What happened?
In January 2024, Hoerbiger Holding AG — an internationally active Swiss industrial group headquartered in Zug — fell victim to Akira ransomware. The attackers gained access to the company’s systems, exfiltrated over 50 GB of confidential data and subsequently encrypted critical systems.
Hoerbiger refused to pay the ransom. The attackers then published the stolen data on their darknet leak site — a tactic known as double extortion: first threatening with encryption, then with data publication.
The Akira group has been active since March 2023 and specialises in industrial companies, SMEs and the healthcare sector. It typically uses compromised VPN access without multi-factor authentication as an entry point and employs legitimate administration tools such as AnyDesk and WinSCP for data exfiltration, making detection difficult.
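One way to hunt for the pattern described above, as an added example that is not part of the original article: correlate VPN logins that completed without MFA with later execution of AnyDesk or WinSCP by the same account. The log records, field names and the 12-hour correlation window are constructed assumptions, not data from the incident.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, map them to your own log schema.
VPN_LOGINS = [
    {"ts": "2024-01-10T02:14:00", "user": "svc_backup", "src_ip": "203.0.113.45", "mfa": False},
    {"ts": "2024-01-10T08:01:00", "user": "a.meier", "src_ip": "198.51.100.7", "mfa": True},
]
PROCESS_EVENTS = [
    {"ts": "2024-01-10T02:31:00", "user": "svc_backup", "host": "FS01",
     "image": r"C:\Users\Public\AnyDesk.exe"},
    {"ts": "2024-01-10T03:05:00", "user": "svc_backup", "host": "FS01",
     "image": r"C:\ProgramData\WinSCP.exe"},
    {"ts": "2024-01-10T09:12:00", "user": "a.meier", "host": "WS17",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
    {"ts": "2024-01-12T10:00:00", "user": "svc_backup", "host": "FS01",
     "image": r"C:\Windows\System32\robocopy.exe"},
]
WATCHED_TOOLS = {"anydesk.exe", "winscp.exe"}  # the tools named in the text above
WINDOW = timedelta(hours=12)  # assumed correlation window after a VPN login


def basename(image_path):
    """Return the lower-cased file name of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def correlate(logins, proc_events, window=WINDOW):
    """Alert when a watched tool runs under an account that logged in to the VPN
    without MFA, within `window` of that login."""
    alerts = []
    for login in logins:
        if login["mfa"]:
            continue  # MFA-protected sessions are out of scope for this hunt
        start = datetime.fromisoformat(login["ts"])
        for ev in proc_events:
            ts = datetime.fromisoformat(ev["ts"])
            tool = basename(ev["image"])
            if (ev["user"] == login["user"] and tool in WATCHED_TOOLS
                    and start <= ts <= start + window):
                alerts.append({"user": ev["user"], "host": ev["host"], "tool": tool,
                               "vpn_src_ip": login["src_ip"],
                               "minutes_after_login": int((ts - start).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(VPN_LOGINS, PROCESS_EVENTS):
        print(alert)
```

Because both tools are legitimate, the alert depends on the missing MFA on the preceding VPN login rather than on the binary alone; the WinSCP run by the MFA-protected account is not flagged.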
Who was affected?
Hoerbiger is a global company with over 6,000 employees in more than 40 countries:
- Employees worldwide whose personnel and payroll data were potentially contained in the stolen 50+ GB
- Customers in the oil & gas, process and automotive industries whose technical specifications and contract details may have been compromised
- Suppliers and partners whose business information could appear in the leaked data
- Production sites restricted by the encryption of IT systems
- Shareholders of the Hoerbiger Foundation facing reputational and valuation losses
Hoerbiger operates in compression and drive technology and supplies the energy sector among others. Technical drawings and patent data are among the company’s most valuable assets.
How large was the damage?
The total damage is estimated at CHF 15–40m:
| Cost item | Estimated cost | Covered by cyber insurance? |
|---|---|---|
| Incident Response & Forensics | CHF 1–2m | Yes – immediate specialist deployment |
| System restoration & decryption | CHF 2–4m | Yes – core policy service |
| Business interruption (production) | CHF 5–15m | Yes – revenue loss coverage |
| Ransom demand | CHF 2–5m | Partially – on insurer’s recommendation |
| Multi-jurisdictional data protection notifications | CHF 500,000–1m | Yes – regulatory costs covered |
| Third-party liability | CHF 2–5m | Yes – cyber liability component |
| Darknet monitoring & identity protection | CHF 200,000–500,000 | Yes – frequently included |
| Crisis communication & PR | CHF 300,000–800,000 | Yes – professional media advice |
| Competitive damage (IP loss) | CHF 3–10m | No – indirect, long-term damage |
| Reputational damage & customer loss | CHF 2–5m | No – not directly insurable |
| Estimated total damage | CHF 15–40m | ~50–65% potentially covered |
A cyber insurance policy would have absorbed, in particular, the massive costs of business interruption and liability claims. For a company of Hoerbiger’s size, a coverage limit of CHF 20–30m would have been appropriate.
Lessons for Swiss SMEs
- Double extortion is the new norm: Ransomware groups no longer just encrypt — they steal data first. Even with perfect backups, your confidential data ends up on the darknet. Cyber insurance covers the consequential costs.
- VPN without MFA is an open door: Akira systematically exploits VPN access without multi-factor authentication. Implementing MFA on all remote access is the most effective single measure — and a typical requirement for cyber insurance.
- Industrial companies are primary targets: The manufacturing industry is the second most attacked segment after healthcare. The combination of valuable data (patents, technical drawings) and often outdated OT security makes these companies attractive.
- Data classification is crucial: Do you know which of your data would cause the greatest damage in a leak? Data classification helps protect the most critical assets and correctly size the insurance coverage.
- Not paying is courageous but costly: Hoerbiger acted admirably by refusing the ransom. However, the consequence — data publication — causes significant follow-on costs. Cyber insurance supports the decision and covers costs in both scenarios.
- Darknet monitoring as early warning: After a data leak, stolen data can be misused for fraud months or years later. Cyber insurance policies frequently offer darknet monitoring as an additional service.
Get a free consultation. The experts at BTAG Versicherungsbroker AG in Bern know which risks are specifically relevant for industrial and manufacturing companies, and find the right cyber insurance with appropriate coverage.