A Bank Just Filed an Item 1.05 Because an Employee Used an Unauthorized AI Tool

Most Item 1.05 filings describe an outside attacker. CB Financial Services (NASDAQ: CBFV) filed one on May 11, 2026 that describes something newer and, for compliance officers, more unsettling. According to the 8-K, on May 5, 2026 its subsidiary Community Bank “became aware of an internal incident involving the handling of certain non-public customer information using an unauthorized artificial intelligence-based software application.”

There was no breach in the classic sense. The filing is explicit that the event “did not involve a disruption to the Bank’s operations, customer access to accounts or services, payment systems, or core information technology infrastructure.” What made it reportable was the data: “due to the volume and sensitive nature of the non-public information at issue, on May 7, 2026, the Company determined the event to be material.” Among the disclosed data were “customer names, social security numbers and dates of birth.”

This is a shadow-AI incident dressed in 8-K language, and it is a meaningful precedent. The SEC’s cyber rule defines a cybersecurity incident broadly enough to capture unauthorized handling of data, not just unauthorized access by a third party. Feeding regulated personal data into an unsanctioned AI tool can therefore be a material cybersecurity incident even with no external adversary and no system compromise.

Note the clean two-step materiality timeline: awareness on May 5, materiality determination on May 7, 8-K on May 11. The company’s remediation reads like an internal-controls response rather than an intrusion response — “strengthening existing controls, implementing additional controls and enhancing monitoring measures” — and it stayed in contact with banking regulators throughout, consistent with the overlapping obligations financial institutions face.

For policy watchers, this filing is a signal that Item 1.05 is starting to absorb the AI-governance problem. As employees reach for generative tools, “data loss” increasingly means data voluntarily pasted somewhere it shouldn’t go. The primary record is at sec.gov, surfaced via EdgarBeast (“SEC filing data API & evidence index”). Expect more disclosures shaped like this one — and expect AI-use policies to be treated as a cybersecurity control, because the SEC just saw one fail in a filing.