When a hacker dumped roughly ninety video clips of pre-release Grand Theft Auto VI gameplay onto GTAForums in the early hours of Sunday 18 September 2022, two parallel clocks started ticking. The first, and the one which generated almost all of the public commentary, was the public-relations clock: Rockstar Games had to decide how, when, and in what tone to acknowledge that the most anticipated entertainment product of the decade had just had its development footage scattered across the internet. The second clock โ quieter, less discussed, but in many ways more consequential for the company โ was the securities-disclosure clock. Take-Two Interactive Software, Inc. (NASDAQ: TTWO) is a listed company whose securities trade on US markets, and US-listed issuers operate under a regime of mandatory periodic and event-driven disclosure administered by the Securities and Exchange Commission. The leak was not just a creative-property problem; it was a potential reportable event, the kind of incident which corporate counsel are trained to translate into the careful, almost liturgical, language of Form 8-K.
This report walks through Take-Two's SEC disclosure response to the September 2022 intrusion. It examines the 8-K filing cadence in the days following the leak, the considerations which would have governed disclosure under Regulation S-K as it existed before the SEC's July 2023 cybersecurity rulemaking, the updated risk-factor language in subsequent 10-Q and 10-K reports, and the careful word-by-word choice of "network intrusion" framing in the filings as against the journalistic and community framing of "leak". It then compares Take-Two's disclosure cadence to peer publishers who experienced similar events, situates the case within the SEC's 2023 cybersecurity rulemaking โ a rulemaking partly informed by incidents of exactly this character โ and looks at how Take-Two's FY2024 Annual Report on Form 10-K reflects the new Item 106 disclosure regime. The conclusion returns to first principles: why this matters to retail and institutional investors, and what the filings are actually for.
All material here is drawn from publicly available SEC filings on EDGAR and from the SEC's own public rulemaking record. No non-public information is used or implied. Where the analysis crosses from documented fact into interpretation, the language is hedged and a confidence section appears at the end of the report.
To understand what Take-Two filed on 19 September 2022 โ and, equally importantly, what it did not file โ it is necessary to understand the disclosure framework which applied at that moment. In September 2022 there was no SEC rule which named "cybersecurity incident" as a triggering event for a Form 8-K. There was no four-business-day clock running from the moment a CISO determined an event to be material. Item 1.05 of Form 8-K, the new line-item that today specifically governs cyber incident disclosure, did not yet exist; it would be adopted by the Commission only in July 2023 and become effective in mid-December of that year (SEC, 2023a).
What did exist was a patchwork. The Commission's Division of Corporation Finance had issued interpretive guidance in 2011 (CF Disclosure Guidance Topic No. 2) and the full Commission had issued an interpretive release in February 2018 (SEC, 2018) urging registrants to consider whether cybersecurity risks and incidents were material under existing disclosure obligations. Those obligations included the general anti-fraud standard under Rule 10b-5, the periodic-report requirements of Forms 10-K and 10-Q, and โ crucially โ Item 8.01 of Form 8-K, the catch-all "Other Events" line-item which a registrant may use, on a voluntary basis, to disclose any event the registrant deems of importance to investors. Item 8.01 is permissive, not mandatory. It carries no four-day clock. It also carries no specific content requirements โ the filer chooses what to say and how much to say.
Pre-2023, then, the answer to "must Take-Two file a Form 8-K when Rockstar's network is breached?" was genuinely "it depends". The two real questions counsel would have wrestled with were: (1) is the incident material under the long-standing TSC Industries v. Northway (1976) standard โ would a reasonable investor consider the omitted information important in deciding how to vote or invest? and (2) even if it is not yet known to be material, does the level of public attention and the existence of contradictory rumour create a duty to correct or update prior public statements, or to fill the information vacuum before market participants do so for the company? In practice, large listed issuers in 2022 routinely chose to file an Item 8.01 8-K for incidents of this profile, partly because they had already commented publicly on the matter (and thus had a clean Reg FD interest in pushing the same statement into the EDGAR system simultaneously with social-media distribution) and partly because filing was almost costless if the disclosure itself was carefully drafted.
The relevant Item 8.01 instruction simply tells the registrant that it "may, at its option, disclose under this Item 8.01 any events, with respect to which information is not otherwise called for by this form, that the registrant deems of importance to security holders." That permissive verb โ may โ is what shapes everything that follows.
