or take unnecessary risks.

Competitive Advantage Through Cybersecurity

Conversely: Companies that take cybersecurity seriously gain advantages:

  • Trust: Customers choose secure partners
  • Differentiation: “We take security seriously” becomes a USP
  • Efficiency: Well-secured systems run more stably
  • Innovation: Security from the start enables faster, more secure product development

M&A and Company Value

In company acquisitions, financing rounds, or IPOs, cybersecurity is increasingly examined.

Due diligence now includes:

  • Cybersecurity assessments
  • Penetration tests
  • Review of incidents and response capability
  • Compliance status (revDSG, FINMA, etc.)

Companies with poor cybersecurity posture:

  • Achieve lower sale prices
  • Experience deal cancellations
  • Must commit to improvements (with corresponding costs)

Board Responsibility: What Concretely Must Be Done

The board and executive management cannot and should not control technical details. Their responsibility lies at the strategic and governance level.

1. Understand Cyber Risks

The board must know the essential cyber risks of the company.

Concretely:

  • Which systems and data are critical for business?
  • What are the greatest threats (ransomware, data leaks, DDoS)?
  • How high is the probability of an attack?
  • What would be the financial and operational consequences?

Not required: Technical detailed knowledge about firewalls or encryption algorithms.

Required: Understanding of risks in business language.

2. Define Risk Tolerance

The board must decide which risk level is acceptable.

Questions:

  • How much are we willing to invest in cybersecurity?
  • Which residual risks are we willing to accept?
  • Which risks must be covered by insurance?
  • Which risks are unacceptable and must be eliminated?

These decisions are strategic and cannot be delegated.

3. Ensure Governance

The board must ensure cybersecurity is systematically managed.

Governance measures:

  • Clarify responsibilities: Who is responsible for cybersecurity? (CISO, CTO, management?)
  • Establish reporting: Regular reports on security status, incidents, tests
  • Policies and standards: Are security guidelines defined and enforced?
  • Incident Response Plan: Does a clear plan exist for how to respond to cyber attacks?
  • Budget: Are sufficient resources available for cybersecurity?

4. Ensure Compliance

The board must ensure legal and regulatory requirements are met.

Concretely:

  • revDSG: Are data protection measures implemented? Does a notification process for data breaches exist?
  • FINMA (if relevant): Are FINMA requirements met? Are cyber risks considered in risk management?
  • Industry-specific: Are there additional requirements (e.g., medical device law, critical infrastructure)?

5. Training and Awareness

The board must ensure employees are sensitized to cyber risks.

Why: A large share of successful intrusions begin with a human action: a phishing email that is opened, a password reused across services, a payment redirected on the strength of a forged instruction.

Measures:

  • Regular training for all employees
  • Special training for executives and finance staff (CEO fraud, whaling, payment diversion), with a standing rule that changes to payment or bank details are verified over a second channel
  • Tests (e.g., simulated phishing attacks), used to measure and improve the reporting rate rather than to shame individuals
  • Technical backstops, because training alone never brings the click rate to zero: phishing-resistant multi-factor authentication, least-privilege access, and offline or immutable backups that are tested by actually restoring from them

6. Tests and Audits

The board must ensure security measures are regularly tested.

Measures:

  • Penetration tests: Authorised testers attempt to compromise defined systems within an agreed scope and report what was exploitable and how far they got
  • Vulnerability assessments: Known weaknesses (missing patches, misconfigurations, exposed services) are identified with scanning tools, ranked by severity, and tracked to closure
  • Audits: Independent review of security measures against a recognised framework (e.g., ISO/IEC 27001, the NIST Cybersecurity Framework)
  • Incident response tests: Tabletop exercises in which the board and management walk through a realistic scenario, plus technical restore drills

Red team exercises, where a provider like RedTeam Partners simulates a realistic adversary end to end, test something a penetration test does not: whether the organisation detects and responds to an intrusion in progress. The board should ask for the result in those terms (how long the attacker went undetected, which decisions nobody was authorised to take, which escalation path did not work) rather than as a list of vulnerabilities.

7. Incident Response Preparation

The board must ensure the company is prepared for cyber attacks.

Concretely:

  • Does an incident response plan exist?
  • Are external partners (forensics, communication, legal) prepared?
  • Are communication plans for customers, media, authorities available?
  • Are emergency plans regularly tested?

In an emergency: The board must be able to decide quickly. This requires preparation.

Liability Risks: Personal Consequences

Board and management members are personally liable for breaches of duty.

Swiss Law: Corporate Liability

According to Art. 754 CO (Swiss Code of Obligations, OR), the members of the board of directors and all persons engaged in management or liquidation are liable to the company, shareholders, and creditors for damages caused by intentional or negligent breaches of their duties. Where several persons are liable, each is liable jointly and severally, but only to the extent the damage is attributable to them personally based on their fault and the circumstances (Art. 759 CO).

