Data breaches dominate cyber filings.
37% of filings confirmed data exfiltration — more than ransomware (21%) and intrusions-without-exfiltration (27%) combined.
Markets price cyber disclosures.
41 of 61 filings (67%) traded down in the 5 trading days after an Item 1.05 8-K. Median move -2.4%; outlier drops beyond -15%.
Companies rewrite their cyber risk factors every time.
100% of the 40 filings with both a pre-incident 10-K and a post-incident 10-K/Q had substantive cyber risk-factor changes. 88% explicitly reference the specific incident.
Operational disruption is the norm.
69% of filings report that the incident disrupted business operations — systems offline, order processing halted, manufacturing delays.
Named attribution is vanishingly rare.
Only 1 of 70 filings named a specific threat actor — filers overwhelmingly prefer generic descriptors to named groups.
Compliance looks strong when measured correctly.
The SEC's 4-business-day clock starts at the materiality determination, not discovery. Of the 11 filings that disclose the materiality date, 82% filed within the window.
1. Incident type mix
The data_breach / unauthorized_access split is the most consequential classification in the dataset. Exfiltration triggers customer notification, state AG filings, and class action exposure in ways that uncorroborated access does not.
2. Filing cadence
Adoption peaked in Q1 2024 (15 filings) as the rule took effect, then settled to a steady ~2-3 incidents per month through 2026.