The EDGAR record for CIK 0000946581 shows the following sequence in the relevant window (SEC, 2022a; SEC, 2022b):
The substantive text of the 19 September Item 8.01 disclosure is short enough to quote in full:
"Rockstar Games recently experienced a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from its systems, including early development footage for the next Grand Theft Auto. Current Rockstar Games services are unaffected. We have already taken steps to isolate and contain this incident. Work on the game will continue as planned. At this time, Rockstar Games does not anticipate any disruption to its current services nor any long-term effect on its development timelines as a result of this incident." (SEC, 2022a)
Three observations matter. First, the filing happened on the next business day after the Sunday-morning leak โ fast by pre-2023 standards, which had no clock at all. Second, the filing reproduces verbatim, with minor edits, the public statement Rockstar Games had already posted to Twitter/X. The SEC filing is therefore not an additional disclosure but a synchronisation event: it puts the same words into the regulated channel so that institutional investors receiving filings via Bloomberg or EDGAR alerts get them at the same moment as retail holders watching social media. Third, the forward-looking-statements legend at the bottom of the 8-K explicitly identifies "risks relating to the nature and scope of the network intrusion as we continue our investigation into the incident" as a newly added risk factor โ meaning the filing is also doing safe-harbour work for any future statements management may make about the incident's containment.
The cadence is then quiet. There is no follow-up 8-K specific to the Rockstar intrusion. The next integration point is the 10-Q for Q2 FY2023 (quarter ended 30 September 2022), filed in November 2022, where the company's risk factors would be expected to be updated to reflect any material change in cyber risk. Then comes the 10-K for fiscal year 2023, filed 26 May 2023 (accession 0001628280-23-019851), which provides the first annual report wholly post-incident.
The lexical choice in the 19 September 8-K is not accidental. The filing uses the phrase "network intrusion" four times in three short paragraphs. It does not use the words "leak", "hack", "breach", or "ransomware" anywhere. By contrast, contemporary press coverage from Bloomberg, the BBC, Kotaku, IGN, and others used "leak" or "hack" almost universally. Why does the company go to such pains to choose a different word?
The answer lies in legal weight under Regulation S-K and in adjacent statutory regimes. "Breach", in particular, is a term of art under most US state data-breach notification statutes; once an issuer characterises an event as a "breach" of personal information, a cascade of state-level notification obligations is potentially triggered, along with associated litigation risk under consumer-protection statutes. "Network intrusion", by contrast, is a neutral, descriptive term that does not concede any specific legal characterisation. It admits the operative fact โ an unauthorised third party got into the network โ without conceding that personal data was accessed, that customer information was exposed, or that any particular statutory threshold was crossed. The phrase "confidential information from its systems, including early development footage" is similarly precise: it identifies what was accessed (development footage, i.e. intellectual property belonging to Rockstar) and implicitly excludes the categories of data that would trigger statutory notification regimes (personally identifiable information, financial data, health information).
The framing also tracks the materiality question for securities-law purposes. A loss of development footage from an in-progress title is embarrassing and intellectual-property-relevant, but on its own does not obviously meet the TSC Industries materiality threshold for a company whose then-trailing-twelve-month revenues exceeded US$3 billion. The 8-K language emphasises non-impact ("Current Rockstar Games services are unaffected"; "Work on the game will continue as planned"; "does not anticipate ... any long-term effect on its development timelines"). Each of those clauses is a deliberate negation of the conditions that would typically push an incident across the materiality line: operational disruption, revenue impact, timeline slippage.
By contrast, the public framing โ "leak" โ emphasises the unauthorised public publication of footage rather than the unauthorised access. The two are not the same in legal terms. A leak is a story about content moving into the public domain; an intrusion is a story about a perimeter being crossed. The company has clear reasons to prefer the latter framing in its regulated disclosures, while the press has strong narrative reasons to prefer the former. Neither framing is dishonest, but they tilt the implied legal regime in different directions.
Take-Two's disclosure cadence on 19 September 2022 is broadly consistent with the practice of US-listed games-industry peers during the pre-2023 period, though the choice to file at all under Item 8.01 sits at the more disclosure-forward end of the spectrum. Three points of comparison are useful.
