
Foreign filers / private issuers watch out!
2023 brought further harmonization of European and US standards for cyber incident reporting.

Under the SEC Ruling, all companies listed on the US stock exchange are now required to publicly report significant data security incidents to the SEC within four business days. In addition, they must disclose in their annual report (10-K) their procedures for identifying and addressing material cybersecurity risks, including the role of the board of directors.

Please note: This regulation also applies to foreign private issuers (e.g. German companies that have issued a US bond). However, they are only obliged to make ad hoc reports (Form 6-K) of incidents if they are obliged to do so in another jurisdiction, e.g. under the Market Abuse Regulation.

The materiality of an incident is determined in particular by the potential financial consequences. These consequences must be presented in the report, but not whether the incident is still ongoing or whether data has been compromised.

US legislation on the reporting of data security incidents is thus moving ever closer to European regulation, which is to be welcomed in principle. Recently, the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) introduced reporting obligations for security incidents in critical infrastructure, comparable to the NIS Directive and the BSI Act applicable in Germany. One particular aspect of the US regulations is the obligation to report such incidents within 72 hours and ransomware payments within 24 hours.

The new SEC ruling introduces a legal obligation for US companies to report cybersecurity incidents that is not exclusively limited to critical infrastructure. In view of the small number of German foreign filers and private issuers in the USA, this regulation affects fewer economic operators than the reporting obligations under the GDPR and, in future, the NIS2 implementation laws, but may have significant consequences due to the companies' relevance to the capital market. This is because the requirement is not limited to reporting to a supervisory authority or specific data subjects, but also to the (investor) public.

Against this backdrop, we recommend reviewing the cost components of your cyber insurance policy's reporting obligations and keeping the D&O insurance program up to date, both as to the insured group and as to the policy conditions concerning cyber risks. In past due diligence reviews, we have identified weaknesses in this regard, encouraged by the tough years in the US D&O insurance market. Please contact us if you have any questions. You are also welcome to read further expertise on D&O insurance for Foreign Filers on our website.

Being Public

Prospectus liability insurance (POSI): Risk Partners publishes for you

Risk Partners on GoingPublic and the capital market blog on prospectus liability insurance

In recent months, we have been able to share our expertise on prospectus liability insurance with a wide audience on two renowned platforms. Here is an overview:

Kapitalmarkt.blog
In the article "POSI insurance - The protective vest on the capital market", we explain why prospectus liability insurance is an indispensable tool for companies becoming active on the capital market. The article shows in a practical way how such insurance not only minimizes liability risks, but also strengthens investor confidence.

GoingPublic Magazine
In

4 pillars of cyber insurance for venture capital and private equity
Cyber Security

Cyber insurance Venture capital and private equity

Why cyber insurance does not transfer the core risk of VC & PE funds, and why we have invested in Risk Partners cyber master agreements.

Why cyber risks are relevant for venture capital and private equity funds
With the continuing growth of the cyber crime industry (see Federal Office for the Protection of the Constitution), venture capital (VC) and private equity (PE) funds and their fund managers are also increasingly exposed to cyber risks. For years, this has been reflected in the claims we have been able to support, in which fund managers have ranked first year after year among the industries we advise.

Cyber Security

"Digital Operational Resilience Act" (DORA regulation) from the perspective of venture capital and private equity funds

DORA regulation applies from January 2025.

Significance for our private equity and venture capital clients
The somewhat unwieldy name "Digital Operational Resilience Act" (DORA for short) has a very serious background and is fundamentally to be welcomed. After all, when we evaluate our claims in the context of cybercrime, PE and VC funds and their KVGs are those with the highest frequency of claims. It can be safely assumed that they are a "worthwhile target group" for cyber criminals based abroad.
