BREACH/TRIGGERBlog

· BreachTrigger

8-K Cybersecurity Incident Disclosure Examples: What Real Filings Look Like in 2026

TL;DR: SEC Form 8-K cybersecurity disclosures fall into two buckets—Item 1.05 (material events requiring same-day or 4-day filing) and Item 8.01 (other events). Strong disclosures describe the incident's scope, financial impact, and remediation timeline. Weak ones bury risk under vague language like "we are investigating" or omit financial exposure entirely. Follow-up amendments often correct understatement or add materiality thresholds months later. Monitoring annotated examples helps IR, MSSP, and cyber-insurance teams spot early what public companies are still learning to disclose.


What exactly is an 8-K Item 1.05 cybersecurity disclosure?

Item 1.05 is reserved for "Costs Associated with Exit or Disposal Activities"—but the SEC's December 2023 amendments expanded this to include Material Cybersecurity Incidents. Companies must file an 8-K within 4 business days of determining that a cybersecurity incident is material. "Material" means it causes, or is reasonably likely to cause, significant financial loss, operational disruption, reputational harm, or regulatory liability. The disclosure must describe the incident's nature, scope, impact, and the company's response—with financial quantification where available.


How do companies typically structure Item 1.05 vs. Item 8.01 filings?

Item 1.05 (Material Incidents):
Used when the breach meets the materiality bar. Requires specific detail on the incident, affected data, timeframe, and financial or operational consequence. Example format:

"On June 15, 2026, our Chief Information Security Officer determined that an unauthorized third party gained access to customer payment records between May 12–June 14, 2026. Approximately 47,000 records (0.3% of our customer base) were exfiltrated, containing names, email addresses, and obfuscated payment method last-four digits. We estimate direct remediation costs of $2.1M over 18 months, including forensics, credit monitoring, and regulatory settlement. No fraudulent transactions have been detected to date."

Item 8.01 (Other Events):
Used for non-material or precautionary disclosures. Often more hedged: "We experienced a cybersecurity event affecting certain systems. We are investigating and will provide updates as appropriate." Item 8.01 filings are not subject to the 4-business-day deadline and allow more discretion in timing and detail.


What does a weak cybersecurity disclosure look like?

Weak disclosures tend to cluster around three patterns:

  1. Vague scope: "We experienced unauthorized access to certain systems" (no numbers, affected data types, or timeline).
  2. Missing financial impact: "We are taking steps to enhance our security posture" (no cost estimate, no quantification of data loss).
  3. Delayed or missing amendments: Company files Item 8.01 initially, then 6–12 months later amends to Item 1.05 once damages become clear, signaling underestimation.

Real weak-disclosure pattern (simplified):

"On June 1, 2026, we became aware of suspicious activity on a customer-facing web application. Our security team and third-party investigators are assessing the scope and impact. We do not currently believe this incident will have a material impact on our business."

Problems:

  • No data exfiltration detail (was data stolen, or just accessed?).
  • No user/record count.
  • "Immaterial" assertion made before investigation closes (sets up later reversal).
  • No timeline for remediation or disclosure update.

What does a strong, transparent cybersecurity disclosure look like?

Strong disclosures are prompt, quantified, and action-oriented.

Real strong-disclosure pattern (simplified):

"On June 8, 2026, our security operations center identified a SQL injection vulnerability on our customer portal that may have allowed unauthorized access to employee email addresses and internal project metadata for 89,000 customer contacts between May 20–June 8. No financial data, passwords, or personally identifiable information beyond email were exposed. We patched the vulnerability immediately upon detection (June 8, 2pm PT) and retained Mandiant to conduct forensic analysis. We estimate incident response and patch deployment costs of $580K over Q3 2026 and have notified affected customers and relevant regulators within 24 hours. We are updating our cloud security assessment quarterly through Q1 2027."

Why this is stronger:

  • Specific dates (vulnerability window: May 20–June 8).
  • Clear data scope (employee emails + project metadata; NOT financial data or passwords).
  • Quantified user count (89,000).
  • Immediate remediation timestamp.
  • Named third-party vendor (builds credibility).
  • Direct cost estimate ($580K).
  • Timeline and follow-up cadence (Q3 remediation, quarterly assessments through Q1 2027).
  • Proactive notification detail (customers + regulators within 24 hours).

How do amendments change the disclosure narrative?

Amendments often occur when:

  1. Materiality reassessment: Company initially files Item 8.01, then later amends to Item 1.05 once damage assessment is complete.
  2. Financial update: Initial filing estimated $1M in costs; amendment raises to $4.2M as third-party liability or regulatory fines materialize.
  3. Scope expansion: Initial filing stated "approximately 15,000 records"; amendment clarifies "actually 127,000 records based on complete forensic review."

