Risk Partners Life Sciences Roundtable 2024, thank you very much! Already for the 26.06.2025 >

Contact us

Foreign filers / private issuers watch out!
2023 brought further harmonization of European
and US standards for cyber incident reporting.

Under the SEC Ruling, all companies listed on the US stock exchange are now required to publicly report significant data security incidents to the SEC within four business days. In addition, they must disclose in their annual report (10-K) their procedures for identifying and addressing material cybersecurity risks, including the role of the board of directors.

Please note: This regulation also applies to foreign private issuers (e.g. German companies that have issued a US bond). However, they are only obliged to make ad hoc reports (Form 6-K) of incidents if they are obliged to do so in another jurisdiction, e.g. under theMarket Abuse Regulation.

The materiality of an incident is determined in particular by the potential financial consequences. These consequences must be presented in the report, but not whether the incident is still ongoing or whether data has been compromised.

US legislation regarding the reporting of data security incidents is thus moving increasingly closer to European regulations, which is to be welcomed in principle. Recently, the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) introduced reporting obligations for security incidents in critical infrastructure, comparable to the NIS guidelines and the BSI Act applicable in Germany. One particular aspect of the US regulations is the obligation to report such incidents within 72 hours and ransomware payments within 24 hours.

The new SEC ruling introduces a legal obligation for US companies to report cybersecurity incidents that is not exclusively limited to critical infrastructure. In view of the small number of German foreign filers and private issuers in the USA, this regulation affects fewer economic operators than the reporting obligations under the GDPR and, in future, the NIS2 implementation laws, but may have significant consequences due to the companies' relevance to the capital market. This is because the requirement is not limited to reporting to a supervisory authority or specific data subjects, but also to the (investor) public.

Against this backdrop, we recommend reviewing the cost components of your cyber insurance policy's reporting obligations and keeping the D&O insurance program up to date with regard to both the insured group and the insurance conditions with regard to cyber risks. In past due diligence reviews, we were able to identify weaknesses in this regard - favored by the tough years in the US D&O insurance market. Please contact us if you have any questions. You are also welcome to read further expertise on D&O insurance from Foreign Filers on our website.  

Management

OLG Cologne: Insurer clarifies burden of proof for direct claim in D&O insurance

Cologne Higher Regional Court finally provides clarification in the area of D&O direct litigation with a recent ruling A new and exciting ruling from the world of D&O insurance. The proceedings dealt with the question of who bears the burden of proof if a company does not first take action against the managing director in an internal liability case, but instead takes direct action against the D&O insurer(s) (so-called direct action). This is possible if the defendant has assigned his/her indemnification claims against the D&O insurer to the company. But what happens in this case with the privileged

Read more "
November 21, 2023
Management

How managers protect themselves from personal liability in the event of cyber incidents - #29Minutes by Control Risk & Risk Partners

How directors and officers protect themselves from personal liability in the event of cyber incidents - #29Minutes by Control Risk & Risk Partners Looking at our claims experience in the area of directors' and officers' liability in recent years, internal claims alleging inadequate cyber risk management and emergency management in the event of a cyber attack are unfortunately on the rise. In addition to special risk transfer solutions (cyber and CDI insurance), there are also very practical tips on how to react correctly if the worst comes to the worst. Following an exchange at a risk management conference in Q1 of this year

Read more "
November 8, 2023
Life Sciences

Finance Day 2023

Growth capital for biotechnology: Yesterday, today, tomorrow! A few days ago, Jutta Zaglauer and Florian Eckstein from our team attended the Finance Day 2023 on the occasion of the 25th anniversary of biotechnology at the IZB - Innovation and Startup Center for Biotechnology. The event offered an exciting exchange and insights into current financing and capital market issues of biotechnology companies. As an experienced specialist insurance broker for the areas of life sciences, venture capital and IPOs, all three cornerstones of our "magic expertise triangle" were part of the exciting agenda. It was also interesting to discuss the importance of customized

Read more "
November 6, 2023