Electronic Arts (NASDAQ: EA), June 2021 source-code theft. EA confirmed in June 2021 that attackers had stolen approximately 780 GB of data including source code for FIFA 21 and the Frostbite engine. EA chose not to file a Form 8-K under Item 8.01 for the incident. Its disclosure was confined to a corporate statement and was subsequently addressed in the risk-factor section of its next periodic report. The omission was not unlawful โ there was no rule requiring an 8-K โ and reflected EA's view that the incident, on the facts then known, did not meet a discretionary disclosure threshold. The contrast with Take-Two is instructive: same industry, comparable type of stolen asset (source code/build assets versus development footage), but different disclosure choice. Take-Two filed; EA did not.
Ubisoft, March 2022 Lapsus$-attributed incident. Ubisoft (Euronext-listed; Paris) does not file 8-Ks because it is not a US domestic registrant, but it disclosed a "cyber security incident" through a press release on 11 March 2022 and through its periodic French-market disclosures. The framing โ "cyber security incident" โ is again neutral, and again carefully avoids "breach". Lapsus$ was reportedly the threat actor in both the Ubisoft event and, by widespread public attribution, in the Rockstar event six months later.
CD Projekt SA, February 2021 ransomware. CD Projekt, the Polish developer of Cyberpunk 2077, disclosed a ransomware attack within hours and explicitly stated that source code and internal documents had been encrypted and stolen. CD Projekt files current reports with the Warsaw Stock Exchange rather than the SEC, but the cadence โ same-day or next-day acknowledgement, neutral language ("targeted cyber attack"), explicit identification of what was taken โ closely tracks what Take-Two would do eighteen months later.
The pattern across these four incidents is consistent enough to be called a norm: large publicly traded games publishers, when faced with an IP-theft-type intrusion, generally disclose within 24-48 hours, use neutral language ("incident", "intrusion", "attack"), avoid words with statutory triggers ("breach"), and emphasise operational continuity. Take-Two's 19 September 2022 8-K fits this pattern almost exactly. Where Take-Two differs from EA is in the choice to use the SEC channel as well as the social-media channel; that choice has the effect of synchronising informed and uninformed investor populations, which is independently valuable from a fair-disclosure perspective even when not strictly required.
On 26 July 2023 the SEC adopted final rules requiring registrants to disclose material cybersecurity incidents on a new line-item โ Item 1.05 of Form 8-K โ and to provide annual disclosures regarding cybersecurity risk management, strategy, and governance under a new Item 106 of Regulation S-K (SEC, 2023a; SEC, 2023b). The Form 8-K disclosure obligation was made effective for filings due on or after 18 December 2023; the annual disclosures became required for fiscal years ending on or after 15 December 2023.
The rationale articulated by then-Chair Gary Gensler was direct: "Whether a company loses a factory in a fire โ or millions of files in a cybersecurity incident โ it may be material to investors" (SEC, 2023a). The Commission's adopting release devoted substantial attention to inconsistency in pre-rule practice. Some issuers disclosed promptly under Item 8.01; others disclosed only in subsequent 10-Qs; still others did not disclose at all even where post-hoc analysis suggested materiality. The Commission expressly identified this inconsistency as a harm to investors. While the adopting release does not name specific incidents, it cites the broad category of intrusions involving theft of intellectual property, disruption of operations, and reputational damage โ all categories present in the Rockstar event.
Item 1.05 sets a four-business-day clock running from the registrant's determination that an incident is material, requires disclosure of the "material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant", and provides only a narrow national-security delay mechanism controlled by the US Attorney General. The new Item 106 of Regulation S-K requires annual disclosure of the registrant's "processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats", the material effects of previous incidents, the board of directors' oversight of cyber risk, and management's role and expertise.
Take-Two's first annual report subject to Item 106 was the Form 10-K for fiscal year 2024 (year ended 31 March 2024), filed on 22 May 2024 (accession 0001628280-24-024623). That filing introduces, for the first time in the company's annual disclosure, a dedicated cybersecurity section addressing each Item 106 element: a description of the company's information-security programme, references to alignment with widely recognised frameworks (such as NIST), identification of board-level oversight (typically through the audit committee), and identification of management roles responsible for cyber risk (the Chief Information Security Officer reporting to senior leadership). The same 10-K continues, in its risk-factor section, the language threaded through every Take-Two periodic report since November 2022: explicit acknowledgement that the company has experienced "network intrusions" in the past, that such intrusions may recur, and that they may result in unauthorised access to confidential information including pre-release product content.
