
Ransomware: The First 24 Hours – A Playbook for Swiss SMEs


The 24-hour reporting obligation to BACS is clearly defined by law. What companies actually need to do operationally during those 24 hours is not. Between the moment of discovery and the formal report lie decisions that determine the scale of damage, the recovery time, and the regulatory consequences. A practical guide to the first day after an incident.

Why the First Hours Decide Everything

Current Swiss cyber statistics show the scale of the problem. In 2024, BACS recorded around 63,000 cyber incidents – nearly double the previous year. Since the ISG reporting obligation came into force in April 2025, 264 attacks on critical infrastructure have been formally reported through February 2026 alone. Ransomware accounts for a substantial share of these.

Reading these statistics and concluding only “this is bad” misses the more important message: ransomware is no longer a theoretical risk but an operational normal. The question is no longer whether a company will be hit, but when – and more importantly, how well prepared it will be for that moment.

The difference between a well-managed incident and a disaster rarely lies in technical defense at the moment of attack. It lies in the decisions made in the hours afterward. Those who improvise aimlessly in these hours lose time, data, and freedom of action. Those who work according to a prepared procedure maintain control.

This guide describes what to do concretely in the first 24 hours after discovering a ransomware attack. It does not replace a complete incident response playbook, but it shows the critical steps and the typical mistakes that repeatedly occur in Swiss companies.

Hour 0 to 1: Detect and Isolate

The first sign of a ransomware attack is rarely the dramatic ransom note on the screen. More often it is suspicious patterns – files that suddenly cannot be opened, backups that fail, alerts from the endpoint protection system, users complaining about unusual computer behavior. In this phase there is no certainty yet, only suspicion.

The decisive mistake in this phase is waiting. “Let’s first check whether this is really a problem” typically costs hours in which the ransomware spreads unhindered. Modern ransomware variants encrypt in minutes, not hours.

The three immediate actions in the first hour:

First, disconnect affected systems from the network, but leave them powered on. Shutting down destroys volatile forensic data in RAM that can be critical for later analysis. Pulling network cables or disabling Wi-Fi is sufficient. Cloud connections, VPN tunnels, and remote desktop sessions should also be cut.

Second, protect backup systems. Ransomware groups now systematically target backups to make ransom payment unavoidable. If there is any suspicion that backups could be compromised, physically or logically separate them from the rest of the network. Offline backups are now more valuable than gold.

Third, inform IT leadership and executive management. Not later, not after initial analysis, but immediately. Executive management must be involved from the beginning because the upcoming decisions have financial, legal, and reputational dimensions that only they can make.

Hour 1 to 4: Triage and Escalation

Now suspicion becomes confirmed incident. The next three hours serve to assess damage and activate the right resources.

Determine scope: How many systems are affected? Which data holdings are encrypted or exfiltrated? Is Active Directory compromised? Are cloud systems affected? Answering these questions requires structured forensics, not speculation. Without knowledge of scope, all further decisions are guesswork.

Mobilize external help: Most Swiss SMEs do not have their own forensic specialists. The call to a specialized incident response provider belongs in this phase. Swiss providers such as InfoGuard, Kudelski Security, Compass Security, terreActive, or Redguard offer 24/7 response services, some with “on-demand” models that work without ongoing contract costs. Companies that only search for such a provider in the moment of crisis lose several hours to onboarding and legal framework negotiations. Ideally, the contract exists beforehand.

Activate legal counsel: Ransomware incidents have multiple legal dimensions – data protection (revFADP, GDPR), reporting obligations (ISG, FINMA for financial companies), contractual rights toward customers and suppliers, insurance questions. A lawyer with IT law expertise should be involved at this point at the latest, and again an existing relationship is ideal.

Form the crisis team: a small, clearly defined group with clear roles: incident commander, technical lead, communications lead, legal lead, executive management contact. In Swiss SMEs these roles often overlap – more important than clean separation is that each role is explicitly named and everyone knows who can make which decisions.

Hour 4 to 12: Forensics and Evidence Preservation

These hours are about establishing facts that will later be relevant both operationally and legally.

Create forensic images of affected systems before anything is restored. These images form the basis for the analysis of how the attacker entered the system, which tools were used, and what data may have been exfiltrated. Without this forensic evidence, the later BACS report is incomplete and the insurance claim is harder to substantiate.

Collect and document indicators of compromise. IP addresses, malware hash values, tools used, C2 server addresses, user accounts with suspicious activity. This information is important both for containment and for reporting.
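A small register for exactly this step, as an added example that is not code from the original article: it classifies raw indicator strings by syntax (IP address, file hash, domain or C2 address, user account), rejects anything that is not a recognisable indicator instead of silently storing it, deduplicates repeat sightings while keeping every source, and defangs network indicators for the written report. The classification rules, the defanging convention and the sample observations (constructed, using RFC 5737 documentation addresses and example.net names) are all assumptions.

```python
"""Indicator-of-compromise register for the incident log.
Added example, not code from the original article. The classification rules,
the defanging convention and the sample observations are assumptions; the
sample indicators are constructed (RFC 5737 address, example.net name)."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# DOMAIN\user (Windows) or user@domain (UPN / e-mail) account references
ACCOUNT_RE = re.compile(r"^[\w.-]+\\[\w.$-]+$|^[\w.-]+@[\w.-]+\.\w+$")


def classify(value: str) -> str:
    """Return the indicator kind by syntax; raise ValueError if it matches nothing."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_KINDS:
        return HASH_KINDS[len(v)]
    if ACCOUNT_RE.match(v):
        return "account"
    if DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"unrecognised indicator: {value!r}")


def defang(kind: str, value: str) -> str:
    """Make network indicators non-clickable for reports and e-mails."""
    if kind in ("ip", "domain"):
        return value.replace(".", "[.]").replace(":", "[:]")
    return value


@dataclass
class Indicator:
    kind: str
    value: str
    source: str      # where it was observed (log, alert, analyst note)
    logged_at: str   # UTC ISO timestamp, for the later timeline


@dataclass
class IocRegister:
    entries: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (raw value, source, reason)

    def add(self, raw: str, source: str, now=None) -> bool:
        """Validate, deduplicate and record one indicator; return True if newly stored."""
        stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        try:
            kind = classify(raw)
        except ValueError as exc:
            self.rejected.append((raw, source, str(exc)))
            return False
        value = raw.strip()
        key = (kind, value.lower())
        for e in self.entries:
            if (e.kind, e.value.lower()) == key:
                e.source += f"; {source}"   # same IoC seen again: keep both sightings
                return False
        self.entries.append(Indicator(kind, value, source, stamp))
        return True

    def report_lines(self) -> list:
        """Defanged, grouped lines ready to paste into the incident report."""
        lines = []
        for kind in ("ip", "domain", "md5", "sha1", "sha256", "account"):
            for e in self.entries:
                if e.kind == kind:
                    lines.append(f"{kind:8} {defang(kind, e.value):45} seen in: {e.source}")
        return lines


# Constructed sample observations from the first hours of a hypothetical incident.
SAMPLE_OBSERVATIONS = [
    ("198.51.100.23", "firewall: repeated outbound 443 from file server"),
    ("c2-update.example.net", "DNS log: resolved shortly before encryption started"),
    (hashlib.sha256(b"constructed sample binary").hexdigest(), "EDR alert: unknown executable"),
    ("CORP\\svc-backup", "AD audit: interactive logon from workstation at 03:12"),
    ("see ticket 4711", "helpdesk note, not an indicator"),
    ("198.51.100.23", "EDR alert: same address in process network activity"),
]


def build_register(observations=SAMPLE_OBSERVATIONS) -> IocRegister:
    reg = IocRegister()
    fixed_now = datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc)   # constructed timestamp
    for raw, source in observations:
        reg.add(raw, source, now=fixed_now)
    return reg


if __name__ == "__main__":
    reg = build_register()
    print("\n".join(reg.report_lines()))
    for raw, source, reason in reg.rejected:
        print(f"REJECTED {raw!r} from {source}: {reason}")
```

The rejected list is kept on purpose: an analyst's note that was mistaken for an indicator should be visible in the log, not lost, and the duplicate sighting of the same address from two different sources is exactly the kind of corroboration the later forensic analysis needs.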

Identify the attack vector. How did the ransomware enter the network? Phishing email with attachment? Compromised VPN access? Exploit of unpatched software? RDP brute force? Without knowledge of the entry vector, the hole cannot be closed, and there is a risk that recovery takes place in a still-infected network.

The “No More Ransom” initiative by Europol and the ID Ransomware database can help identify the ransomware variant. For some known variants, free decryption tools exist that can significantly reduce damage. It costs ten minutes and can save hundreds of thousands.

Hour 12 to 24: Reporting and Communication

Now the technical incident becomes a regulatory and communicative matter. The 24-hour deadline from BACS runs from the moment of discovery – not from the moment everything is understood.

Prepare and submit the BACS report. The report is filed via the Cyber Security Hub or by email. The initial report does not need to be complete – supplementary information can be added within 14 days. What matters is that the report is submitted within the deadline, even if some details are still unclear.

Typical mandatory fields: time of discovery, affected systems and services, known technical characteristics of the attack, measures taken so far, contact person at the company. A prepared report template with placeholders saves critical time in a crisis.

Check parallel reporting obligations. Data breaches trigger an additional 72-hour deadline for reporting to the FDPIC under the revFADP. Financial companies must inform FINMA. Listed companies must check whether an ad-hoc disclosure event exists. Companies with EU subsidiaries must additionally observe national NIS2 reporting obligations. These parallel obligations must not be forgotten – they have their own deadlines and formats.

Manage internal communication. Employees will notice that something is wrong. Those left without information until the afternoon will speculate or inform third parties in an uncontrolled manner. Clear, honest internal communication – without details about technical vulnerabilities – prevents chaos. The message should be: we have a security incident, we are working on it, here is the temporary working mode, here is the contact person for questions.

Prepare external communication, but hold it back. Customers, suppliers, and media should only be informed when the factual situation is stable and the message is coordinated. Premature communication with incomplete information creates follow-up problems. Communicating too late creates loss of trust. The right moment typically lies between 24 and 72 hours after discovery, depending on the scale of the incident.

Typical Mistakes That Become Expensive

From the experience of documented Swiss cyber incidents, several recurring patterns emerge that systematically increase damage.

First mistake: Shutting down instead of isolating. Shutting down affected systems deletes volatile memory contents that can be crucial for forensics. Isolation through network separation is almost always the better choice.

Second mistake: Delayed escalation. The desire to “first resolve the problem internally” before informing executive management, external experts, or authorities costs hours and worsens the legal position. The ISG 24-hour reporting deadline leaves no room for a test phase.

Third mistake: Paying the ransom without consultation. The decision whether to pay ransom is complex and has financial, legal, and ethical dimensions. It should never be made without legal counsel, insurance involvement, and executive management decision. In many cases, payment is legally problematic if the attacker group is on sanctions lists. BACS and international authorities generally advise against payment.

Fourth mistake: Recovery on compromised systems. Restoring backups into a network that still contains remnants of the attack infrastructure leads to immediate reinfection. Before recovery, the entire network must be cleaned, passwords reset, vulnerabilities closed, and monitoring intensified.

Fifth mistake: No documentation. Every step, every decision, every contact must be logged. Not only for legal protection, but also for later analysis and improvement of internal processes. In the heat of the incident, this step is often forgotten and painfully missed later.

Preparation Before the Crisis

The best playbook is useless if it is only read in the moment of crisis. The decisive preparations must happen beforehand.

A documented playbook that is specifically tailored to your own systems and processes – not a generic template. Roles must be filled with real names and contact details, not function titles.

Pre-negotiated contracts with external incident response providers and IT lawyers. The call in case of crisis should lead directly into processing, not into contract negotiations.

Regular exercises – at least once a year a tabletop exercise in which the crisis team is walked through a realistic scenario. These exercises regularly reveal gaps that would be catastrophic in a real incident.

Offline backups that are physically or logically separated from the production network. The 3-2-1 rule remains the gold standard: three copies, on two different media, one of which is kept offsite.
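A check of a backup inventory against that rule, as an added example that is not from the article: it counts copies, media and offsite locations, and adds the requirement the article makes in the isolation step, namely at least one copy that an attacker with domain-admin rights cannot reach (offline, or immutable and logically separated). The inventory is constructed, and the production copy is counted as one of the three copies, which is an assumption about how the rule is read.

```python
"""3-2-1 backup inventory check with an isolation requirement.
Added example, not code from the article. The inventory is constructed and
the production copy is counted as one of the three copies (assumption)."""

# Constructed inventory of a hypothetical SME: one production copy, two backups.
INVENTORY_GOOD = [
    {"name": "prod-fileserver", "medium": "disk", "offsite": False, "isolated": False},
    {"name": "nightly-nas",     "medium": "disk", "offsite": False, "isolated": False},
    {"name": "weekly-tape",     "medium": "tape", "offsite": True,  "isolated": True},
]
# The common weak setup: production plus one always-online NAS on the same LAN.
INVENTORY_WEAK = [
    {"name": "prod-fileserver", "medium": "disk", "offsite": False, "isolated": False},
    {"name": "nightly-nas",     "medium": "disk", "offsite": False, "isolated": False},
]


def check_321(inventory: list) -> dict:
    """Return counts, the copies that satisfy each criterion, and a list of findings."""
    copies = len(inventory)
    media = sorted({c["medium"] for c in inventory})
    offsite = [c["name"] for c in inventory if c["offsite"]]
    # "isolated" = offline, or immutable and not reachable with production credentials
    isolated = [c["name"] for c in inventory if c["isolated"]]
    findings = []
    if copies < 3:
        findings.append(f"only {copies} copies, need 3")
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(media) or 'none'}), need 2")
    if not offsite:
        findings.append("no offsite copy")
    if not isolated:
        findings.append("no offline or immutable copy: a compromised domain admin can encrypt every copy")
    return {"copies": copies, "media": media, "offsite": offsite,
            "isolated": isolated, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for label, inv in (("good", INVENTORY_GOOD), ("weak", INVENTORY_WEAK)):
        result = check_321(inv)
        print(label, "OK" if result["ok"] else "FAIL")
        for f in result["findings"]:
            print("  -", f)
```

The fourth finding is the one that matters most for ransomware: an inventory can satisfy 3-2-1 on paper and still lose every copy if all three are reachable with the same stolen credentials.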

A prepared BACS reporting template with the always-identical mandatory fields, where only incident-specific details need to be added. This saves at least an hour in a crisis.
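What such a prepared template can look like, as an added example that serves both the Hour 12 to 24 reporting step and this preparation item; it is not code from the article and not the official BACS form. Static fields are filled in once, incident-specific fields are filled in during the crisis, an assumed minimum set of mandatory fields is checked before submission, and every deadline the article names (24-hour initial report, 14-day supplement, 72-hour FDPIC notification under the revFADP) is computed from the moment of discovery. The field names are assumptions modelled on the typical mandatory fields listed above and must be checked against the current Cyber Security Hub form; the sample incident is constructed.

```python
"""Pre-filled incident report template with deadline tracking.
Added example, not code from the article and not the official BACS form.
Field names are assumptions modelled on the article's list of typical
mandatory fields; check them against the current Cyber Security Hub form.
Deadlines: 24 h initial report and 14-day supplement (ISG / BACS),
72 h FDPIC notification (revFADP) where personal data is affected."""
from datetime import datetime, timedelta, timezone

# Filled in once, before any crisis; placeholders are constructed.
STATIC_FIELDS = {
    "organisation": "Example AG (constructed)",
    "sector": "PLACEHOLDER sector, e.g. energy supply",
    "contact_name": "PLACEHOLDER incident commander",
    "contact_phone": "PLACEHOLDER phone",
    "contact_email": "PLACEHOLDER e-mail",
}

# Supplied per incident; None means not yet known at submission time.
INCIDENT_FIELDS = ("discovered_at", "affected_systems", "technical_characteristics",
                   "measures_taken", "personal_data_affected")

# Assumed minimum set without which the initial report should not go out.
MANDATORY = ("organisation", "contact_name", "contact_phone",
             "discovered_at", "affected_systems", "measures_taken")


def deadlines(discovered_at: datetime, personal_data_affected) -> dict:
    """Compute every deadline from discovery, not from full understanding.
    While it is unknown whether personal data is affected, the 72 h FDPIC
    deadline is tracked anyway: it can be dropped later, not recovered."""
    d = {
        "bacs_initial_report": discovered_at + timedelta(hours=24),
        "bacs_supplement": discovered_at + timedelta(days=14),
    }
    if personal_data_affected is not False:
        d["fdpic_notification"] = discovered_at + timedelta(hours=72)
    return d


def missing_mandatory(report: dict) -> list:
    return [k for k in MANDATORY if report.get(k) in (None, "", [])]


def build_report(incident: dict) -> dict:
    report = dict(STATIC_FIELDS)
    report.update({k: incident.get(k) for k in INCIDENT_FIELDS})
    report["missing_mandatory"] = missing_mandatory(report)
    discovered = report["discovered_at"]
    report["deadlines"] = deadlines(discovered, report["personal_data_affected"]) if discovered else {}
    return report


def render(report: dict, now: datetime) -> str:
    """Plain-text body for the Cyber Security Hub form or the e-mail report."""
    lines = ["INITIAL INCIDENT REPORT (supplement follows within 14 days)", ""]
    for k in list(STATIC_FIELDS) + list(INCIDENT_FIELDS):
        v = report[k]
        if isinstance(v, datetime):
            v = v.isoformat(timespec="minutes")
        elif isinstance(v, list):
            v = ", ".join(v)
        elif v is None:
            v = "UNKNOWN at time of report, will be supplied"
        lines.append(f"{k:26}: {v}")
    lines.append("")
    for name, due in report["deadlines"].items():
        left = due - now
        status = "OVERDUE" if left < timedelta(0) else f"{left.total_seconds() / 3600:.1f} h left"
        lines.append(f"deadline {name:22}: {due.isoformat(timespec='minutes')} ({status})")
    if report["missing_mandatory"]:
        lines.append("")
        lines.append("DO NOT SUBMIT YET, missing: " + ", ".join(report["missing_mandatory"]))
    return "\n".join(lines)


# Constructed incident, rendered four hours after discovery.
SAMPLE_INCIDENT = {
    "discovered_at": datetime(2026, 3, 2, 8, 15, tzinfo=timezone.utc),
    "affected_systems": ["file server FS01", "two workstations", "backup job failed"],
    "technical_characteristics": None,   # variant not identified yet
    "measures_taken": ["network isolation of FS01", "backup NAS disconnected", "IR provider called"],
    "personal_data_affected": None,      # unknown: keep the 72 h clock running
}
SAMPLE_NOW = datetime(2026, 3, 2, 12, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(render(build_report(SAMPLE_INCIDENT), SAMPLE_NOW))
```

The design choice worth noting is that an unknown field never blocks the 24-hour submission unless it is in the assumed mandatory set; everything else is explicitly marked as unknown and falls under the 14-day supplement, which is how the article describes the initial report working.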

The investment in this preparation is small in relation to the potential damage of an unprepared incident. And it pays off even if the worst case never occurs – through a structured understanding of your own risks and dependencies.

The Sober Truth

A ransomware attack is not a question of if, but of when. The quality of response depends almost entirely on preparation, not on ability to improvise in the moment of crisis. Companies that have understood this invest in playbooks, exercises, and external partnerships. Companies that have not understood it pay later – either in the form of ransom, recovery costs, regulatory fines, or lost customer trust.

The ISG reporting obligation since April 2025 does not change this. It only makes the costs of a badly managed incident more visible and increases the pressure to be prepared.
