The Silence in the Filing Record

What 42 Item 1.05 Disclosures — and Almost None from Mining, Oil and Gas, or Defense — Reveal About Governance Readiness in the Most Consequential Commodity Cycle in a Generation

5/20/2026 | 10 min read

This analysis is primarily relevant for public issuers, IPO-stage resource companies, institutional investors, and governance leaders evaluating cyber disclosure readiness.

Since December 18, 2023 — the date the SEC's cybersecurity disclosure rules took effect — approximately 42 public companies had filed Item 1.05 cybersecurity incident disclosures as of May 2026, according to public SEC filing trackers.

Only a small number of them operate in the sectors that control the physical infrastructure the global economy depends on: oil and gas, mining, critical minerals, and defense.

Again, very few came from mining, upstream energy production, or major defense contractors; I found two in my research.

Two is the starting point for this analysis. Not because it suggests these sectors are more secure. Because in the geopolitical and commodity environment of mid-2026, it raises a harder question.

The silence in the filing record is not evidence that nothing is happening. In this environment, it may be evidence that companies do not yet have the governance infrastructure to know.

The Disclosure Framework — Item 1.05 and Item 8.01

The SEC's 2023 cybersecurity rules created two distinct disclosure pathways for public companies experiencing cybersecurity incidents.

Item 1.05 of Form 8-K is mandatory. When a company determines that a cybersecurity incident is material — meaning there is a substantial likelihood that a reasonable investor would consider it important — it must file within four business days of that determination. The disclosure must describe the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the company.

Item 8.01 is voluntary. Companies experiencing incidents that are not material, or for which a materiality determination has not yet been made, are encouraged by the SEC to disclose voluntarily under Item 8.01 rather than under Item 1.05. This preserves the signal value of Item 1.05 filings for investors while allowing companies to communicate transparently about incidents below the material threshold.

The distinction matters. A company that files under Item 1.05 has made a legal determination that the incident is material. A company that files under Item 8.01 is communicating with investors without triggering mandatory material reporting standards. A company that files nothing has either determined the incident is immaterial and chosen not to disclose voluntarily, or has not detected or assessed the incident at all.

All three outcomes look the same from the outside: silence.

What the Data Shows

The volume and distribution of filings across both items tells a story about how the disclosure framework has evolved since December 2023.

The inflection point in May 2024 is significant. Prior to the SEC's guidance clarifying that Item 1.05 should be reserved for material incidents, companies were filing under 1.05 out of caution — including for incidents they simultaneously disclosed as immaterial. After the guidance, the ratio inverted dramatically. Item 8.01 voluntary disclosures surged. Item 1.05 filings fell.

What did not change was the sector distribution. Across all 106 filings combined — Item 1.05 and Item 8.01 — the mining, oil and gas production, critical minerals, and defence prime contractor sectors account for a handful of disclosures. The overwhelming majority of filings came from financial services, technology, healthcare, and retail.

The Sector Picture — What Has and Has Not Been Filed

*Note: The Itron filing relates to critical utility infrastructure — smart meters and grid management systems — rather than pure oil and gas production. It is included here because it represents the closest recent example of OT-adjacent critical infrastructure disclosure behaviour.

The Halliburton Case — What the Governance Gap Looks Like in Practice

Halliburton is the sector's detailed reference point, and it is instructive precisely because of how the disclosure unfolded.

On August 21, 2024, Halliburton became aware that an unauthorized third party had gained access to certain of its systems. The company activated its cybersecurity response plan, took systems offline, engaged external advisors, and notified law enforcement. That same day it filed under Item 8.01 — the correct first step for an incident under active assessment.

Thirteen days later, on September 3, 2024, Halliburton filed under Item 1.05. The company disclosed that the unauthorized third party had accessed and exfiltrated information from its systems, that the incident had caused disruptions to business applications across operations and corporate functions, and that it was evaluating the nature and scope of the exfiltrated data.

The filing simultaneously stated that the company believed the incident had not had, and was not reasonably likely to have, a material impact on its financial condition or results of operations.

The SEC sent a comment letter on October 17, 2024, asking Halliburton to explain why it had filed under Item 1.05 given that statement.

Halliburton's third quarter 2024 results subsequently disclosed a pre-tax charge of $116 million that included cybersecurity incident expenses, and a $0.02 per share earnings impact attributed in part to the August cybersecurity event.

A company with a quantifiable financial impact — $116 million in charges, measurable EPS dilution — still could not make a clean materiality determination in its initial Item 1.05 filing.

This is the governance gap made visible. Not an absence of security. An absence of the governance infrastructure to assess and disclose what the security team already knew.

The Halliburton sequence is now the model the SEC has effectively confirmed as best practice: file 8.01 first when the incident is detected and assessment is underway, then escalate to 1.05 when materiality is determined. But what the case also illustrates is that even a company of Halliburton's scale — with dedicated legal, compliance, and investor relations functions — struggled to connect the operational reality of a significant system compromise to a clear, defensible materiality determination.
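The 8.01-first, 1.05-on-determination sequence described in the framework section and in the Halliburton case, modelled as a small decision-and-deadline check. This is an added illustration, not code from the article or any SEC tool; the class and function names, the holiday calendar, and the 2024-08-28 determination date are constructed assumptions (the article gives only the 2024-08-21 awareness date and the 2024-09-03 Item 1.05 filing date).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed holiday set (US Labor Day 2024). The article lists no holidays; a
# real implementation must use the SEC's business-day calendar.
US_HOLIDAYS_2024 = frozenset({date(2024, 9, 2)})

def add_business_days(start: date, n: int, holidays: frozenset = frozenset()) -> date:
    """Date n business days after start (start itself not counted)."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:  # skip Sat/Sun and holidays
            remaining -= 1
    return d

@dataclass
class CyberIncident:
    detected: date                         # day the company became aware
    determination: Optional[date] = None   # day materiality was decided
    material: Optional[bool] = None        # None = assessment still pending
    holidays: frozenset = field(default_factory=frozenset)

    def required_item(self) -> str:
        """Which Form 8-K item the framework calls for at this point."""
        if self.determination is None or self.material is None:
            return "8.01 (voluntary; materiality assessment pending)"
        if not self.material:
            return "8.01 (voluntary; determined immaterial)"
        return "1.05 (mandatory; material incident)"

    def item_105_deadline(self) -> Optional[date]:
        """Four business days after the determination date, material only."""
        if not self.material or self.determination is None:
            return None
        return add_business_days(self.determination, 4, self.holidays)

    def item_105_is_late(self, filing_date: date) -> bool:
        deadline = self.item_105_deadline()
        return deadline is not None and filing_date > deadline

def halliburton_timeline() -> dict:
    """Dates on the page: aware 2024-08-21 (8.01 filed same day), 1.05 filed
    2024-09-03. The determination date is not on the page; 2024-08-28 is a
    constructed value used only to show the clock running over Labor Day."""
    inc = CyberIncident(detected=date(2024, 8, 21), holidays=US_HOLIDAYS_2024)
    day_one = inc.required_item()
    inc.determination, inc.material = date(2024, 8, 28), True
    return {
        "day_one_item": day_one,
        "after_determination_item": inc.required_item(),
        "item_105_deadline": inc.item_105_deadline().isoformat(),
        "filed_2024_09_03_late": inc.item_105_is_late(date(2024, 9, 3)),
    }
```

Run with the Labor Day holiday the deadline lands on 2024-09-04; without it the same determination date yields 2024-09-03, which is the kind of calendar detail a disclosure workflow has to get right rather than improvise.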

For a mid-tier mining company with operations on a remote site, one IT person, and satellite connectivity, the governance distance between detecting an incident and making a disclosure decision is orders of magnitude larger.

The Environment in Which This Silence Exists

The absence of disclosure from mining, resources, oil and gas, and defence does not exist in a neutral environment. It exists in the most geopolitically charged commodity cycle since the 1970s oil shocks — and the conditions that define that cycle are precisely the conditions that motivate the most sophisticated cyber adversaries.

Gold crossed $5,000 per ounce in early 2026. J.P. Morgan projects a medium-term scenario in which prices move toward $6,000 per ounce, driven by central bank diversification and investor demand that has no obvious ceiling. At these price levels, the financial value of gold mine operations, reserves, and geological data is near its peak. So is the strategic value of disrupting them.

Copper entered 2026 at or near historic highs following year-long disruptions at major operations including Grasberg, Kamoa-Kakula, and El Teniente. BloombergNEF identified the potential for structural deficit as early as 2026. The US Geological Survey added copper to its critical minerals list. The metal is now simultaneously a financial asset, an energy transition dependency, and a national security concern. That combination — strategic value plus supply constraint — is a textbook attacker targeting criterion.

China's rare earth export controls, expanded through 2025 and into 2026 to cover silver, tungsten, antimony, lithium-ion batteries, and graphite anode materials alongside the original 25 rare earth elements, have demonstrated that the supply of critical minerals can be weaponised as a geopolitical tool. Various industry estimates place China’s share of global rare earth separation and refining capacity at roughly 85–90%. The companies in Western jurisdictions that represent an alternative supply — and that are therefore targets of both capital and strategic interest — operate the same remote, OT-dependent environments that are most difficult to secure and most difficult to monitor for sophisticated intrusion.

The Strait of Hormuz has been effectively blockaded since late February 2026 following the outbreak of military conflict with Iran. Roughly 20% of global seaborne oil trade and 20% of global LNG trade transits the strait. The Dallas Fed has modelled the removal of close to 20% of global oil supplies as raising WTI prices to $98 per barrel under a one-quarter disruption scenario, with $175 per barrel identified as a plausible upper bound under prolonged disruption. Asian gas prices have already risen 54% from pre-conflict levels. European prices have risen 63%. The fertilizer inputs that flow through Hormuz — roughly one-third of global fertilizer trade — have driven urea prices from $475 to $680 per metric ton, with direct implications for North American food inflation.

These are not background conditions. They are active threat multipliers. When the physical assets a company controls have strategic value — to nation-states seeking to disrupt Western supply chains, to criminal groups targeting high-value ransom targets, to sophisticated adversaries conducting reconnaissance for future leverage — the probability and sophistication of cyber attacks against those assets rises accordingly.

Nation-state threat actors do not target mining and energy companies randomly. They target them when the assets those companies control have strategic value.

In May 2026, a lithium mine in Nevada, a copper operation with US off-take agreements, a rare earth processor supplying the defense supply chain, or an oil and gas producer with Gulf exposure has exactly the kind of strategic value that motivates persistent, sophisticated adversaries.

That is a categorically different threat profile from ransomware. And it is the threat profile least likely to generate a voluntary disclosure — because the most sophisticated intrusions are the ones that are not easily detected.

AI and the Expanding Attack Surface

The sophistication of the threat is increasing faster than the governance capability to respond to it.

AI-enabled attack tools lower the cost and skill threshold for targeting industrial control systems. Reconnaissance that previously required weeks of manual effort — mapping SCADA architecture, identifying vendor access points, understanding operational sequences — can now be conducted at scale with AI assistance. The attack surface for a mining or energy operation has not changed, but the attacker's ability to exploit it efficiently has expanded significantly.

SCADA systems in mining and energy environments were not designed for the threat landscape of 2026. Many run firmware that cannot be patched without production shutdown. Air gap assumptions — the belief that operational networks are physically isolated from corporate IT — are routinely undermined by VPN tunnels, remote vendor access, and USB maintenance connections. The historian servers that bridge OT and IT networks are frequently the pivot point for lateral movement.

For a company preparing for a US IPO, or already public and subject to Item 1.05 obligations, the question is not whether these vulnerabilities exist. They do. The question is whether the governance infrastructure exists to detect an incident on these networks, assess its materiality under the SEC's standard, and disclose it accurately within four business days.

In most cases, the honest answer is no. Not because these companies lack security teams. Because the governance layer — the materiality determination framework, the board escalation protocol, the incident response integration with legal and disclosure counsel — has not been built.

The Three Explanations for the Silence

There are three possible explanations for the near-total absence of cybersecurity disclosures from mining, resources, oil and gas, and defence, and all three are worth examining.

The first is that these sectors have not experienced material cybersecurity incidents on SEC-reportable systems. This is the most reassuring explanation and the least plausible one. The publicly documented incident record — Norsk Hydro in 2019, Rio Tinto in 2023, Northern Minerals and Sibanye-Stillwater in 2024, Evolution Mining in 2024 — demonstrates that the sector is actively targeted. The Halliburton filing confirms that major oilfield services companies are not immune. The idea that mining and energy producers, operating more exposed OT environments with less mature governance infrastructure, have simply avoided compromise strains credulity.

The second explanation is that incidents are occurring but not generating disclosure decisions. This happens in two ways. In the first, an incident occurs, is detected, and the company determines it is not material — either correctly, or because the materiality framework is insufficiently developed to surface the full implications. In the second, an incident occurs and is not detected at all. For sophisticated, persistent adversaries conducting reconnaissance rather than deploying ransomware, non-detection is not an accident. It is the objective.

The third explanation is that companies are experiencing and disclosing incidents through channels other than SEC filings — regulatory notifications, law enforcement coordination, operational communications with customers — without triggering the voluntary Item 8.01 framework. This is legally permissible and may reflect considered disclosure strategy. But it means investors in these companies are receiving less consistent cybersecurity incident information than investors in banks, technology companies, and retailers.

None of these explanations is reassuring. All three point to the same conclusion: the governance infrastructure for detecting, assessing, and disclosing cybersecurity incidents in the mining, resources, oil and gas, and defense sectors has not kept pace with either the regulatory obligation or the threat environment.

What Good Governance Looks Like — and Why It Matters Now

The contrast between Halliburton's disclosure sequence and Itron's April 2026 filing is instructive. Itron — a critical utility infrastructure company operating smart meters and grid management systems — filed under Item 8.01 when an unauthorized third party accessed its systems in April 2026. The company activated its response plan, engaged external advisors, notified law enforcement, and communicated that it did not currently believe the incident would have a material impact. No Item 1.05 was filed. The determination was precise, documented, and consistent with SEC guidance.

That is what a functioning materiality governance framework produces under pressure: precision rather than improvisation. The ability to make a defensible disclosure decision within days of detecting an incident, based on pre-agreed criteria rather than crisis judgment.

Questions Boards Should Be Asking

· Can we determine cyber materiality within four business days?

· Does OT telemetry feed into legal escalation?

· Who owns SEC disclosure authority during an incident?

· Have we tested disclosure decision workflows?

· Are external IR/legal advisors pre-engaged?

For mining and energy companies now approaching US capital markets — driven by gold prices above $5,000, copper at structural highs, and a rare earth supply chain that Western governments are actively incentivising to develop — the window to build that governance infrastructure is the pre-IPO period. Not the filing sprint. Not the first annual report. The period twelve to thirty-six months before the listing date, when design freedom exists and the decisions can be made properly.

The materiality determination framework, the board oversight structure, the incident response integration with legal and disclosure counsel, the third-party risk coverage — these are governance investments that have value independent of the disclosure obligation. They make the company more resilient, more credible to institutional investors, and more defensible if an incident occurs at the worst possible moment.

In mid-2026, given what is happening in commodity markets, in the Strait of Hormuz, and in the US-China competition for critical mineral supply chains, the worst possible moment is closer than it has ever been.

Methodology

This analysis reviewed SEC EDGAR cybersecurity-related Form 8-K filings filed between December 18, 2023 and May 13, 2026, including Item 1.05 filings and voluntary Item 8.01 cybersecurity incident disclosures identified through the Debevoise Cybersecurity Form 8-K Tracker and supplemental EDGAR review.

Sources: Debevoise & Plimpton LLP Cybersecurity Form 8-K Tracker (updated May 13, 2026); SEC EDGAR; J.P. Morgan Global Research; UNCTAD Strait of Hormuz Disruptions Report; Dallas Federal Reserve Bank; Congressional Research Service R45281; IEA Strait of Hormuz Analysis; Control Risks Global Mining Issues 2026; CNBC; World Economic Forum; MINING.COM. All commodity prices and geopolitical context reflect publicly available information as of May 2026.

Sturnella's Role

Sturnella advises mining, energy, infrastructure, and defense-adjacent companies on IPO cybersecurity readiness, SEC Regulation S-K Item 106 compliance, cyber diligence in M&A transactions, and board-level cybersecurity governance — before and during capital markets events.

We operate at the deal table, not inside the IT department. Our work is focused on governance precision, disclosure defensibility, and transaction protection.

contact@sturnellahq.com | sturnellahq.com | news.sturnellahq.com

Disclaimer: This article appeared on the Sturnella website at sturnellahq.com and is provided for informational purposes only. It does not constitute investment advice, financial advice, legal advice, or a solicitation to buy or sell any security or financial instrument. The information contained herein is based on publicly available sources and is believed to be accurate at the time of publication but is not guaranteed. Sturnella LLC is a capital markets cybersecurity and governance advisory firm and is not a registered investment adviser, broker-dealer, or financial institution. Always consult a qualified financial, legal, or investment professional before making any investment decision.