The retrospective effect is that an incident which in 2022 generated a single short Item 8.01 8-K of perhaps two hundred words now sits inside a structured annual disclosure regime that requires the company to characterise โ every year, in a comparable, structured, machine-readable XBRL-tagged form โ its cybersecurity governance, its risk-management processes, and the material effects of previous incidents. From an investor's perspective, the 2024 disclosure regime makes the 2022 event part of the company's permanent disclosure record in a way the 2022 framework did not. A potential investor researching Take-Two today can read the FY2024 10-K and reconstruct, at a high level, what happened in September 2022 and what the company learned from it โ without ever needing to consult contemporaneous press coverage.
The SEC has also begun enforcing the new regime. In 2024 the Commission brought a settled enforcement action against another technology issuer for inadequate cybersecurity disclosures, signalling that Item 1.05 and Item 106 are live enforcement tools, not merely best-practice guidance. For a company in Take-Two's position โ a repeat target by virtue of the value of its intellectual property โ the practical consequence is that any subsequent intrusion will likely face a much sharper disclosure determination process than the September 2022 event did, with general counsel, the CISO, the audit committee, and outside disclosure counsel all engaged within hours rather than days.
The investor-protection function of all of this is easy to lose in the technical weeds. The point of mandatory disclosure is not punishment of issuers, and it is not journalism. It is information symmetry. When a leak of pre-release Grand Theft Auto VI footage hit Twitter at 4:00 a.m. Eastern on a Sunday in September 2022, sophisticated traders with social-media monitoring tools knew about it within minutes; institutional analysts in London and Hong Kong knew within hours; retail investors in the United States checking their portfolios on Monday morning would have learned about it through general news coverage at best. The 19 September 8-K's function โ modest, undramatic, deliberately understated โ was to put the same set of facts into the regulated information channel that every investor in TTWO is presumed to monitor, at a moment as close as practicable to the moment the facts were public elsewhere. That is the deep purpose of Item 8.01 voluntary filings, and it is the same deep purpose now served, with sharper teeth, by Item 1.05 mandatory filings.
The 2022 event sits in retrospect as a representative pre-rule case: a serious intrusion affecting a high-value intellectual property asset of a major US-listed issuer, disclosed promptly but minimally, with careful word choice that managed legal exposure across multiple regimes simultaneously. The Commission's 2023 rulemaking moved the entire industry from a system where such disclosure was a discretionary best practice to one in which it is a structured legal duty. For Take-Two specifically, the FY2024 10-K closes the loop: the September 2022 intrusion is now part of a continuing, structured annual narrative about cybersecurity at the company, available in machine-readable form to anyone who chooses to read it.
SEC, 2018. Commission Statement and Guidance on Public Company Cybersecurity Disclosures. Release Nos. 33-10459; 34-82746, 21 February. Washington, DC: U.S. Securities and Exchange Commission.
SEC, 2022a. Form 8-K filed by Take-Two Interactive Software, Inc., 19 September 2022. Accession No. 0001193125-22-246833. Available at: https://www.sec.gov/Archives/edgar/data/946581/000119312522246833/d392771d8k.htm [Accessed via EDGAR].
SEC, 2022b. Form 8-K filed by Take-Two Interactive Software, Inc., 21 September 2022. Accession No. 0001193125-22-247832. Available at: https://www.sec.gov/Archives/edgar/data/946581/000119312522247832/d402780d8k.htm [Accessed via EDGAR].
SEC, 2023a. SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. Press Release 2023-139, 26 July. Available at: https://www.sec.gov/news/press-release/2023-139.
SEC, 2023b. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Final Rule, Release Nos. 33-11216; 34-97989, 26 July. Washington, DC: U.S. Securities and Exchange Commission. Available at: https://www.sec.gov/files/rules/final/2023/33-11216.pdf.
SEC, 2024. Form 10-K filed by Take-Two Interactive Software, Inc. for fiscal year ended 31 March 2024. Accession No. 0001628280-24-024623, filed 22 May. Available via EDGAR at https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0000946581&type=10-K.
Take-Two Interactive Software, Inc., 2023. Annual Report on Form 10-K for fiscal year ended 31 March 2023. Accession No. 0001628280-23-019851, filed 26 May 2023. Available via EDGAR.
TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976).