New SEC Ruling: Transatlantic convergence on handling cyber security incidents - Risk Partners

Risk Partners Life Sciences Roundtable 2024 on 18.07.24. Thank you very much! Register now for 2025 now >

Foreign filers / private issuers watch out!
2023 brought further harmonization of European
and US standards for cyber incident reporting.

Under the SEC Ruling, all companies listed on the US stock exchange are now required to publicly report significant data security incidents to the SEC within four business days. In addition, they must disclose in their annual report (10-K) their procedures for identifying and addressing material cybersecurity risks, including the role of the board of directors.

Please note: This regulation also applies to foreign private issuers (e.g. German companies that have issued a US bond). However, they are only obliged to make ad hoc reports (Form 6-K) of incidents if they are obliged to do so in another jurisdiction, e.g. under theMarket Abuse Regulation.

The materiality of an incident is determined in particular by the potential financial consequences. These consequences must be presented in the report, but not whether the incident is still ongoing or whether data has been compromised.

US legislation regarding the reporting of data security incidents is thus moving increasingly closer to European regulations, which is to be welcomed in principle. Recently, the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) introduced reporting obligations for security incidents in critical infrastructure, comparable to the NIS guidelines and the BSI Act applicable in Germany. One particular aspect of the US regulations is the obligation to report such incidents within 72 hours and ransomware payments within 24 hours.

The new SEC ruling introduces a legal obligation for US companies to report cybersecurity incidents that is not exclusively limited to critical infrastructure. In view of the small number of German foreign filers and private issuers in the USA, this regulation affects fewer economic operators than the reporting obligations under the GDPR and, in future, the NIS2 implementation laws, but may have significant consequences due to the companies' relevance to the capital market. This is because the requirement is not limited to reporting to a supervisory authority or specific data subjects, but also to the (investor) public.

Against this backdrop, we recommend reviewing the cost components of your cyber insurance policy's reporting obligations and keeping the D&O insurance program up to date with regard to both the insured group and the insurance conditions with regard to cyber risks. In past due diligence reviews, we were able to identify weaknesses in this regard - favored by the tough years in the US D&O insurance market. Please contact us if you have any questions. You are also welcome to read further expertise on D&O insurance from Foreign Filers on our website.

Being Public

Global Integrity and Compliance Forum 2024

𝗚𝗹𝗼𝗯𝗮𝗹 𝗜𝗻𝘁𝗲𝗴𝗿𝗶𝘁𝘆 𝗮𝗻𝗱 𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗙𝗼𝗿𝘂𝗺 𝟮𝟬𝟮𝟮𝟰 "D&O and Co. - Plan B to cover personal liability!" Last Friday, Florian had the honor of taking part in the Global Integrity and Compliance Forum at the Ludwig-Maximilians-Universität in Munich. Under the motto "The RULE of LAW in the Era of Integrity & Compliance", international legal experts, company managers, in-house councils and compliance officers from all over the world gathered to discuss the future of good corporate governance in 2024. Key discussions and insights One of the

June 14, 2024

Management

Research breakdown at Stockholm's Karolinska Institute: A cooling failure destroys cell cultures from decades of research

Research mishap at Stockholm's Karolinska Institute: A cooling failure destroys cell cultures from decades of research - can you insure against it? An incident that threatens your very existence, but which we would like to shed some light on from the perspective of an insurance broker specializing in life sciences. What happened? A cooling system at the Karolinska Institute in Stockholm, Sweden's most important medical research center, failed for five days. Biological material that had been collected over 30 years and, according to the institute, was unique in the world, was destroyed as a result. The material was stored in deep-freeze tanks in which the temperature

June 7, 2024

Management

OLG Schleswig – Statute of Limitations for Liability Claims in the Case of Direct Claims in D&O Insurance

OLG Schleswig: Statute of limitations for liability claims in the case of direct claims in D&O insurance. There is a new, exciting verdict from the world of D&O insurance. Recently, we reported on the decision of the Higher Regional Court of Cologne in the context of the direct lawsuit. Now the Higher Regional Court of Schleswig has also made a groundbreaking decision. What was it about? The focus was on the question of the statute of limitations. However, it must be taken into account that the question of the statute of limitations in the event of a D&O claim is not trivial. On the one hand, there is the original claim for damages (statutory D&O liability

April 24, 2024