Let’s start with the data, then the analysis.

Source:
Notes on the data:
- A material cyber incident should be reported in an 8K as an Item 1.05. The SEC also encourages reporting of cyber attacks that are immaterial or pending material determination in an 8K as Item 8.01.
- There were seven 8Ks filed as Item 1.05 in the first two quarters of 2025. Three were filed in error (Nucor, Sensata Technologies Holdings, and Englobal): each stated in its 8K Item 1.05 that the cyber incident would not have a material impact.
- Approximately 5500 of the 8300 SEC registrants are listed on the NYSE or NASDAQ.
Four Material Incidents
United Natural Foods: The most famous US incident in the OT security community this year, as it affected their ordering and invoicing systems and stopped or delayed deliveries. Hard numbers will be available in their quarterly report this month. Their stock price is down 27% since the incident was announced on June 6th.
Interesting quotes from the 8K:
- “management believes that the incident is reasonably likely to have a material impact on the Company’s net income/(loss) and adjusted EBITDA”
- “The Company holds cybersecurity insurance that it currently expects will be adequate for the incident, and expects that the full claim and settlement process will extend into its 2026 fiscal year.”
Coinbase: A FinTech / Financial Services company that does not use OT to produce a product or service.
Conduent: This company provides services to a variety of companies and includes services related to manufacturing and other sectors with OT systems. The key quote from the 8K: “While the Company did not experience material impacts to its operating environment or costs from the event itself, the Company has incurred and accrued material non-recurring expenses in the first quarter related to the event based on potential notification requirements.” This was later reported to be $25M in direct costs to respond to the incident.
Lee Enterprises: Produces print and digital newspapers and other media as well as media services. The incident caused outages and delays in printing media, which comprises half of their revenue and is controlled by OT systems. Key quote: “Distribution of print publications across our portfolio of products experienced delays”.
Lee Enterprises “incurred $1,900,000 of expenses related to the Cyber Incident”. They have cyber insurance with a $500,000 deductible. A claim has been filed. The incident caused a short-term liquidity issue that required a 3-month delay of interest payments to their lender.
Analysis Of The Data Set
This is a very clean set of incident data on a defined population (SEC registrants). They legally have to report cyber incidents with a material impact. When a cyber incident is determined to be material, the financial impact is reported in subsequent quarterly reports (10-Qs). We have the number of incidents and the financial impact of each incident. And we are likely to learn how much of the financial impact was covered by insurance.
In the first half of the year, cyber incidents caused a material impact on three companies with OT involved in their product or service. The financial impact is $25M, $1.9M, and TBA.
The data set on all cyber incidents in SEC registrants is less clean. The trend is to issue an 8K on all but small cyber incidents to reduce or avoid regulatory risk. As in many areas, over-reporting is viewed as carrying less regulatory and shareholder lawsuit risk. Still, this cannot be viewed as a complete data set since disclosure is voluntary.
More importantly, the financial impact is not typically reported if the cyber incident is not material.
I’ll follow this up with a similar year-end analysis in January. If someone wants to do the work to go through Q3 2023 to Q4 2024, I’ll share a link to that work. The Cybersecurity Incident Tracker is of great assistance, and hopefully accurate, as it was the source I used.