Cyber Incident Victim: PSI Software SE
Date:
Feb 2024
Location:
Germany
Summary
A cyberattack targeted PSI Software SE, prompting the company to issue a mandatory regulatory disclosure under EU market abuse regulations. The incident was classified as insider information requiring immediate public notification, indicating material operational or financial implications. The announcement disseminated through official stock exchange channels confirms the attack's severity but does not specify intrusion methods, data impacts, or recovery timelines. This disclosure reflects compliance with transparency obligations for listed entities following significant cybersecurity events.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 15, 2024, PSI Software SE publicly disclosed a cyberattack via an ad-hoc announcement published through EQS Group, complying with Article 17 of the EU Market Abuse Regulation (EU No. 596/2014). The announcement, released at 20:25 CET/CEST, confirmed the incident but did not specify the attack vector, intrusion timeline, or initial detection methods. The disclosure’s regulatory nature indicated material operational or financial implications requiring immediate transparency to investors and markets. No technical details were provided regarding compromised systems, data exfiltration, or disruption to PSI’s software development, supply chain management, or customer services. The absence of attributed threat actors or ransom demands in the filing suggested ongoing internal investigations or law enforcement coordination. The company’s decision to issue a standalone cyberattack notification—distinct from routine financial reporting—highlighted the incident’s perceived severity under capital market compliance standards.
The announcement’s distribution through EQS News—a platform specializing in regulatory disclosures—emphasized PSI’s adherence to legal obligations rather than proactive public relations outreach. No supplementary press releases, executive statements, or technical advisories accompanied the filing at the time of publication. The lack of operational impact assessments, recovery timelines, or mitigation measures in the disclosure left stakeholders without clarity on business continuity status or potential service interruptions. Market surveillance mechanisms triggered by the ad-hoc release ensured real-time investor awareness, though PSI’s stock ticker ("PSI Software N") showed no immediate trading suspension data in the source material. The incident’s public confirmation aligned with EU regulatory frameworks mandating prompt cyber incident reporting by listed entities, but the absence of forensic findings or recovery actions underscored the preliminary stage of PSI’s response.