Cybersecurity Incidents: What 916 SEC 8-K Filings Reveal

On March 11, 2026, Stryker Corporation — a $130 billion medical device manufacturer — filed an 8-K disclosing a cybersecurity incident that caused "a global disruption to the Company's Microsoft environment," disrupting order processing, manufacturing, and shipping. Over the next 12 days, Stryker filed two more 8-Ks, including a forensic update identifying a malicious file that had been used to hide attacker activity. As of March 23, 2026, the company still cannot say whether the incident will have a material financial impact. This is how all SEC cybersecurity disclosures begin. What the initial 8-K never shows is what comes next — and how expensive it gets.

A search of SEC filings from March 2025 to March 2026 found 916 8-K material event disclosures mentioning "cybersecurity incident" or "data breach." Across four non-tech companies — Stryker, Krispy Kreme, loanDepot, and Ardent Health — a predictable three-phase SEC disclosure lifecycle emerges: acute disruption, quantification and litigation, then insurance recovery. The most financially specific disclosures appear not in the initial 8-K, but 12 to 24 months later.

Phase 1: Acute — Stryker (March 2026)

Stryker's incident is textbook Phase 1. On March 11, 2026, the company detected unauthorized access to its Microsoft environment and filed an 8-K the same day. The next day, a second 8-K reported that operations continued to be disrupted, "including its order processing, manufacturing and shipping." Twelve days after detection, a third 8-K disclosed forensic findings from Palo Alto Networks Unit 42.

On March 11, 2026, Stryker Corporation ('we' or the 'Company') identified a cybersecurity incident affecting certain information technology systems of the Company that has resulted in a global disruption to the Company's Microsoft environment. Upon detection, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors and cybersecurity experts to assess and to contain the threat. The Company has no indication of ransomware or malware and believes the incident is contained. The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company's information systems and business applications supporting aspects of the Company's operations and corporate functions.

The March 23 forensic update revised that initial "no ransomware or malware" assessment: Unit 42 identified that "the threat actor used a malicious file to run commands which allowed it to hide its activity while in its systems." The initial read was wrong. This is not evasion — it reflects the genuine limits of real-time disclosure under the SEC's four-day materiality rule. Stryker filed accurately at Day 1, but the facts changed as the investigation deepened.

Stryker's most important Phase 1 disclosure is what it explicitly ruled out: three separate 8-Ks each confirmed that "patient-related services have not been disrupted" and that "connected products were not impacted." A $130 billion medical device maker can draw a hard line between enterprise IT and patient-facing systems. No financial company or food distributor can make that separation. No financial figures appear anywhere in Stryker's Phase 1 filings — those will arrive in its Q1 2026 quarterly report, months from now.

Phase 2: Quantification and Litigation — Krispy Kreme (2024–2025)

Krispy Kreme's cybersecurity incident began November 29, 2024, when unauthorized activity disrupted online ordering in the U.S. Its 10-Q for the period ended September 28, 2025 — filed nearly a year after the incident — provides the financial figures that no Phase 1 8-K could contain.

We incurred losses and costs from the incident, primarily in the fourth quarter of fiscal 2024 and early in the first quarter of fiscal 2025, which were estimated to have had an approximately $15 million aggregate impact on Adjusted EBITDA in those periods (includes margin on lost revenues, as well as operational inefficiencies). We hold cybersecurity insurance which has offset a portion of the losses and costs from the incident. We received $9.3 million business interruption insurance proceeds during the third quarter of fiscal 2025, and expect to receive additional insurance proceeds.

That a donut company's online ordering disruption generates an SEC-reportable $15 million EBITDA impact is itself a cross-industry signal: Krispy Kreme's digital channel had grown material enough that its outage required financial disclosure. The $9.3 million insurance recovery — received nearly 10 months after the incident — illustrates why Phase 1 financials are always "unknown." Claims must be submitted, insurers investigate, and reimbursement takes quarters, not days.

The litigation timeline mirrors the insurance delay. Krispy Kreme's data breach determination was not completed until May 22, 2025 — six months after detection. Class actions followed immediately in June 2025 and were consolidated in the Western District of North Carolina by September 18, 2025. An amended consolidated complaint was filed October 17, 2025. As of the November 2025 10-Q, the company stated it was "too soon to predict with any certainty what, if any, damages could be awarded." Phase 2, by definition, has no financial resolution — only financial exposure accumulating toward a future settlement number.

