Cybersecurity incidents have become an ever-growing threat to companies as attacks become more sophisticated, particularly in the face of AI-enabled threat actors. When a cyberattack occurs, the immediate focus is typically on containing the impact and restoring systems, but it is equally important for businesses subject to the EU/UK Market Abuse Regulation (“MAR”) to consider their disclosure obligations. A cybersecurity incident may constitute “inside information” requiring prompt public disclosure, with delays permitted only where certain conditions are met. In this post we explore those obligations and how best to navigate them.

The Legal Landscape: “Inside Information” under MAR

The MAR regime applies to issuers with financial instruments, such as shares and bonds, admitted to trading on UK or EU regulated markets, multilateral trading facilities, or organised trading facilities for which a request for admission to trading has been made by the issuer. “Inside information” under MAR is defined as information that relates directly to one or more issuers and is (i) precise, (ii) not public and (iii) if made public, would be likely to have a significant effect on the price of the issuer’s financial instruments.

Under MAR, information is considered “precise” when it indicates specific circumstances that exist or may reasonably be expected to occur, or an event that has occurred or for which there is a “reasonable expectation” that it will occur. Courts have held that such an expectation requires only a “realistic prospect” of occurrence and not a high probability. Information can also be “precise” without indicating the direction of the likely price movement of the financial instrument.

If an issuer concludes that “inside information” has arisen, it is required to disclose that information to the market as soon as possible unless the disclosure may be delayed. Under MAR, disclosure may be delayed if (i) immediate disclosure would be likely to prejudice the issuer’s legitimate interests, (ii) delay is not likely to mislead the public, and (iii) the issuer is able to ensure the confidentiality of the information. Failure to disclose “inside information” when required under MAR may result in financial penalties for the issuer, and personal liability for directors. Issuers may also find themselves subject to shareholder claims and heightened regulatory scrutiny, particularly where delayed disclosure is preceded by significant movement in the price of financial instruments.

When Would a Cybersecurity Incident Trigger Disclosure Obligations Under MAR?

The occurrence of a cybersecurity incident, such as a ransomware attack, a data breach or other malicious cyber activity, may trigger a disclosure obligation under MAR if the issuer determines that the incident, or its effects, constitutes “inside information”.

Not every cybersecurity incident will constitute “inside information,” particularly at the outset of the incident. When assessing whether a cybersecurity incident gives rise to disclosure obligations under MAR, issuers should consider potential impacts of the incident, including, but not limited to, whether the incident could:

  • materially impact revenue, margins, costs or financial performance;
  • result in operational disruption to critical business infrastructure and/or internal and customer-facing systems;
  • require the withdrawal of earnings guidance or the amendment of previously issued forecasts;
  • lead to investigations by regulators, fines and/or litigation, particularly where personal data, trade secrets or intellectual property has been compromised;
  • create significant reputational risk that could materially affect customer trust, commercial relationships or market perception.

When issuers subject to MAR disclose cybersecurity incidents, the first step is typically a brief announcement, within a few days of detection, that the incident has occurred. The occurrence of the incident will not necessarily be considered “inside information” at the point of such an announcement. Initial announcements generally include a brief description of the incident, service disruptions, if any, and a reference to the investigations taking place.

Cybersecurity incidents are rarely static events, however, and new facts emerge as the issuer gains greater visibility and understanding of the operational, financial and regulatory impact. As a result, it is crucial to monitor the situation closely and on an ongoing basis to determine if and when it rises to the level of “inside information” and requires disclosure. That is why initial announcements of an incident are often followed by subsequent announcements that provide additional detail on the incident, its nature and scope, and its impact, including the number of customers affected and its operational impact, the type and level of data breaches, and the potential or actual financial impact.

Each development and its impact must be assessed independently though, and subsequent developments may themselves constitute new “inside information,” requiring additional disclosure. Such developments may include:

  • a material escalation in the scale of the incident;
  • a reassessment of the expected financial impact (including remediation costs); or
  • the identification of significant regulatory exposure or litigation risk and its financial consequences.

Delaying Disclosure

Under MAR, an issuer must disclose “inside information” to the public “as soon as possible”, but may delay disclosure of “inside information” if:

  • immediate disclosure would be likely to prejudice the issuer’s legitimate interests;
  • delay is not likely to mislead the public; and
  • the issuer is able to ensure the confidentiality of the information.

