
Foreign filers / private issuers watch out! 2023 brought further harmonization of European and US standards for cyber incident reporting.

Under the SEC Ruling, all companies listed on the US stock exchange are now required to publicly report significant data security incidents to the SEC within four business days. In addition, they must disclose in their annual report (10-K) their procedures for identifying and addressing material cybersecurity risks, including the role of the board of directors.

Please note: This regulation also applies to foreign private issuers (e.g. German companies that have issued a US bond). However, they are only obliged to make ad hoc reports (Form 6-K) of incidents if they are obliged to do so in another jurisdiction, e.g. under the Market Abuse Regulation.

The materiality of an incident is determined in particular by its potential financial consequences. The report must present these consequences, but it need not state whether the incident is still ongoing or whether data has been compromised.

US legislation regarding the reporting of data security incidents is thus moving increasingly closer to European regulations, which is to be welcomed in principle. Recently, the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) introduced reporting obligations for security incidents in critical infrastructure, comparable to the NIS guidelines and the BSI Act applicable in Germany. One particular aspect of the US regulations is the obligation to report such incidents within 72 hours and ransomware payments within 24 hours.

The new SEC ruling introduces a legal obligation for US companies to report cybersecurity incidents that is not exclusively limited to critical infrastructure. In view of the small number of German foreign filers and private issuers in the USA, this regulation affects fewer economic operators than the reporting obligations under the GDPR and, in future, the NIS2 implementation laws, but may have significant consequences due to the companies' relevance to the capital market. This is because the requirement is not limited to reporting to a supervisory authority or specific data subjects, but also to the (investor) public.

Against this backdrop, we recommend reviewing the cost components of your cyber insurance policy's reporting obligations and keeping the D&O insurance program up to date, both as to the insured group and as to the insurance conditions covering cyber risks. In past due diligence reviews, we were able to identify weaknesses in this regard, favored by the tough years in the US D&O insurance market. Please contact us if you have any questions. You are also welcome to read further expertise on D&O insurance for foreign filers on our website.

Being Public

Public prosecutor's office investigates: Suspicion of deception in short-time work (Sono Motors)

No startup bonus for criminal and administrative offenses. The incident and possible insurance cover. As exclusively researched by Hannah Schwär and her team at Capital Magazin, the founders of Sono Motors are now also facing problems with the public prosecutor's office. According to Capital Magazin, subsidy fraud in the context of short-time work and the programs surrounding the corona crisis is in the offing. The company, which is listed on the NASDAQ via De-SPAC, has already filed a report with the SEC. While the loss amount of EUR 40,000 is still being

Being Public

Earnings Call: one 0 too many - the Lyft CEO mistake

"Look, it was a bad mistake, and that's on me," CEO of LYFT Inc. The incident and possible insurance coverage. You may have also heard about the recent incident with LYFT. In the quarterly earnings report, LYFT originally stated that profit margins were up 500 basis points before correcting this to 50 basis points during the conference call. This clerical error caused the stock price to rise more than 60% in after-hours trading. This situation is exactly what investor relations teams that

Venture Capital

We provide information on liability risks for VC funds in the VC Magazine

In December, we were asked by VC-Magazin whether we could provide insights into liability and risk management issues relating to venture capital funds. With pleasure! Together with the team, Florian not only provided insights into current challenges, but also suggested practical solutions to effectively minimize and sensibly transfer the risks of a VC fund. In the VC Magazine article, you will therefore find: added value of customized insurance concepts for VC funds (focus: D&O/E&O insurance #Moonshotprotect), key measures for risk prevention (learning curve from our claims world), indemnifying contractual provisions as a preventive measure, and