The Federal Supreme Court exercises restraint in second-guessing business decisions that were taken in a proper process, on an adequate information basis, and free of conflicts of interest. A board that regularly discusses cyber risk and records the information it relied on and the residual risk it accepted is therefore in a materially better position than one that never put the topic on the agenda.

Breaches of duty in the cybersecurity context:

  • Not taking appropriate security measures
  • Ignoring or not monitoring cyber risks
  • Not complying with legal requirements
  • Not responding to warnings
  • Not responding appropriately after an incident

Consequences:

  • Personal liability for resulting damages
  • Recourse claims from insurance companies
  • Criminal consequences for intentional acts

D&O Insurance: Not a Free Pass

Directors and Officers (D&O) insurance covers liability risks, but not unlimitedly.

Exclusions:

  • Intentional breaches of duty
  • Gross negligence (depending on policy)
  • Fines and penalties

Deductibles: Often significant, especially for cybersecurity incidents.

A D&O insurance does not replace the obligation to exercise appropriate care.

Practical Steps for the Board

What should the board concretely do to fulfill its responsibility?

Step 1: Put Cybersecurity on the Agenda

Cybersecurity must be regularly discussed by the board, not only during incidents.

Recommendation: At least quarterly updates on cybersecurity status.

Step 2: Commission Risk Assessment

Commission an independent risk assessment.

Questions:

  • Which systems and data are critical?
  • Where are the greatest vulnerabilities?
  • How high is the risk of a successful attack?
  • What would be the business consequences?

Step 3: Clarify Responsibilities

Appoint a person responsible for cybersecurity (CISO or equivalent).

Important: This person needs a mandate, a budget, and a direct line to executive management, with regular and unfiltered access to the board or its audit/risk committee. The role should not sit under the IT function whose decisions it is supposed to challenge, and its reports must not be edited by the functions they concern.

Step 4: Create Incident Response Plan

Ensure a plan exists for emergencies.

Content:

  • Who will be informed, and what counts as an incident that triggers the plan?
  • Who makes which decisions, including who may authorise disconnecting systems, halting production, or engaging with a ransom demand?
  • How will communication happen (internal, customers, media, authorities), over channels that still work when corporate email and chat are down or compromised?
  • Which external partners (forensics, legal, communications, cyber insurer) will be involved, and are they contracted before the incident?
  • Which notification deadlines apply (FDPIC as soon as possible under the revDSG; FINMA within 24 hours for regulated institutions; BACS within 24 hours for critical infrastructure operators), and who owns each?

Step 5: Train Employees

Invest in awareness programs for all employees.

Step 6: Plan Tests and Audits

Determine when and how security measures will be tested.

Recommendation:

  • Annual penetration tests
  • Quarterly phishing simulations
  • Annual audits of security measures

Step 7: Review Cyber Insurance

Review whether cyber insurance is appropriate.

Caution: Insurance doesn’t cover everything and doesn’t replace the obligation to take appropriate measures.

Swiss Context: Specificities

FINMA-Regulated Companies

Stricter requirements apply to banks, insurance companies, and other regulated financial institutions.

Specificities:

  • Explicit governance requirements
  • Notification obligations for significant incidents
  • Regular review by FINMA
  • Higher liability risks

SMEs: Also Relevant Without FINMA

Non-regulated SMEs are also affected.

Why:

  • revDSG applies to all companies processing personal data
  • Cyber risks hit SMEs particularly hard (fewer resources, higher relative costs)
  • Customers increasingly demand cybersecurity evidence, also from SMEs

Swiss Values: Trust and Discretion

In Switzerland, trust and discretion are central values, especially in the financial sector.

Implication: Cybersecurity incidents damage reputation particularly strongly in Switzerland.

A Leadership Responsibility

Cybersecurity is not a technical side issue handled in the IT department. It’s a strategic business risk that directly affects the board.

Summary:

  • Business risk: Cyber attacks threaten revenue, reputation, compliance, and strategy
  • Financial impact: Costs can reach millions
  • Regulatory obligations: revDSG, FINMA, and other regulations create clear responsibilities
  • Reputational damage: Loss of trust is difficult to repair
  • Strategic relevance: Digitalization requires cybersecurity
  • Personal liability: Board and management members are liable for breaches of duty

The board must:

  1. Understand cyber risks (in business language)
  2. Define risk tolerance
  3. Ensure governance
  4. Ensure compliance
  5. Promote training and awareness
  6. Commission tests and audits
  7. Prepare incident response

Cybersecurity is an executive responsibility. Ignorance is not a defence, and lack of knowledge does not protect against liability. The board that takes cybersecurity seriously not only protects the company but fulfils its legal and ethical obligations.

For a practical implementation roadmap, see our Cybersecurity for Swiss SMEs: The Complete Guide.


Transparency Note: This article was created with the support of AI technology and reviewed, supplemented, and finalised by the Alpine Excellence editorial team. All content meets Alpine Excellence editorial standards.