This marks the first material cybersecurity 8-K I've tracked where the root cause was employee use of unauthorized AI software. Full filing on Board Cybersecurity: https://www.board-cybersecurity.com/incidents/tracker/cb-financial-services-cybersecurity-incident-2b5a3883?utm_source=mastodon&utm_medium=social&utm_campaign=cb-financial-shadow-ai

CB Financial Services, the parent company of Community Bank, filed an Item 1.05 disclosure on May 11 after discovering on May 5 that non-public customer information had been processed through an unauthorized AI application. On May 7, the Company determined the incident to be material due to the volume and sensitivity of the data involved.

The exposed records included customer names, social security numbers, and dates of birth—essentially a full identity-theft starter kit.

Three aspects make this filing noteworthy:

1. Materiality determinations are rare. Out of 153 8-K filings that discuss cybersecurity materiality in the Board Cybersecurity dataset, only 9 concluded the incident was material across the five SEC impact categories. CB Financial is unique in stating that the incident "has not had, and is not expected to have, a material impact on the Company's consolidated financial condition or results of operations" while still filing under Item 1.05, with materiality resting on data volume and sensitivity.

2. The root cause is not ransomware, vendor breaches, or phishing campaigns; it is shadow AI. An employee or employees used an unsanctioned AI application to handle customer data. This serves as a reference case for every CISO warning their board about this risk.

3. The materiality determination occurred just two days after discovery. It was driven solely by the data's volume and sensitivity, not by operational impact: the Bank stated that operations, payment systems, customer access, and core IT infrastructure were not disrupted.

The key takeaway is not that AI is inherently dangerous, but rather that the gap between "employees can access AI tools" and "the bank has controls over what data goes into those tools" has led to a material cybersecurity disclosure.

Expect more developments on this front.