Thanks to this Wilson Sonsini alert for sharing the first Item 1.05 Form 8-K filed in connection with “shadow AI” (unauthorized AI use). Here’s the background from the alert:

On May 5, 2026, a Pennsylvania-based regional bank, Community Bank, the wholly owned subsidiary of CB Financial Services, Inc. (CB), detected a cybersecurity incident caused by the use of an unauthorized AI application which exposed sensitive customer information. Unlike the usual cybersecurity incident involving an attack on the company’s systems by a third-party bad actor or sabotage by an internal party, the exposure of confidential information in this case arose from the improper use of AI, presumably by a bank employee who turned to the unauthorized AI for efficiencies in handling customer information. Two days later, CB determined the incident was material and filed a Form 8-K under Item 1.05.

The alert says that this incident is a good reminder that:

– A cybersecurity incident need not involve an external attacker or system intrusion or material financial consequences to qualify as material under Item 1.05.

– Insider misuse of technology, including unauthorized use of AI tools, can independently trigger SEC disclosure obligations if the confidential information at risk is sensitive and extensive such that a company determines the incident is material.

– Meredith Ervine