Data breaches dominate cyber filings.
37% of filings confirmed data exfiltration — more than ransomware (21%) and intrusions-without-exfiltration (27%) combined.
Markets price cyber disclosures.
41 of 61 filings (67%) traded down in the 5 trading days after an Item 1.05 8-K. Median move -2.4%; outlier drops beyond -15%.
Companies rewrite their cyber risk factors every time.
100% of the 40 filings with both a pre-incident 10-K and a post-incident 10-K/Q had substantive cyber risk-factor changes. 88% explicitly reference the specific incident.
Operational disruption is the norm.
69% of filings report that the incident disrupted business operations — systems offline, order processing halted, manufacturing delays.
Named attribution is vanishingly rare.
Only 1 of 70 filings named a specific threat actor — filers overwhelmingly prefer generic descriptors to named groups.
Compliance looks strong when measured correctly.
The SEC's 4-business-day clock starts at the materiality determination, not discovery. Of the 11 filings that disclose the materiality date, 82% filed within the window.
1. Incident type mix
The data_breach / unauthorized_access split is the most consequential classification in the dataset. Exfiltration triggers customer notification, state AG filings, and class action exposure in ways that uncorroborated access does not.
2. Filing cadence
Adoption peaked in Q1 2024 (15 filings) as the rule took effect, then settled to a steady ~2-3 incidents per month through 2026.
3. Data categories exposed
How often each category of sensitive data was reported as affected. Silent filings (not disclosing category) are excluded. "None disclosed" filings explicitly state no data was accessed — a useful signal for defenders tracking intrusion-only vs. data-theft incidents.
4. Operational disruption & remediation
48 of 70 filings (69%) report that the incident disrupted business operations. Most filings still show the incident ongoing or under investigation at disclosure time — consistent with the SEC's intent that disclosure happen during the incident window, not after it wraps up.
5. Disclosure timing
The histogram below shows how long companies take between discovering an incident and filing the 8-K. Median is 12 days, meaning half of filers take more than two weeks — well outside the 4-business-day SEC rule as commonly understood. Note: the rule's clock actually starts at the materiality determination, not discovery, so this histogram describes operational tempo, not compliance.
* The 4-day SEC rule applies from materiality determination, not discovery. When filers disclose the materiality date (11 filings do), 82% fall within the rule window.
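The distinction between discovery lag and rule compliance can be computed directly. The following is an added example, not code from the original report: it measures both clocks for the Bitcoin Depot filing summarized later on this page (discovered March 23, 2026; determined material April 6, 2026; filed 2026-04-08) and for two constructed cases. The function names, the business-day counting convention, and the omission of federal holidays are assumptions.

```python
from datetime import date, timedelta

WINDOW = 4  # business days allowed after the materiality determination

def business_days_after(start, end, holidays=frozenset()):
    """Business days after `start`, up to and including `end`.

    Assumed convention: the day after `start` is day 1; weekends are skipped.
    `holidays` is caller-supplied; none are modelled by default.
    """
    if end < start:
        raise ValueError("end precedes start")
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            count += 1
    return count

def assess_filing(discovered, filed, material=None, holidays=frozenset()):
    """Separate operational tempo (discovery lag) from rule compliance."""
    out = {
        "discovery_lag_days": (filed - discovered).days,  # calendar days
        "materiality_lag_bdays": None,
        "within_window": None,  # None: filing is silent on the materiality date
    }
    if material is not None:
        lag = business_days_after(material, filed, holidays)
        out["materiality_lag_bdays"] = lag
        out["within_window"] = lag <= WINDOW
    return out

# Dates from the Bitcoin Depot summary on this page.
BITCOIN_DEPOT = assess_filing(
    discovered=date(2026, 3, 23), filed=date(2026, 4, 8), material=date(2026, 4, 6))

# Constructed cases (not real filings): a late filer and a silent filer.
LATE = assess_filing(date(2026, 3, 23), date(2026, 4, 10), date(2026, 4, 3))
SILENT = assess_filing(date(2026, 3, 23), date(2026, 4, 10))

if __name__ == "__main__":
    for name, r in [("Bitcoin Depot", BITCOIN_DEPOT), ("late", LATE), ("silent", SILENT)]:
        print(name, r)
```

A filing that omits the materiality date yields `within_window: None`, which is why only the filings that disclose it can be scored against the rule.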
6. Market reaction
Cyber disclosures move prices. 41 of 61 filings traded down in the 5 trading days after the 8-K. Median t+5 return is -2.4%, and the distribution's left tail reaches below -20% in several cases.
Largest market-adjusted drops (t+5 vs SPY)
| Ticker | Filing date | t+5 | market-adj t+5 |
|---|---|---|---|
| ZCAR | 2025-06-13 | -55.6% | -55.3% |
| CCLD | 2026-03-27 | -15.0% | -17.1% |
| LEE | 2025-02-18 | -19.3% | -16.7% |
| UFPT | 2026-02-24 | -16.1% | -15.8% |
| FFIV | 2025-10-15 | -13.2% | -14.1% |
| BAFN | 2025-10-30 | -13.7% | -11.2% |
| RILY | 2024-04-08 | -13.1% | -10.4% |
| CPNG | 2025-12-16 | -7.8% | -9.2% |
7. Repeat filers
Companies with multiple Item 1.05 filings — most multi-filing chains are the same incident with amendments as the investigation progressed. First American, UnitedHealth, and Key Tronic each have three filings on a single incident.
| Company | Filings | First disclosure | Latest |
|---|---|---|---|
| First American Financial Corp | 3 | 2023-12-22 | 2024-01-12 |
| UNITEDHEALTH GROUP INC | 3 | 2024-02-22 | 2024-04-24 |
| KEY TRONIC CORP | 3 | 2024-05-10 | 2024-08-06 |
| V F CORP | 2 | 2023-12-18 | 2024-01-18 |
| MICROSOFT CORP | 2 | 2024-01-19 | 2024-03-08 |
| SouthState Corp | 2 | 2024-02-09 | 2024-03-29 |
| PRUDENTIAL FINANCIAL INC | 2 | 2024-02-13 | 2024-02-21 |
| Cencora, Inc. | 2 | 2024-02-27 | 2024-07-31 |
| MARINEMAX INC | 2 | 2024-03-12 | 2024-04-01 |
| BRANDYWINE OPERATING PARTNERSHIP, L.P. | 2 | 2024-05-07 | 2024-05-28 |
| SONIC AUTOMOTIVE INC | 2 | 2024-07-05 | 2024-08-05 |
| BASSETT FURNITURE INDUSTRIES INC | 2 | 2024-07-15 | 2024-08-06 |
| ENGLOBAL CORP | 2 | 2024-12-02 | 2025-01-27 |
| LEE ENTERPRISES, Inc | 2 | 2025-02-18 | 2025-03-06 |
| NUCOR CORP | 2 | 2025-05-14 | 2025-06-20 |
| DATA I/O CORP | 2 | 2025-08-21 | 2025-09-10 |
| WYTEC INTERNATIONAL INC | 2 | 2025-08-29 | 2026-02-03 |
| Coupang, Inc. | 2 | 2025-12-16 | 2025-12-29 |
| WEST PHARMACEUTICAL SERVICES INC | 2 | 2026-05-11 | 2026-05-20 |
8. Largest disclosures by length
Disclosure length is an imperfect but useful proxy for depth. These are the most thoroughly disclosed incidents in the corpus.
| Company | Filing date | Incident type | Characters |
|---|---|---|---|
| iLearningEngines, Inc. | 2024-11-18 | Business email compromise | 8,997 |
| Bitcoin Depot Inc. | 2026-04-08 | Unauthorized access | 7,188 |
| BRANDYWINE OPERATING PARTNERSHIP, L.P. | 2024-05-28 | Ransomware | 6,843 |
| UFP TECHNOLOGIES INC | 2026-02-24 | Data breach | 6,044 |
| Oncology Institute, Inc. | 2026-05-22 | Unauthorized access | 5,801 |
| NUCOR CORP | 2025-06-20 | Data breach | 5,465 |
| Hewlett Packard Enterprise Co | 2024-01-24 | Data breach | 5,227 |
| CONDUENT Inc | 2025-04-14 | Data breach | 4,939 |
| BASSETT FURNITURE INDUSTRIES INC | 2024-08-06 | Unauthorized access | 4,926 |
| Coinbase Global, Inc. | 2025-05-15 | Data breach | 4,717 |
9. Financial impact when disclosed
Only 17 of 70 filings put a dollar figure on the incident in the initial disclosure. Most filers defer quantification to later periodic filings.
Range: $250K – $1.2B
Median (when disclosed): $3M
10. How companies rewrite cyber risk factors after an incident
The most distinctive analytic signal in this dataset. For every cyber 8-K, we looked at the same company's 10-K cyber risk-factor language before the incident and after (in their next 10-K or 10-Q).
Of the 40 filings with both pre and post periodic filings available, every single one had substantive cyber risk-factor changes, and 35 (88%) explicitly reference the specific incident.
Most-added new threat themes
| Theme | Filings adding it |
|---|---|
| data exfiltration | 9 |
| operational disruption | 7 |
| regulatory penalties | 3 |
| lost sales impact | 3 |
| ransomware | 3 |
| malware | 3 |
| cyberterrorism | 3 |
| third-party cybersecurity experts | 2 |
| insider threats | 2 |
| unauthorized account access | 2 |
| fraud vulnerability | 2 |
| regulatory reporting interference | 2 |
| ongoing litigation risk | 2 |
| ai-enabled attacks | 2 |
| financial covenant breach | 2 |
AI-enabled attacks and nation-state attribution emerge as the two fastest-rising post-incident risk-factor themes across the corpus, even at companies where the specific incident wasn't AI-related or nation-state-attributed.
11. Notable incidents
Selected incidents with substantive disclosure depth. Summaries drawn from the filing text with every fact provenance-linked to its source sentence.
iLearningEngines, Inc. — 2024-11-18
Business email compromise · AILE
iLearningEngines disclosed that a threat actor illegally accessed its network environment, misdirected a $250,000 wire payment (unrecovered), and deleted email messages. The incident has been contained and a forensic firm engaged. The Company expects a material operational impact for Q4 2024 but not on full-year 2024 results. No specific threat actor was named.
Bitcoin Depot Inc. — 2026-04-08
Unauthorized access · BTM
On March 23, 2026, Bitcoin Depot Inc. discovered unauthorized access to its IT systems, during which the threat actor obtained credentials for digital asset settlement accounts and transferred approximately 50.903 Bitcoin (~$3.665 million) without authorization. The Company engaged cybersecurity experts and law enforcement, believes customer data was not affected, and determined the incident material on April 6, 2026. Investigation is ongoing.
Market reaction (t+5): +75.5% over t+5 trading days
On May 1, 2024, Brandywine Operating Partnership detected unauthorized third-party access to its IT systems, involving deployment of encryption (ransomware) and exfiltration of files containing personal information. Business applications including financial and operating reporting systems were disrupted. As of the filing date, the threat actor has been removed and affected information restored, though investigation into the scope of exfiltrated personal information remains ongoing.
Market reaction (t+5): +0.4% over t+5 trading days
UFP TECHNOLOGIES INC — 2026-02-24
Data breach · UFPT
On or about February 14, 2026, UFP Technologies detected suspicious activity on its IT systems. The company isolated affected systems, engaged external cybersecurity advisors, and believes the threat actor has been removed. Certain data was confirmed exfiltrated; the full scope of sensitive or personal information involved is still under investigation. Operations have continued in all material respects, and insurance is expected to cover a significant portion of direct costs.
Market reaction (t+5): -16.1% over t+5 trading days
Oncology Institute, Inc. — 2026-05-22
Unauthorized access · TOI
The Oncology Institute disclosed a cybersecurity incident involving unauthorized access to patient data through a third-party software service provider. Initially voluntarily disclosed in November 2025, the company confirmed on May 20, 2026 via Kroll (the vendor's third-party administrator) that patient personal information was affected. The incident also impacted other healthcare providers. Company operations were not materially disrupted; investigation remains ongoing.
12. What to watch
Filing volume has stabilized around 2-3 new incidents per month.
AI-enabled attacks are the fastest-emerging theme in post-incident risk-factor updates.
Supply-chain compromise appears as a new post-incident risk-factor theme even at companies not yet hit by one directly — pre-disclosure of the risk vector.
Disclosure lag is not closing. The median discovery-to-filing gap remains 12 days, unchanged since the rule took effect.