Real amendment pattern (simplified timeline):

  • June 12, 2026 (8-K, Item 8.01): "We experienced a ransomware intrusion affecting our manufacturing facility network. We are assessing impact and expect to restore systems by mid-June."
  • June 20, 2026 (8-K/A Amendment): Reclassified to Item 1.05. "The ransomware attack encrypted data across 8 production facilities, affecting Q3 shipments by an estimated $47M revenue loss. Threat actor demanded $9M ransom (declined). We have engaged law enforcement and a forensic recovery firm. Recovery expected by July 15, 2026. Estimated incident costs: $18.3M (recovery + downtime + new security controls)."

Investor and IR lesson: Amendments signal either incomplete initial assessment or pressure from regulators to upgrade disclosure. Heavy amendments are red flags for investors—they suggest inadequate CISO-to-CFO communication or legal pushback on materiality thresholds.


What do Item 8.01 disclosures typically include when companies avoid Item 1.05?

Companies sometimes file Item 8.01 when they believe a breach doesn't meet materiality thresholds—or when the legal team asserts that determining materiality requires time. Common Item 8.01 language:

"A third-party vulnerability assessment identified potential exposure in our legacy authentication system. We have engaged external security advisors to evaluate scope and remediation options. No customer data is known to have been compromised at this time. We will provide further updates if circumstances warrant."

Red flags here:

  • "Potential exposure" (hedge against future disclosure).
  • "Not known to have been compromised" (leaves wiggle room).
  • "External advisors" (diffuses accountability).
  • "If circumstances warrant" (delays next update indefinitely).

This language buys time—but also signals to sophisticated investors (and regulators, and insurance carriers) that the company is either still investigating or minimizing the incident. In 2026, regulators and cyber-insurance underwriters are scrutinizing these patterns closely.


Which companies have set the disclosure bar highest in recent 8-Ks?

Financial-services and healthcare companies (bound by PCI-DSS and HIPAA) tend to disclose faster and more thoroughly. Tech companies have become more transparent since the SEC's December 2023 rule. Manufacturing and retail companies still lag—often filing Item 8.01 initially, then backtracking.

Notable recent transparency leaders:

  • Companies with dedicated CISO reporting directly to general counsel.
  • Tech companies with established incident-response playbooks (Okta, CrowdStrike, etc.) that name timelines and cost.
  • Companies facing active investigations (SEC, state AGs) tend to pre-disclose to avoid adverse surprises.

How can your organization benchmark your own cybersecurity disclosures?

  1. Monitor your industry competitors using BreachTrigger's 8-K alerts. Set triggers for your competitor list and the sector keywords (e.g., "unauthorized access," "ransomware," "incident response").
  2. Review what-is-sec-8k-item-105-cybersecurity-disclosure for the formal SEC guidance and standard filing templates.
  3. Calculate materiality thresholds using cybersecurity-incident-materiality-determination—define your own revenue %, customer count %, and cost baselines now, before an incident forces urgent guessing.
  4. Track amendments over 12 months: Do peer companies upgrade from Item 8.01 to 1.05? How long until financial estimates change? Patterns reveal common blind spots.
  5. Cross-reference trademark infringement and domain-spoofing risk using TrademarkSignal—threat actors often register lookalike domains before or during breaches to amplify damage.

What's the best way to monitor 8-K filings for cybersecurity incidents in real time?

SEC filings drop daily—and breaches often get buried in boilerplate or filed late. Use BreachTrigger's intelligent 8-K monitoring to:

  • Catch Item 1.05 and 8.01 cybersecurity filings as they post (same day, via API or email alerts).
  • Flag amendments that upgrade materiality or change scope.
  • Track competitor and customer disclosures in real time—critical for MSSP account managers and cyber-insurance underwriters who need to act before claims or SLA reviews.
  • Integrate with your workflow (Slack, email, or ticketing system) so your IR, legal, and underwriting teams don't miss filing deadlines or competitive intelligence.

Key Takeaways

  • Item 1.05 vs. Item 8.01: Material breaches require Item 1.05 within 4 business days; non-material or investigative updates use Item 8.01 with more flexibility.
  • Strong disclosure includes: Specific dates, affected data types and counts, financial quantification, remediation timeline, and named third-party vendors.
  • Weak disclosure hides: Vague scope, missing costs, "immaterial" assertions made too early, or delayed amendments that suggest underestimation.
  • Amendments signal: Incomplete initial assessment, investor pressure, or regulatory requests to upgrade transparency.
  • Benchmark competitors: Use BreachTrigger to monitor peer filings, track amendment patterns, and refine your own materiality thresholds before an incident hits.

Disclaimer: This post is informational only and does not constitute legal, financial, or investment advice. SEC 8-K filings are public documents; always verify against the original SEC EDGAR filing and consult your legal and compliance teams before acting on disclosure information. Materiality determinations are fact-specific and should be made with in-house legal counsel and external auditors.


Start monitoring 8-K cybersecurity filings today. Sign up for BreachTrigger alerts and stay ahead of material disclosures from competitors, customers, and vendors.

8-K Cybersecurity Incident Disclosure Examples: What Real Filings Look Like in 2026