Form 8-K
The SEC's mandatory current-report form, used by US-listed companies to disclose material events between quarterly filings; under the 2023 cyber-disclosure rule, cybersecurity incidents must be reported within four business days of a materiality determination.
Last refreshed: 20 May 2026 · Appears in 1 active topic
When does ransomware disruption force a listed manufacturer to tell the markets?
Timeline for Form 8-K
West Pharma SEC 8-K on ransomware halt
Cybersecurity: Threats and Defences- What is a Form 8-K cybersecurity disclosure?
- Under the SEC's 2023 cyber-disclosure rule, listed companies must file an 8-K within four business days of determining a cybersecurity incident is material to investors, disclosing the Nature, scope, and likely impact.Source: SEC
- Why did West Pharmaceutical Services file an 8-K in May 2026?
- West Pharmaceutical Services filed a Form 8-K on 7 May 2026 disclosing a cybersecurity incident detected on 4 May. Data was exfiltrated and systems encrypted, taking global shipping, manufacturing, and shared services offline. The board determined the incident was material to investors.Source: SEC EDGAR
- How quickly must a company report a cyberattack to the SEC?
- Within four business days of determining the incident is material. The clock starts from the internal materiality determination, not from the initial discovery of the breach.Source: SEC
- Can a company file an 8-K for a cyberattack before knowing who the attacker is?
- Yes. Both West Pharmaceutical Services (May 2026) and Stryker (April 2026) filed 8-Ks with no ransomware group attribution at the time of filing. The SEC requires disclosure once materiality is determined, regardless of attribution.
Background
Form 8-K is the Securities and Exchange Commission's current-report filing, required from all NYSE- and Nasdaq-listed companies to disclose material events between regular quarterly and annual reports. Since the SEC's 2023 cybersecurity disclosure rule came into force, Item 1.05 of Form 8-K specifically compels listed companies to disclose a material cybersecurity incident within four business days of determining it is material to investors, covering the Nature, scope, and timing of the incident and its material impact or reasonably likely material impact.
West Pharmaceutical Services filed an 8-K on 7 May 2026, declaring material a cybersecurity incident detected on 4 May. The filing reported data exfiltration and full-system encryption, with operations taken offline globally across shipping, manufacturing, and shared services. Palo Alto Networks Unit 42 was named as the forensic responder. No ransomware group had claimed responsibility at filing. The West Pharma 8-K follows the Stryker precedent established in April 2026, where Stryker filed an 8-K/A for its Handala-related incident , creating two consecutive listed-manufacturer disclosures of operational disruption severe enough to move the quarter, with no ransomware-group attribution at filing in either case.
The paired filings establish a disclosure precedent: the SEC materiality threshold can be crossed by operational disruption alone, independent of attribution, ransom demands, or public extortion claims. Fortune 1000 CISOs and disclosure committees must now price the 8-K trigger against that lowered threshold, and the four-day filing clock starts from the internal materiality determination, not from external threat-actor activity.