What happened?
In January 2025, a mid-sized Swiss pharmaceutical company in north-western Switzerland fell victim to a ransomware attack through compromised VPN access. The company, which wishes to remain anonymous for reputational reasons, manufactures active ingredients and generics for the European market and has approximately 350 employees.
The attack began with the compromise of VPN credentials of an external IT provider responsible for maintaining the production control systems (SCADA/OT). The attackers used the stolen credentials to log directly into the company network via VPN — without multi-factor authentication being active.
Over several days, the attackers mapped the network topology, identified critical production systems and exfiltrated confidential data — including formulas, GMP documentation and patient data from clinical trials. On 10 January 2025, they triggered the encryption.
The consequence was devastating: all production lines stood still. The cleanroom production control systems, quality assurance systems and ERP system were encrypted. Production could only resume after a complete reinstallation and revalidation of GMP-compliant systems — a process that is particularly lengthy in the pharmaceutical industry.
Who was affected?
- 350 employees, of whom over 200 in production had to be temporarily furloughed
- Hospitals and pharmacies in Switzerland and the EU that depended on regular deliveries
- Patients whose medication supply was endangered — particularly for products with few alternative suppliers
- Suppliers of raw and auxiliary materials whose deliveries had to be cancelled or postponed
- The external IT provider whose compromised credentials enabled the attack
- Swissmedic, which had to be informed as the supervisory authority
Two of the manufactured active ingredients were on the federation’s essential medicines list. A longer outage would have impacted medication supply in Switzerland.
How large was the damage?
The total damage of CHF 8.5m breaks down as follows:
| Cost item | Estimated cost | Covered by cyber insurance? |
|---|---|---|
| Production downtime (17 days) | CHF 4,200,000 | Yes – business interruption coverage (core service) |
| IT restoration & GMP revalidation | CHF 1,800,000 | Yes – system restoration covered |
| Incident Response & Forensics | CHF 650,000 | Yes – 24/7 immediate assistance from hour 1 |
| Contractual penalties | CHF 850,000 | Yes – liability component |
| Payroll during shutdown | CHF 480,000 | Yes – as part of business interruption |
| Legal advice & data protection | CHF 280,000 | Yes – incl. authority notifications |
| Crisis communication | CHF 120,000 | Yes – PR advice frequently included |
| Accelerated catch-up production | CHF 130,000 | Partially – mitigation costs often covered |
| Long-term customer loss | Not quantifiable | No – indirect damage |
| Total damage | CHF 8,510,000 | ~70–85% potentially covered (CHF 6–7.2m) |
With a coverage limit of CHF 10m (typical recommendation for a pharma company of this size), CHF 6–7.2m would have been covered. The annual premium for such a policy is approximately CHF 25,000–40,000 — a fraction of the actual damage.
The company had no cyber insurance. Management had underestimated the risk and delegated IT security to the external provider — without contractually defining or verifying their security standards.
Lessons for Swiss SMEs
- VPN without MFA is negligent: The entire attack could have been prevented by multi-factor authentication on the VPN access. MFA is the most effective and cost-efficient single measure — and a standard requirement for cyber insurance.
- Third-party access is high risk: External IT providers with VPN access often have the same rights as internal administrators. Restrict access rights to the minimum (least privilege) and monitor external access.
- Pharma and medtech are particularly vulnerable: GMP revalidation after a cyber attack makes recovery in the pharmaceutical industry especially expensive and lengthy. Industry-specific risks must be considered when sizing coverage.
- 17 days is not unusual: The average downtime after a ransomware attack on an SME is 22 days according to studies. 17 days is below average.
- CHF 8.5m can ruin an SME: For smaller companies with 20–50 employees, a comparable incident would be potentially existentially threatening.
- The premium is a fraction of the damage: CHF 25,000–40,000 annual premium vs. CHF 8.5m in damages. The cost-benefit ratio of cyber insurance is clear for this risk profile.
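The monitoring called for in the first two lessons can start as a simple audit of VPN session records. The following is an added example, not part of the original case study: it flags external-provider sessions that authenticated without MFA or reached hosts outside the provider's agreed scope. The log columns, account names and subnets are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of VPN session records (not data from the incident).
# Column names are assumptions; map them to your VPN gateway's export format.
SAMPLE_LOG = """\
timestamp,user,account_type,mfa,dest_ip
2025-01-06T02:14:00,vendor-scada,external,none,10.20.5.11
2025-01-06T02:31:00,vendor-scada,external,none,10.10.1.5
2025-01-06T08:02:00,a.meier,internal,totp,10.10.1.5
2025-01-07T09:15:00,vendor-erp,external,totp,10.30.2.8
"""

# Hypothetical least-privilege policy: subnets each external account may reach.
VENDOR_SCOPE = {
    "vendor-scada": ["10.20.5.0/24"],
    "vendor-erp": ["10.30.2.0/24"],
}


def audit_vpn_sessions(log_text, scope=VENDOR_SCOPE):
    """Return (timestamp, user, finding) tuples for external-account sessions."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["account_type"] != "external":
            continue
        # Lesson 1: any third-party login without a second factor is a finding.
        if row["mfa"].strip().lower() in ("", "none"):
            findings.append((row["timestamp"], row["user"], "login without MFA"))
        # Lesson 2: deny by default; an account with no scope entry is
        # out of scope everywhere.
        nets = [ipaddress.ip_network(n) for n in scope.get(row["user"], [])]
        dest = ipaddress.ip_address(row["dest_ip"])
        if not any(dest in net for net in nets):
            findings.append((row["timestamp"], row["user"],
                             f"out-of-scope destination {row['dest_ip']}"))
    return findings


if __name__ == "__main__":
    for ts, user, finding in audit_vpn_sessions(SAMPLE_LOG):
        print(f"{ts}  {user:<14} {finding}")
```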
Get a free consultation. The specialists at BTAG Versicherungsbroker AG in Bern have experience insuring pharmaceutical companies, manufacturing operations and companies with OT infrastructure.