Cyber or data incident
Seventy-two hours to decide. The decisions are the board’s.
Note
Notification references are to the revised nDSG, GDPR, and sectoral rules.
If the clock is running now, call directly.
An exfiltration of customer data is confirmed at 2 a.m. on a Saturday. A ransomware lock encrypts production systems Tuesday morning before the markets open. A forensics team flags that a months-long intrusion had quiet persistence on infrastructure the company did not realise was critical. The security team's work is under way from the moment of detection; the board's decisions have windows measured in hours, not weeks. Notification deadlines under the revised nDSG, under GDPR for EU data subjects, and under sectoral rules (FINMA for supervised institutions, EU DORA, in full application since 17 January 2025, for in-scope financial firms operating into the EU) run in parallel, each on its own clock. The Marchand mission-critical framing applies directly: a board that cannot evidence prior oversight of cyber risk is also the board being measured against the oversight failure now.
1. The duties that bear on this
Board-level oversight of cyber risk. Art. 716a(1)(2) OR on the organisation, and 716a(1)(5) on compliance supervision, reach cyber risk as a board matter in any company of meaningful digital exposure. The question in the post-incident period is not whether the board was supposed to oversee cyber; it is what the board’s prior oversight record will look like when read after the event.
Data-protection notifications under the revised nDSG. A breach of data security that is likely to result in a high risk to the personality or fundamental rights of the data subjects must be notified to the FDPIC as soon as possible (Art. 24 nDSG); the data subjects themselves must be informed where that is necessary for their protection or where the FDPIC requires it. There is no fixed statutory period: unlike GDPR's explicit 72-hour window, "as soon as possible" is open-ended, and Swiss practice treats the GDPR figure as an outer orientation point for high-risk breaches, not as an entitlement to wait. The nDSG has no administrative-fine regime; late or absent notification instead invites FDPIC investigation and binding orders, and wilful non-compliance with such an order is a criminal offence (Art. 63 nDSG). A notification under Art. 24 may be used in criminal proceedings against the notifying party only with its consent (Art. 24(6) nDSG), which removes one common argument for silence.
GDPR parallel obligations. Where the affected data subjects are in the EU and GDPR applies, the breach must be notified to the competent supervisory authority within 72 hours of the controller becoming aware of it (Art. 33 GDPR) and to the data subjects without undue delay where the risk to them is high (Art. 34 GDPR); penalty exposure is materially higher than under the Swiss regime. Art. 271 StGB (unauthorised acts for a foreign state) constrains the direct production of Swiss-held data to EU authorities in cross-border matters: evidence requests should be answered through the channels Swiss law provides, on counsel's advice, not by handing material over informally.
Sectoral rules. FINMA-supervised institutions have specific incident-reporting obligations; Swiss-listed companies may have SIX Listing Rules ad hoc disclosure triggers where the incident is price-sensitive; operators of critical infrastructure now also fall under the Information Security Act's duty to report cyberattacks to the federal cyber security office (BACS) within 24 hours of discovery, in force since 1 April 2025, and companies providing essential services may carry further sector-specific reporting requirements on top of that.
2. The process — first 72 hours
- Activate the incident-response team. If the team does not exist or has not been rehearsed, the first decision is who on the board sits with it.
- Engage external forensic and legal support. Route forensic work through counsel where possible to preserve privilege.
- Preserve. Isolate affected systems rather than powering them off, capture volatile memory and logs before anything is changed, and do not rebuild systems until forensic work is complete in the affected scope. Reimaging, wiping, or running an attacker-supplied decryptor before forensic capture destroys evidence that cannot be recreated; it is a common error and an irreversible one.
- Scope: who is affected, what data, what systems, what is the dwell time, what is the vector. Premature scope statements externally become factual commitments.
- Decide notifications: FDPIC under nDSG; EU supervisors under GDPR; FINMA if regulated; customers where material; SIX if listed and price-sensitive. Each has its own clock.
- Communications: internal (employees), external (customers, counterparties, regulators, press). Messages must be coordinated across geographies and regulators; inconsistent statements between jurisdictions become discovery exhibits.
- Board or emergency-committee meetings: convene within hours; decisions on cooperation, public posture, remediation direction must be formally taken by the competent body.
- Decide on ransom. The ransom decision is the board’s, taken on advice — not the CEO’s to make alone. Legal, insurance, and sanctions implications each bear.
3. Questions to ask the incident team and counsel
- What do we know, with what confidence, about scope — data affected, systems affected, dwell time, vector?
- Who is affected, by jurisdiction, and which notification regimes does that trigger?
- What is our absolute deadline for each notification, and what is our plan to meet each?
- What is the forensic preservation status, and is there any restoration activity that might compromise evidence?
- Is there a ransom demand, and if so, what is the payment analysis — legal, regulatory, insurance, sanctions, efficacy?
- What is our cyber-insurance response, and what are the policy conditions we must meet to preserve coverage?
- What is the litigation and regulatory exposure on an expected and worst-case basis?
- Is our prior oversight record sufficient to defend against an ex post Marchand-type pleading?
- What is our communications posture, and who is the spokesperson?
- What is our recovery timeline, and what is the business-continuity exposure?
4. The record to leave
The incident log with timestamps; the forensic engagement and preservation record; the notification decisions and their delivery confirmations; the board or committee minutes on each material decision taken; the communications record (internal and external); the cyber-insurance notifications and responses; and — when the dust settles — the lessons-learned review and the remediation roadmap. The record built in the first seventy-two hours is what subsequent regulators, insurers, litigants, and courts will test the board’s response against.
5. Failure modes
Notification delay as the second offence. The notification obligation was triggered; the company chose to complete its investigation before notifying; the deadline lapsed. The regulator's enforcement action now combines the original breach with the subsequent non-notification, and the sanction is materially heavier. The error is avoidable: GDPR expressly allows notification in phases (Art. 33(4)), and FDPIC practice accepts an initial report supplemented as facts emerge. Report what is known, label what is suspected, and update.
Prior-oversight deficiency revealed. The incident is a serious breach; the board's prior minutes contain no substantive engagement with cyber risk. Plaintiffs plead a Marchand-type oversight failure; the Swiss route reaches the same outcome under Art. 716a OR, with liability under Art. 754 OR, and without the bad-faith gloss. The oversight question becomes a parallel liability track to the original incident.
Communications contradictions. Public statements made early — “a limited subset of customer data” — are contradicted by forensic findings a week later. The subsequent correction is more damaging than an initial statement calibrated to what was then known. The discipline is to say less, accurately.
Cognitive register. Cyber incidents produce cognitive load that drives two recognisable failure modes: panic and premature closure. Panic causes boards to issue early communications that make factual commitments the forensics do not yet support; what looks like transparent leadership in the moment becomes the discovery exhibit that proves the company said wrong things. Premature closure is the opposite pattern: the board accepts the first scope statement because it wants the problem to be small, and resists updates to that scope as evidence accumulates. The procedural discipline of saying less accurately, and of distinguishing what is known from what is suspected and what is still being investigated, is a response to both biases, and to the board's own tendency, under pressure, to want to appear in command by saying more than the facts warrant.
6. See also
- Board Duties in the Governance of AI Systems — the analogous mission-critical oversight framing
- Corporate Criminal Exposure — Art. 102 StGB exposure where the incident is criminally-rooted
- Commentary: Marchand v. Barnhill — mission-critical oversight
- Agenda: regulatory investigation opens
- Agenda: civil litigation commenced