Key Takeaways

• CB Financial Services, Inc. filed the first SEC Form 8-K under Item 1.05 triggered by an  unauthorized use of an artificial intelligence (AI) tool, not an external cyberattack.
• A cybersecurity incident caused by insider misuse of AI (known as Shadow AI) should be assessed for disclosure under SEC rules.
• The four-business-day disclosure clock under Item 1.05 starts at the materiality determination, not at detection of the incident.
• Shadow AI should be considered as a cybersecurity risk as part of a company’s enterprise risk management framework.
• Financial institutions face layered exposure: federal banking guidance, state breach notification laws, and class action litigation.
• Suggested actions companies could take in reaction to Shadow AI developments are included below.