River Financial Corporation, parent of River Bank & Trust in Prattville, Alabama, filed a material-incident 8-K with the US Securities and Exchange Commission on Thursday 25 June, disclosing a ransomware intrusion still under investigation. An 8-K filed under Item 1.05 is the disclosure a US-listed company must make when a cyber incident is judged material to investors. An unauthorised actor reached the bank's network around 16 June and was identified on 19 June; ransomware then hit portions of the server environment. The bank has not yet determined whether personally identifiable information (PII) was exfiltrated, and committed to an amendment within four business days of scoping the incident. 1
That puts a US-listed regional bank on the record mid-investigation, in the same materiality line as West Pharmaceutical Services, which filed its own ransomware 8-K in May . Disclosing before the scope of a breach is known is the harder call under the SEC's 2023 cyber rule, which lets a filer withhold detail it does not yet have. River made the filing anyway, and the amendment it has promised is what will settle the open PII question.