Phase 3: Resolution — loanDepot and Ardent Health

loanDepot's January 2024 breach and Ardent Health's November 2023 ransomware attack represent the cybersecurity incident lifecycle at full maturity: insurance paid, class actions settled, costs booked and closed. Their filings quantify the total financial outcome that Stryker and Krispy Kreme cannot yet see.

loanDepot received $35 million in total cybersecurity insurance proceeds — $15 million in fiscal 2024 and a final $20 million received in October 2025, 21 months after the incident. Its 10-Q filed November 7, 2025 closes the loop explicitly:

During the year ended December 31, 2024, the Company received $15.0 million of reimbursements from its insurers and recorded an additional insurance receivable of $20.0 million that was received in October 2025. No additional reimbursements are expected at this time.

loanDepot's XBRL filing introduced a custom dimension — "CyberSecurityIncidentMember" — to track incident-related financial flows across reporting periods. This is operationally unusual. It indicates the incident generated enough discrete financial activity over enough quarters that the company created a dedicated accounting member in its taxonomy. The $35 million total recovery represents the highest confirmed insurance figure in this analysis and the upper bound visible from a mid-size financial institution's public filings.

Ardent Health shows the resolution phase in healthcare. Its November 2023 ransomware attack disrupted hospital billing systems and adversely affected cash flows through Q1 2024. Three class actions — filed on behalf of approximately 38,000 individuals whose personal and protected health information was affected — were consolidated under Hodge v. AHS Management Company in the Middle District of Tennessee. Settlement was executed October 4, 2024, 11 months post-incident.

The complaint for the consolidated class action, filed on behalf of approximately 38,000 individuals who alleged their personal information and protected health information were affected by the Cybersecurity Incident, generally asserted state common law claims of negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, and invasion of privacy with respect to how the Company managed sensitive data. On October 4, 2024, the Company executed a settlement agreement to resolve the consolidated class action litigation.

Final court approval came August 1, 2025 — nearly two years after the attack. Insurance recovery of $21.5 million arrived in the nine months ended September 30, 2025 and was classified entirely as "other non-operating gains." The settlement was deemed "not material" to operations, financial position, or liquidity. This is the standard accounting resolution: operational disruption costs appear in operating results during Phases 1 and 2; insurance recoveries arrive later as non-operating offsets. An investor reading only the initial 8-K sees no numbers. An investor reading only the Phase 3 10-Q sees what looks like a profitable non-operating income line.

The Pattern: A Predictable Lifecycle Hidden Across Filings

These four companies support a specific claim: the SEC's cybersecurity disclosure regime creates a three-phase financial lifecycle that is invisible from any single company's filing, but apparent when cross-company timing is analyzed. A company reading Stryker's Phase 1 8-K learns almost nothing financially useful. A company reading Ardent Health's Phase 3 10-Q sees the fully resolved cost structure of a comparable incident — but without the cross-company lens, there is no reason to connect the two.

Phase 1 (the initial 8-K) is the least financially informative disclosure in the lifecycle. It establishes that an incident occurred and that systems are affected, but financial materiality is explicitly undetermined. Stryker's three 8-Ks each end with "the Company has not yet determined whether the incident is reasonably likely to have a material impact." This is not evasion — it is the accurate state of knowledge at Day 1.

Phase 2 begins when personal data exposure is confirmed, typically 3–6 months post-incident. That confirmation triggers class action filings within weeks. Krispy Kreme's sequence — breach November 2024, data determination May 2025, class actions June 2025, consolidation September 2025 — is replicable across any company with a digital channel storing personal or health information. The EBITDA figures that appear in Phase 2 quarterly filings are the first real numbers, but they are backward-looking and exclude insurance recoveries still under negotiation.

Phase 3 insurance recoveries are the final and often largest financial disclosure. loanDepot's $35 million across two tranches and Ardent Health's $21.5 million booked as non-operating gains follow the same accounting treatment: costs recognized in operating results during Phases 1 and 2; insurance proceeds classified as non-operating income in Phase 3. The gap between these phases is why standard trailing-twelve-month financial analysis understates cybersecurity incident costs — the full economic picture doesn't fit within a single reporting period.

Three things to watch:

1. Stryker's Q1 2026 10-Q — the first quarterly filing after the March 2026 incident will contain the initial financial quantification that three 8-Ks could not provide
2. Krispy Kreme's Western District litigation — the October 2025 amended consolidated complaint is the precursor to a damages range appearing in future 10-Qs; the settlement figure will mark the true end of Phase 2
3. Airlines and railroads — 70 combined 8-Ks in 12 months from two non-tech industries signal that operational technology dependency, not cybersecurity sophistication, is the better predictor of disclosure frequency

The lifecycle pattern also extends into IPO disclosures. Of the 10,000+ total SEC filings mentioning "cybersecurity incident" or "data breach," 1,263 were S-1 registration statements — IPO filings in which companies disclosed past incidents as risk factor narrative. Companies going public now routinely describe prior breach history as material risk, suggesting the lifecycle extends beyond the 24-month resolution window shown here into permanent disclosure obligations that follow a company through its public markets debut.

Reading this lifecycle requires tracking a company across form types and years simultaneously. MetricDuck's filing intelligence tools aggregate 8-K, 10-K, and 10-Q disclosures for a single company across its full history, making it possible to trace an incident from the initial detection 8-K through the Phase 3 insurance recovery without manually searching EDGAR accession by accession. For companies currently in Phase 2, earnings analysis pages surface the specific 10-Q language that first quantifies EBITDA impact — the moment the incident transitions from operational problem to financial disclosure.