In the context of cybersecurity incidents, legitimate interests may include preserving the effectiveness of ongoing containment and remediation measures, mitigating the risk of further compromising system security, or facilitating cooperation with law enforcement or regulatory authorities. Delaying disclosure solely because investigations are ongoing is unlikely to provide a sufficient basis for delay for MAR purposes. It is important to note that delay is only permissible for so long as confidentiality can be maintained.

From 5 June 2026, amendments introduced by the EU Listing Act will further clarify the conditions for delay in the EU by expressly permitting the delay of disclosure of “inside information” relating to “intermediate steps in a protracted process” (if those steps are connected with bringing about or resulting in particular circumstances or a particular event), provided that the above-mentioned conditions for a delay are still met.

Where disclosure is delayed, issuers must document their decision, maintain appropriate insider lists, and once the disclosure is made, notify the competent authority of the delay and provide a justification if required.

Practical Steps for Issuers

In the case of a cybersecurity incident, issuers should take the following steps:

  • involve legal and compliance personnel, as well as disclosure committees and legal advisors, at an early stage and keep them informed as the situation develops;
  • align cybersecurity, legal, compliance and communications teams on draft announcement language and other public-facing communications; and
  • if disclosure of “inside information” is delayed, document the reasons for the delay and maintain an insider list as mandated by MAR.

For dual-listed issuers or those with U.S. reporting obligations, the MAR disclosure analysis cannot be undertaken in isolation. The U.S. Securities and Exchange Commission requires issuers that are subject to Form 8-K reporting requirements to disclose cybersecurity incidents if the incident is “material”, taking into account the impact on the issuer’s financial condition and results of operations, as well as qualitative factors, such as whether the incident will result in harm to reputation, customer or vendor relationships, or competitiveness, and the likelihood of litigation or regulatory investigations or actions. Where a cybersecurity incident is so significant that an issuer determines it to be material even without a determination as to its impact, the issuer is required to include a statement noting that it has not yet determined the impact and to amend the Form 8-K to disclose the impact once that information is available. In addition, all issuers with a U.S. listing and their insiders are prohibited from trading on the basis of material, non-public information. Dual-listed issuers should, therefore, establish early coordination between UK, EU and U.S. counsel to align materiality assessments, timing and consistency of disclosure.

Conclusion

Issuers subject to MAR must ensure that a cybersecurity incident is immediately brought to the attention of legal and compliance professionals within the business, as well as disclosure committees and legal advisors, who would have to assess whether “inside information” exists that would require immediate disclosure or whether disclosure could be delayed. It is crucial that the situation is monitored closely and on an ongoing basis, and that legal and compliance professionals, and disclosure committees, are kept apprised of developments as they occur so that they can determine when “inside information” has arisen and when the appropriate disclosure must be made.

***

The cover art for this blog post was generated by ChatGPT.

Author

Robert Maddox is a partner in Debevoise & Plimpton LLP’s Data Strategy & Security practice, based in London. In 2021 he was named to Global Data Review’s “40 Under 40” and is described as “a rising star” in cyber law by The Legal 500 US (2022). His practice focuses on cybersecurity incident preparation and response, internal investigations and regulatory defence. Mr. Maddox also advises on data strategy and compliance in the context of emerging technologies, including AI, and operational resilience matters. He can be reached at rmaddox@debevoise.com.

Author

Nicholas P. Pellicani is a corporate partner and a member of the firm’s Capital Markets and Banking Groups. He is recommended by The Legal 500 UK (2026), where he has been described as “reliable, confident and assured.” He is also recommended as a Notable Practitioner in IFLR1000 (2025). He can be reached at nppellicani@debevoise.com.

Author

Vera Losonci is a U.S. and English qualified counsel in the Corporate Department. Her practice covers a broad spectrum of cross-border transactions, with a special focus on capital markets and securities matters, and transactions in emerging market jurisdictions. She also advises clients in significant cross-border mergers and acquisitions and corporate finance transactions, as well as on corporate governance matters. She can be reached at vlosonci@debevoise.com.

Author

Esther Stefanini is an associate based in the London office and a member of the Capital Markets Group. She can be reached at estefanini@debevoise.com.