Incident Analysis

Two Years of Item 1.05: What the Notable 8-K Filings Tell Us

From UnitedHealth to AT&T to Snowflake's downstream effects, two years of Item 1.05 filings reveal patterns in materiality, vendor incidents, and update cadence.

Shadab Khan
Security Engineer

The first Item 1.05 8-K hit EDGAR within weeks of the rule's December 18, 2023 effective date. By the time the SEC staff opened its comment-letter sweep in May 2024, several dozen filings were live and a recognizable set of patterns had emerged. By early 2026, the corpus is large enough to study seriously. This post reviews a handful of the most-cited filings, the disclosure choices that drew SEC staff or market scrutiny, and what filers in 2026 should take from the cumulative experience. It does not attempt a comprehensive catalog; it walks through specific filings as case studies in materiality determination, update cadence, and supply chain disclosure.

What did UnitedHealth Group's filings teach about scope?

UnitedHealth Group filed its initial Item 1.05 8-K on February 22, 2024, disclosing that a "suspected nation-state associated cybersecurity threat actor" had gained access to information technology systems at Change Healthcare. The initial filing identified the immediate operational impact (disconnected systems, impacted services) and the company's response. Over the following months, the company filed multiple updates as new facts emerged: ransom payment confirmation, the scale of impacted individuals (eventually estimated at over 100 million), forensic findings on the initial access vector (compromised credentials, no MFA on the affected server), and updated financial impact disclosures running into the billions. The case became the de facto template for sustained Item 1.05(b) updates: filings every few weeks, each adding specific facts, all consistent with prior disclosures. The opposite anti-pattern — a single 8-K declaring an incident and never updating until a 10-Q — became materially harder to defend after the UnitedHealth experience.

What did AT&T's filings illustrate about staff comment letters?

AT&T filed an Item 1.05 8-K in March 2024 covering an incident involving an AT&T-owned third-party cloud platform that exposed data of approximately 73 million current and former customers. The SEC staff issued comment letters asking AT&T to expand its description of the nature and scope of the incident, including types of data compromised, categories of customers affected, and material impacts beyond financial — including reputational, legal, regulatory, operational, and competitive risks. AT&T's responses, visible in the SEC EDGAR correspondence file, illustrate how the staff probes disclosure adequacy in practice. The case became a reference point for what "material aspects of the nature, scope, and timing" means: not a one-paragraph acknowledgement, but a substantive description that allows investors to assess impact.

What did the Snowflake downstream filings reveal about supplier-incident disclosure?

In May and June 2024, multiple SEC registrants — Ticketmaster (Live Nation), Santander, Advance Auto Parts, and others — disclosed cyber events tied to credential-based access against their Snowflake tenants. None of the filings attributed root cause to Snowflake's infrastructure; the consensus root cause was credential reuse by individual tenant customers absent MFA enforcement. Filers wrestled with how to disclose an incident affecting a single customer's tenant of a multi-tenant SaaS without misleading investors about either the supplier or the customer's controls. The resulting filings tended to describe what was accessed and the affected data categories without making attribution claims the filer could not support. The episode also accelerated Snowflake's announcement of MFA-by-default for new accounts and an MFA enforcement push for existing accounts. For Item 1.05 purposes, the lesson was clear: vendor-tier incidents are filer-tier obligations, and the filer must be ready to disclose facts about its own configuration even when the headline names the SaaS.

How have filers handled materiality determination timelines?

The four-business-day clock starts on materiality determination, not on incident discovery. Filings reveal a range. Some filers determined materiality within days of discovery and filed inside the four-day window. Others took weeks, filing an Item 1.05 only after sustained forensic work and legal review confirmed material impact. The SEC has not publicly second-guessed materiality timing in most cases, but it has stressed in guidance that the determination must be made "without unreasonable delay" and that the analysis should be documented. Disclosure committee minutes capturing the materiality analysis — who participated, what facts were known, what was unknown, what the conclusion was — have become the operational artifact that supports timing decisions if challenged later.

What about Item 1.05 vs Item 8.01?

After the May 2024 SEC guidance, filers shifted incident disclosures of indeterminate or non-material status to Item 8.01 (Other Events). The ratio of 8.01 to 1.05 inverted: through the back half of 2024 and into 2025, more cybersecurity disclosures appeared under 8.01 than under 1.05. The line between the two is not always clean. A filer that issues an 8.01 disclosure may later determine materiality and need to switch to a 1.05 amendment or a fresh 1.05; case-by-case, filers have done both. The staff has generally not penalized 8.01 disclosure followed by 1.05 escalation when the underlying facts support the sequence. What it has questioned is 8.01 disclosure that obviously should have been 1.05 from the outset.

# Item 1.05 filing decision rubric (2026 practice)
1. Has materiality been affirmatively determined?
   - Yes → Item 1.05 within 4 business days, even if facts incomplete
   - No → Item 8.01 if voluntary disclosure desired; refresh assessment regularly
   - Possibly → document the materiality analysis, file 1.05 when threshold met

2. Are facts sufficient for substantive disclosure?
   - Nature: type of incident in plain terms
   - Scope: business unit, data categories, system status
   - Timing: discovery, determination, response milestones
   - Material impact: financial, operational, legal, reputational, competitive

3. Cadence of updates planned?
   - Every 2-4 weeks until incident closed
   - Each update self-contained but consistent with prior filings

4. Linkage to vendor or supply chain incident?
   - Yes → describe filer's own configuration and exposure
   - Avoid attribution claims the filer cannot support

What about the public-private interaction with regulators?

Some Item 1.05 filings explicitly note ongoing engagement with the FBI, CISA, or state attorneys general. Others omit those references for confidentiality reasons. The rule's text allows a delay of disclosure if the Attorney General determines disclosure poses a substantial risk to national security or public safety, but the delay mechanism has been used sparingly. UnitedHealth and several other filers have publicly described engagement with federal incident-response coordination without invoking the formal delay mechanism. The takeaway: regulator engagement should be disclosed when it is material to the incident response narrative, but the formal delay tool is not a routine option.

What patterns will probably define the next year of filings?

Three predictions. First, AI-related incident disclosures will rise — both because AI systems are deployed in more places and because AI-specific failure modes (prompt injection leading to data exfiltration, model-driven autonomous action with downstream harms) are entering the threat landscape. Second, supply chain incident filings will continue to dominate; the supplier-as-vector trend in 2024-2025 will continue through 2026. Third, the integration of Item 1.05 with CIRCIA reporting (once finalized) will reshape disclosure timing: the CIRCIA 72-hour clock starts on "reasonable belief," well before materiality determination, so filers will increasingly have a CISA report filed before they know whether 1.05 applies.

How Safeguard Helps

Safeguard provides the SBOM, dependency graph, and vendor-risk inventory that lets a filer build a defensible disclosure picture quickly when an incident — internal or supplier-tier — surfaces. Griffin AI cross-references incident indicators with KEV entries, vendor advisories, and VEX statements to surface reachability and exposure facts the disclosure committee can take into a materiality discussion. TPRM workflows track vendor notification obligations and incident-cooperation clauses, ensuring that when a SaaS supplier is implicated the filer has a contractual basis to demand facts. Policy gates can also enforce documentation of vendor configuration baselines (MFA enforced, network controls active, evidence retained) so the filer's own posture is itself defensible if the disclosure ends up referencing a supplier event.