Frequently Asked Questions

What is the SEC cybersecurity disclosure requirement and when does it apply?

Since 2024, the SEC requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining it is material. In the 12 months ended March 2026, 916 such 8-Ks were filed. Materiality determination — not incident detection — starts the clock, which is why companies like Stryker can file an initial 8-K on the day of detection and still state that financial materiality has "not yet been determined."

Which industries file the most cybersecurity 8-Ks?

Non-tech industries generate the most repeated cybersecurity 8-K filings per company. In the 12 months ended March 2026, Norfolk Southern (NSC) filed 16 cybersecurity-related 8-Ks, Allegiant Travel (ALGT) filed 14, and Frontier Group (ULCC) and Union Pacific (UNP) filed 11 each — all airlines or railroads, not software companies. Airlines (SIC 4512) filed 43 cybersecurity 8-Ks industry-wide, second only to pharmaceutical preparations (51). Railroads (SIC 4011) filed 27.

How much does a cybersecurity incident cost in disclosed SEC figures?

Based on three resolved incidents: Krispy Kreme (DNUT) disclosed approximately $15 million aggregate impact on Adjusted EBITDA from its November 2024 incident, partially offset by $9.3 million in insurance proceeds. Ardent Health (ARDT) received $21.5 million in business insurance recovery proceeds for its November 2023 ransomware attack. loanDepot (LDI) received $35 million total from insurers for its January 2024 breach across two tranches over 21 months — the largest confirmed insurance recovery in this analysis.

When do cybersecurity incident costs appear in SEC filings?

The most financially specific disclosures appear 12–24 months after the incident. The initial 8-K typically discloses no financial figures. Six to twelve months later, quarterly reports quantify EBITDA impact. Insurance recoveries and class action settlements appear in the 12–24 month window: loanDepot received its final $20 million insurance tranche in October 2025, 21 months after its January 2024 incident. Ardent Health's $21.5 million insurance recovery arrived in the nine months ended September 2025, nearly two years after its November 2023 ransomware attack.

How does cybersecurity insurance appear in SEC filings?

Cybersecurity insurance appears first as a risk mitigation disclosure and later as a financial line item. Ardent Health classified $21.5 million in proceeds as "other non-operating gains" — entirely separate from operating income. loanDepot disclosed a $20 million insurance receivable in Q3 2025 as a subsequent event, received October 2025. Coverage ratios in these cases range from 62% (Krispy Kreme: $9.3M insurance vs $15M EBITDA impact) to well over 100% (loanDepot: $35M insurance). The multi-tranche structure means insurance income is spread across multiple reporting periods, creating recurring non-operating gains that can mask the cumulative cost in any single quarter's income statement.

What triggers class action lawsuits after a cybersecurity incident?

Class actions follow personal data breach determinations, not the initial incident detection. Krispy Kreme's November 2024 incident generated class actions beginning June 2025 — only after the May 22, 2025 investigation confirmed personal data was affected. Ardent Health's ransomware attack generated a consolidated class action on behalf of approximately 38,000 individuals. Settlement costs in both cases were characterized as "not material" to operations, financial position, or liquidity. The path from incident detection to consolidated class action consistently takes 6–12 months, meaning companies in Phase 1 (like Stryker today) face litigation exposure they cannot yet quantify.

Methodology

This analysis used MetricDuck's SEC filing intelligence tools to search 10,000+ filings for "cybersecurity incident" OR "data breach" across all SEC form types from March 2025 to March 2026. We identified 916 8-K material event disclosures and drilled into four companies — Stryker (SYK), Krispy Kreme (DNUT), loanDepot (LDI), and Ardent Health (ARDT) — representing four non-tech SIC industries at distinct stages of the cybersecurity incident disclosure lifecycle.

Tools used: SEC EDGAR Full-Text Search (EFTS) for landscape discovery and SIC industry breakdowns; MetricDuck filing intelligence reader for MD&A, legal proceedings, and notes to financial statements; company-level drill-down using Stryker EDGAR filings, loanDepot EDGAR filings, and Ardent Health EDGAR filings.

Limitations: (1) Financial figures reflect only what SEC disclosure rules require — actual incident costs including unreported internal remediation, undisclosed litigation reserves, and ongoing insurance negotiations are not captured in any filing. (2) The three-phase lifecycle pattern is derived from four companies across two fiscal years in non-tech industries; companies with materially different insurance coverage, weaker litigation exposure, or incidents in technology-native industries may show different timing patterns. (3) EFTS keyword matching on "cybersecurity incident" and "data breach" does not capture incidents disclosed under different terminology (e.g., "security event," "network intrusion"), potentially undercounting the true universe of material events.

Disclaimer: This analysis is for informational purposes only and does not constitute investment advice. Past disclosure patterns do not predict future incident severity, costs, or litigation outcomes. Investors should read each company's complete SEC filings and consult qualified financial advisors before making investment decisions.