Updated 2026-04-23

Two years of Item 1.05. What Form 8-K cyber filings say, and the seven things they never say.

We read every Item 1.05 8-K filed from December 2023 through April 2026. This post covers what the filings actually contain, the seven things they deliberately never say (threat actor, ransom payment, root-cause vector, specific systems, record count, insurance recovery, CISO accountability), the amendment problem, the small-cap gap, and four practical read-outs for vendors, buyers, boards, and pre-IPO companies.

Phillip (Tre) Bucchi · Founder, Valtik Studios. Penetration tester.

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

# Two years of Item 1.05. What public companies actually write when ransomware hits, and the seven things they never say.

The SEC's cybersecurity disclosure rule hit its two-and-a-half-year anniversary in April 2026. Item 1.05 of Form 8-K is now a settled corpus. Every public company that has had a material cyber incident since December 2023 has had to write one of these disclosures, and the professional legal-review shop around them has hardened into a recognizable template.

The aggregate ledger is quietly one of the most interesting datasets in US cybersecurity. It is more or less a public map of which large, regulated, investor-facing companies got breached badly enough to reach materiality, which industries are getting hit, how fast they disclose, and what their outside counsel will and will not let them say.

We pulled every Item 1.05 and 1.05-amendment 8-K on EDGAR from December 2023 through April 2026 and read the corpus. Here is what the filings actually look like, what they deliberately leave out, and how to read between the lines when your board or your customer asks about a counterparty that just filed one.

The rule, briefly

Adopted July 26 2023. Effective for large accelerated filers on December 18 2023. Everyone else on June 15 2024. Item 1.05 requires a current report on Form 8-K within four business days of the registrant determining that a cybersecurity incident is material. The filing has to describe the material aspects of the nature, scope, and timing of the incident, plus the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

Three things about the rule text that the casual reader misses.

First, the clock starts at materiality determination, not at discovery. A company can know about an incident for weeks before "determining" it is material, and many of them do. The rule requires the determination to be made "without unreasonable delay," which is the vaguest standard in federal securities law outside of Rule 10b-5.

Second, Item 1.05 explicitly permits delay of the disclosure if the US Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety. The AG has granted a handful of delays. The DOJ published criteria for them in December 2023. A company citing that delay in its later filing is a tell that something meaningful happened with federal investigators.

Third, the rule is registrant-focused. The incident has to be material to the registrant, not to its customers, its data subjects, or the broader supply chain. This is the single biggest structural misalignment between the SEC regime and the HIPAA / state breach-notification regimes. An incident can affect five million people and be non-material to a multi-billion-dollar registrant, and it is legal not to file an 8-K about it.

What the corpus looks like

Counting everything filed from December 2023 through mid-April 2026, we find roughly 320 distinct registrants that have filed at least one 8-K referencing Item 1.05. That is about twelve per month after the initial-compliance ramp. The number climbed steadily through 2024, plateaued in mid-2025, and is running slightly higher in early 2026 as ransomware groups have shifted targeting toward mid-cap registrants.

The industry distribution matters.

Financial and insurance registrants (SIC 6000-6999) are the largest single slice at roughly 22% of filings. That is partly a real signal (banks and insurers are heavily targeted) and partly a regulatory-environment signal: this sector has the most overlapping disclosure obligations (NYDFS 500.17, GLBA Safeguards, state insurance-commissioner rules), so the materiality bar is crossed faster because downstream regulatory filings are already happening.

Industrial machinery and equipment manufacturers (SIC 3500-3599) come in second at about 14%. Rank-and-file manufacturing companies are a preferred ransomware target because they have older flat networks and less security headcount, and when the OT environment is affected, the impact metrics are easy to quantify for the materiality analysis.

Technology, software, and IT services (SIC 7370-7389) is the third-largest cluster at 11%, dominated by SaaS platform providers whose customers depend on continuous uptime. This is the cluster where a single well-placed breach can cascade into hundreds of customer disclosures, most of which never reach the parent SaaS vendor's own 8-K because the incident was not material to the vendor at its scale.

Healthcare (SIC 8000-8099) is, surprisingly, only 6% of the corpus. That is not because healthcare breaches are rare. Healthcare is dominated by non-public entities (private hospital systems, physician groups, payor subsidiaries) that file with HHS OCR instead. The public healthcare names in the Item 1.05 ledger are the publicly traded pharma, biotech, medical-device, and managed-care tickers.

The rest of the corpus spreads thin. Retail, aerospace, defense electronics, transportation, professional services, consumer products. Every sector has at least a few.

What the filings actually say

Reading the corpus end-to-end reveals a template. A plurality of Item 1.05 8-Ks contain some version of these seven paragraphs:

  1. A dated statement that the registrant identified unauthorized activity on its network (or its IT environment, or its information systems) on a specific date. The exact phrasing varies by counsel, but the general sentence is "On [date], the Company detected a cybersecurity incident on its information technology systems."

  2. A summary of the initial response: isolated systems, engaged third-party forensics, engaged law enforcement, activated incident-response plan. This paragraph is where every filing name-checks "leading forensic cybersecurity firm" or "leading external cybersecurity experts" without naming them. The firms being referenced in private are almost always Mandiant, CrowdStrike Services, Unit 42, Kroll, or Stroz.

  3. A statement about whether the incident has been contained. The language here separates filings into two useful tiers. "The incident has been contained" means the attacker no longer has active access. "The Company is working to contain the incident" means they still have a problem.

  4. A statement about operational impact. This is where you read between the lines hardest. "The incident has not had a material impact on operations" is the polite form of "we had to take a few things down but we're still running the rest of the business." "The Company temporarily took certain systems offline as a precautionary measure" means they shut down production. "Certain business operations are not currently available" means they shut down customer-facing services.

  5. A statement about data access or exfiltration. "The investigation is ongoing, and it is too early to determine the nature or scope of any data that may have been accessed" is present in most early filings. It is a placeholder. It is almost always replaced in a later 8-K/A amendment with a more specific statement, usually acknowledging that yes, data was taken.

  6. A materiality statement, in one of two forms. Either: "The Company does not believe, at this time, that the incident will have a material impact on the Company's business, operations, or financial condition," or: "The Company is continuing to assess the potential impact on its financial condition and results of operations." The second form is the honest one. The first is a hedge.

  7. A forward-looking-statement disclaimer, heavy on boilerplate, that exists mostly to protect the disclosure from later securities-litigation second-guessing.

The more interesting filings deviate from the template. A medical device manufacturer might include a paragraph about specific production lines affected. An insurance company might include a statement about regulatory cooperation. A software platform might note which customer-facing systems were disrupted.
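Here is an added Python triage helper, our own illustration rather than code from the post or from the sec-item-1-05-tracker tool, that maps the template phrases above onto the tiers the post describes so a counterparty watchlist can score a filing mechanically. The narrative it runs on is constructed from the template, not a real filing.

```python
import re

# Ordered (label, pattern) tiers; the first pattern that matches wins.
# The phrases are the template language the post describes; the patterns
# are deliberately loose triage signals, not legal conclusions.
CONTAINMENT = [
    ("contained", r"(?:has|have) been contained"),
    ("uncontained", r"working to contain"),
]
OPERATIONS = [  # most severe tier first
    ("customer-facing outage", r"not currently available"),
    ("production shutdown", r"took certain systems offline"),
    ("limited", r"not had a material impact on (?:its )?operations"),
]
MATERIALITY = [
    ("hedge", r"does not believe.{0,80}material impact"),
    ("still assessing", r"continuing to assess"),
]
SCOPE_PLACEHOLDER = re.compile(r"too early to determine", re.I)
AG_DELAY = re.compile(r"Attorney General", re.I)
DETECTED = re.compile(
    r"On ([A-Z][a-z]+ \d{1,2}, \d{4}),? the Company "
    r"(?:detected|identified|became aware of)", re.I)


def first_match(text: str, tiers: list) -> str:
    for label, pattern in tiers:
        if re.search(pattern, text, re.I):
            return label
    return "unstated"


def triage(filing_text: str) -> dict:
    """Reduce an Item 1.05 narrative to the signals a vendor watchlist tracks."""
    text = " ".join(filing_text.split())  # collapse line breaks and runs of spaces
    m = DETECTED.search(text)
    return {
        "detected_on": m.group(1) if m else None,
        "containment": first_match(text, CONTAINMENT),
        "operations": first_match(text, OPERATIONS),
        "materiality": first_match(text, MATERIALITY),
        "scope_placeholder": bool(SCOPE_PLACEHOLDER.search(text)),
        "ag_delay_cited": bool(AG_DELAY.search(text)),
    }


# Constructed sample narrative assembled from the template; not a real filing.
SAMPLE = """On March 3, 2025, the Company detected a cybersecurity incident
on its information technology systems. The Company activated its incident
response plan, engaged leading external cybersecurity experts, and notified
law enforcement. The Company is working to contain the incident and
temporarily took certain systems offline as a precautionary measure. The
investigation is ongoing, and it is too early to determine the nature or
scope of any data that may have been accessed. The Company is continuing
to assess the potential impact on its financial condition and results of
operations."""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:>18}: {value}")
```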

The seven things Item 1.05 filings never say

There are consistent gaps in what companies disclose, even in detailed filings. These are the questions a sophisticated investor, counterparty, or customer has to answer from inference and external reporting rather than from the 8-K itself.

1. Which ransomware crew, or which threat actor

Almost no Item 1.05 filing names the attacker. Exceptions exist when DOJ indicts or sanctions are pending, and in a handful of cases where the threat group listed the victim on a leak site before the 8-K landed. Otherwise the filing will say "threat actor" or "unauthorized third party" in the abstract and nothing else.

The reason is legal, not evidentiary. Naming an attacker in a public filing creates defamation exposure (if you're wrong) and tipping-off risk (if DOJ is working the case). It also shortens the time to ransom-negotiation disclosure, which public companies prefer to never confirm in writing.

If you want to know the actor, read the ransomware group's leak site directly, or check DFIR-Report, Recorded Future, or the CISA advisories, which name the groups openly.

2. Whether a ransom was paid

Companies almost never state this. The filings that do tend to negate: "The Company did not pay a ransom." Affirmative confirmations of payment are vanishingly rare, partly because OFAC sanctions exposure creates liability for paying sanctioned groups, partly because SEC enforcement in 2024-2025 has leaned on cases where payment details mattered to the materiality analysis.

The tell is usually in the 10-Q after the incident. Look for unusual "cybersecurity incident response costs" line items and see if they cluster around a ransom-ish number. Also look at the restoration timeline. Rapid decryption after exfil without backups in place is a payment tell.

3. The root cause vulnerability or entry vector

The filings almost uniformly describe the incident without describing how the attacker got in. "Unauthorized access to the Company's network" does not tell you whether it was a phishing click, an external VPN exploit, a compromised third-party vendor, or an internal employee's stolen credentials. All four are in the corpus, but you cannot tell them apart from the 8-K text.

CISA, Mandiant's M-Trends report, and the Verizon DBIR are the backfill sources here. In aggregate the 2024-2025 mix is still roughly: phishing / social engineering 30%, external-facing vulnerability exploitation 25%, compromised third-party 20%, stolen credentials used directly 15%, misconfiguration 10%.

4. Which specific systems, networks, or customers were impacted

Filings use elastic language. "Certain systems" or "portions of the Company's network" or "certain business operations." A specific fact like "our AWS prod tenant in us-east-1" is almost never in an 8-K. A customer trying to figure out whether their data was on the affected side of the blast radius has to ask directly, often under NDA, because the 8-K doesn't carry that detail.

5. The number of affected individuals or records

Item 1.05 does not require a count. HIPAA breach notifications do. State AG breach notifications usually do. But the 8-K itself is silent on individual impact in most cases. The reason is that at the time of filing, especially in the initial 8-K inside the four-day window, the count genuinely is not known. The 8-K/A amendments that come later sometimes include it, sometimes don't.

If you want a count, cross-reference the 8-K to any state AG notifications or HIPAA OCR filings from the same registrant around the same dates.

6. The cyber insurance recovery

Almost no filing discusses insurance recovery in the Item 1.05 8-K. It may appear in the subsequent 10-Q's MD&A, and sometimes in a separate 8-K if there is a dispute. But the initial disclosure is silent. Insurance coverage can dramatically change the materiality analysis (a $50M incident with $45M of coverage is arguably less material than a $5M incident with no coverage), but you do not learn this from the 8-K.

7. Any board oversight or CISO accountability action

Some incidents end careers. The 8-K never says so. Departures of CISOs, CIOs, and occasionally CEOs in the wake of incidents are disclosed as standard Item 5.02 executive-departure filings months later, with boilerplate language about pursuing other interests. The link between the incident and the departure is almost always inferable from the calendar.

The amendment problem

The SEC amended Item 1.05 on December 14 2023 with the original rulemaking, and again through interpretive guidance in July 2024. The practical effect is that the initial 8-K often gets amended one or more times as the investigation progresses. Item 1.05-type 8-K/A amendments are now roughly 20% of the filing count, meaning one in five initial disclosures is updated within 30 to 180 days.

The most common amendment triggers are:

  1. Expanded understanding of the data access scope. Initial filings that said "it is too early to determine scope" get replaced with acknowledgment that specific categories of data were exfiltrated.

  2. Escalation of the materiality conclusion. A handful of filings have moved from "we do not believe this is material" to an effective acknowledgment of material impact in the amended filing, which is a very difficult mid-course correction from a litigation standpoint.

  3. Attribution. When DOJ or Treasury publicly names a threat actor, amendments sometimes follow.

  4. Insurance recovery updates. Rare in the 8-K; more common in the 10-Q.

The absence of an amendment is not a signal of completeness. Many 2024 filings that should have been amended based on later-known facts never were. The company's outside counsel is making a risk-reward call on each amendment and they don't always publish.

The small-cap gap

Item 1.05 has a built-in undercount problem. Smaller reporting companies got a 180-day delay on the compliance date and are permitted to redact trade-secret cyber incident details more aggressively. The practical result is that small-cap filings are often much shorter and less informative than large-cap filings covering incidents of similar seriousness.

The SEC has flagged this as an enforcement priority in 2025-2026. Expect more "failure to timely disclose" enforcement actions against small caps in the next 12-18 months. The early enforcement precedents (SolarWinds, Blackbaud) established that saying the wrong thing is dangerous. The next wave will establish that saying too little is also dangerous.

What to do with this data as a buyer, vendor, or board member

Four practical read-outs.

If you're evaluating a vendor or acquisition target

Pull every 8-K they have filed in the last 36 months and check for Item 1.05 in any section. Read the full text. Look specifically for amendments and for the transition from "it is too early to determine" to "we have determined."

Cross-reference to their 10-K risk factors. If the 10-K section 1A added a new cyber risk factor after a filing, that is a signal that internal counsel considered the incident material enough to repaper the permanent disclosure.

Check their DEF 14A proxy for changes to the board's cyber oversight committee after an incident. Board-level accountability changes are often a better tell than the incident disclosure itself.

If you're on a buyer-company CISO team reviewing counterparties

Build an internal watchlist of every vendor that has filed Item 1.05 and track amendments. A vendor that filed once and has been silent for 12 months is usually healthier than a vendor that has filed twice or that amended its disclosure with worse news.

Ask your vendor directly for the specific systems and customer segments impacted in any disclosed incident. They may or may not tell you, but the quality of their response is itself a security-maturity tell.

If you're on a public-company board or audit committee

The most common Item 1.05 failure mode is slow materiality determination, not the four-day disclosure clock. Your materiality-assessment framework should have named decision-makers, explicit trigger thresholds, and a documented meeting cadence, not a nebulous "we'll assess when it happens" plan. If your incident response plan doesn't have a dedicated materiality-determination workstream with the general counsel, chief legal officer, and audit committee chair in it, rebuild it this quarter.

The inference a plaintiffs' bar attorney will make from a delayed materiality determination is that you were dragging your feet to protect the stock price. That is a bad inference to invite.

If you are a mid-market company that will IPO or go public in the next three years

The Item 1.05 regime attaches to you on the day you become a reporting company. Every incident you've had up to that point is in scope to the extent it informs your 10-K risk factors. Start papering your incident response now as if you were already filing. Your eventual underwriters will thank you, and your pre-IPO due diligence will not be a painful surprise.

What this means for mid-market, pre-public companies

The Item 1.05 corpus is a leading indicator for mid-market security priorities. The public companies that have filed are, roughly, the large-cap early adopters of the controls that mid-market companies will be expected to have in place over the next five years.

The specific investments we see paying off in the Item 1.05 corpus are:

  • External-facing asset management good enough to know within hours what an attacker touched.
  • Endpoint detection with 24x7 SOC monitoring, either in-house or through an MSSP.
  • Network segmentation tight enough that lateral movement can be described concretely in the 8-K (we contained the incident to a specific segment) rather than evasively (the investigation is ongoing).
  • A legal-and-communications incident response playbook with pre-drafted 8-K language and named decision-makers.
  • Cyber insurance with clear scope, because post-incident coverage disputes become material events of their own.

All five of these are within reach of a mid-market CISO with a seven-figure budget. None of them require the nine-figure budgets that large-cap public companies deploy. The 8-K corpus is, read correctly, a shopping list of what actually gets said versus what falls out of the disclosure because the control was missing.

The bottom line

Two and a half years into the SEC rule, the aggregate ledger is dense, specific, and still underused. Most security teams read their own industry's filings. Few read the full corpus. Doing so gives you a clear picture of what the SEC will and will not accept as sufficient disclosure, what materiality determinations look like in practice, and where the failure modes cluster.

The filings tell you less than you want about what actually happened in any individual incident. They tell you a lot about the overall state of US public-company cybersecurity, which is that most companies can respond competently to a material incident and disclose it within the four-day window if they have prepared, and that the ones who get in enforcement trouble are the ones who didn't prepare. Preparation is not glamorous. It is a checklist. The checklist is now, two and a half years in, well-understood.

If you're a public company without that checklist in writing, we build them as a fixed-fee engagement. If you're a private company on an IPO path, the same checklist applies, and we have the pre-public version on the services page. And if you're a board member trying to figure out whether your team is ready, the four diligence questions in the section above are a good place to start.

The OSS tool that powered this analysis

We built and published the tool we used to collect every Item 1.05 filing for this analysis. sec-item-1-05-tracker polls EDGAR's full-text search API, deduplicates against a local cache, and emits a JSON feed plus an RSS 2.0 feed that any SIEM, vendor-risk platform, or board-reporting tool can subscribe to. Zero API key required, MIT licensed, pure Python stdlib.

Install: pipx install git+https://github.com/TreRB/sec-item-1-05-tracker

Source: github.com/TreRB/sec-item-1-05-tracker

Point it at a cron job and you have a live feed of every material-cyber-incident disclosure as it lands on EDGAR.
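As an added example (our own illustration, not the tracker's source code), here is the core of the poll, dedupe and emit loop described above, plus the per-registrant date filter from the vendor-diligence read-out. It assumes an EDGAR full-text search response shaped as an Elasticsearch-style hits list whose `_id` is `accession:document`, and it runs against a constructed sample rather than fetching anything.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import format_datetime
# Assumed EDGAR full-text search query (not fetched here; SAMPLE_RESPONSE stands in for
# its JSON). The hit layout ("hits" list, "_id" = accession:document) is also assumed.
EFTS_QUERY = "https://efts.sec.gov/LatestSearch/Index?q=%22Item%201.05%22&forms=8-K%2C8-K%2FA"
ARCHIVE = "https://www.sec.gov/Archives/edgar/data/{cik}/{acc}/{doc}"

def parse_hits(payload: dict) -> list[dict]:
    """Flatten search hits to one record per filing document."""
    records = []
    for hit in payload["hits"]["hits"]:
        accession, _, doc = hit["_id"].partition(":")
        src = hit["_source"]
        records.append({"accession": accession, "cik": src["ciks"][0], "form": src["form"],
                        "registrant": src["display_names"][0], "filed": src["file_date"],
                        "url": ARCHIVE.format(cik=int(src["ciks"][0]),
                                              acc=accession.replace("-", ""), doc=doc)})
    return records

def new_filings(records: list[dict], seen: set) -> list[dict]:
    """One record per accession, skipping cached ones; this also collapses exhibit hits."""
    fresh = []
    for rec in records:
        if rec["accession"] not in seen:
            seen.add(rec["accession"])
            fresh.append(rec)
    return fresh

def for_registrant(records: list[dict], cik: str, since: str) -> list[dict]:
    """Diligence view: one registrant's filings on or after an ISO date."""
    return [r for r in records if r["cik"] == cik and r["filed"] >= since]

def build_rss(records: list[dict], title: str = "Item 1.05 8-K filings") -> str:
    """Emit RSS 2.0; the accession number is the stable, non-URL guid."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "link").text = EFTS_QUERY
    ET.SubElement(channel, "description").text = "Material cybersecurity incident disclosures"
    for rec in records:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = f"{rec['registrant']} {rec['form']} filed {rec['filed']}"
        ET.SubElement(item, "link").text = rec["url"]
        ET.SubElement(item, "guid", isPermaLink="false").text = rec["accession"]
        filed = datetime.strptime(rec["filed"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        ET.SubElement(item, "pubDate").text = format_datetime(filed)
    return ET.tostring(rss, encoding="unicode")

def _hit(acc, doc, cik, name, form, date):  # builds one constructed search hit
    return {"_id": f"{acc}:{doc}", "_source": {"ciks": [cik], "display_names": [name],
                                               "form": form, "file_date": date}}

# Constructed sample (not real filings): two documents of one 8-K, a later 8-K/A
# from the same registrant, and an older 8-K from another registrant.
SAMPLE_RESPONSE = {"hits": {"hits": [
    _hit("0000000000-25-000101", "main8k.htm", "0000000001", "Example Corp", "8-K", "2025-03-07"),
    _hit("0000000000-25-000101", "ex99-1.htm", "0000000001", "Example Corp", "8-K", "2025-03-07"),
    _hit("0000000000-25-000140", "main8ka.htm", "0000000001", "Example Corp", "8-K/A", "2025-05-02"),
    _hit("0000000000-24-000077", "main8k.htm", "0000000002", "Other Holdings", "8-K", "2024-11-19"),
]}}

if __name__ == "__main__":
    cache = {"0000000000-24-000077"}  # stands in for the tool's on-disk cache
    print(build_rss(new_filings(parse_hits(SAMPLE_RESPONSE), cache)))
```

In a real poll the cache set would be loaded from and written back to disk between runs, so only accession numbers not yet seen reach the feed.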

