Microsoft filed this late today with the SEC[1] just before they stopped accepting new filings for the day under their new Cybersecurity Incident disclosure rule[2]. FWIW, two other publicly traded companies disclosed[3] their breaches since the rule went into affect last month.
Actually there has been more, e.g. LoanDepot, Inc [1], and then various amended 8-Ks. I’ve been hacking on a side project to parse the 8-K data which is all over the place, including some companies still reporting under old “items” like 8.01 vs the new 1.05 material cybersecurity incident item.
If folks are interested in this space, I just got the mailing list [2] running last night and you can see a list of all the current incidents on my Incident Tracker [3].
I have many more data points I plan on tracking as well as adding 10-K GRC items to the list (potentially helpful for CISOs, other risk managers and investors to eval a companies risk management maturity).
[1] https://www.sec.gov/Archives/edgar/data/789019/0001193125240...
[2] https://www.sec.gov/news/press-release/2023-139
[3] https://last10k.com/stock-screeners/cybersecurity