UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
_________________
FORM 8-K
_________________
CURRENT REPORT
Pursuant to Section 13 or 15(d)
of the Securities Exchange Act of 1934
Date of Report (Date of earliest event reported): February 19, 2026
_______________________________
(Exact name of registrant as specified in its charter)
_______________________________
| (State or Other Jurisdiction of Incorporation) | (Commission File Number) | (I.R.S. Employer Identification No.) | ||||||
(Address of Principal Executive Offices) (Zip Code)
(978 ) 352-2200
(Registrant's telephone number, including area code)
N/A
(Former name or former address, if changed since last report)
_______________________________
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
| Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425) | |||||
| Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12) | |||||
| Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b)) | |||||
| Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c)) | |||||
Securities registered pursuant to Section 12(b) of the Act:
| Title of each class | Trading Symbol(s) | Name of each exchange on which registered | ||||||
The | ||||||||
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company o
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. o
Item 1.05 Material Cybersecurity Incidents.
On or about February 14, 2026, UFP Technologies, Inc. (the “Company”) detected suspicious activity involving its information technology (“IT”) systems. Upon detecting the issue, the Company began taking steps to assess, contain, and remediate the unauthorized activity, including isolating the affected systems and launching an investigation with the assistance of external cybersecurity advisors.
Through the Company’s efforts, the Company believes that the third party responsible for this cybersecurity incident has been removed from the Company’s IT systems, and the Company’s ability to access information impacted by this incident has been restored in all material respects. The incident appears to have impacted many but not all of the Company’s IT systems and affected functions such as billing and label making for customer deliveries. Certain Company or Company-related data appear to have been stolen or destroyed. As a result of the Company’s contingency plans and data backup systems, the Company implemented planned solutions for the issues posed by the incident. The Company’s operations have continued since the detection of the cybersecurity incident in all material respects.
Although the Company has ascertained that certain files were exfiltrated, it is still investigating the extent of any sensitive information contained in the accessed systems, including whether any personal information was exfiltrated. It is evaluating what legal and regulatory notifications and filings may be required as a result of this incident and will make such filings as are required based on its findings. The Company continues to investigate the nature and scope of the unauthorized access.
The Company currently expects that a significant portion of its direct costs incurred relating to containing, investigating and remediating the cybersecurity incident will be reimbursed through insurance recoveries.
As of the date hereof, the incident has not had a material impact on the Company’s financial systems, operations or financial condition. While the Company’s investigation and assessment of this incident is ongoing, as of the date of this filing, the Company believes its primary IT systems are operational in all material respects and the Company does not believe the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
Cautionary Statement Regarding Forward-Looking Statements
This Current Report on Form 8-K contains statements about future events and expectations which are “forward-looking statements” within the meaning of Sections 27A of the Securities Act of 1933, as amended, and 21E of the Securities Exchange Act of 1934, as amended. Forward-looking statements can be identified by forward-looking words such as “may,” “might,” “could,” “would,” “should,” “will,” “anticipate,” “believe,” “plan,” “estimate,” “project,” “expect,” “intend,” “seek,” “are encouraged,” and other similar expressions. Any statement contained in this Current Report on Form 8-K that is not a statement of historical fact may be deemed to be a forward-looking statement. All forward-looking statements involve risks, uncertainties and other factors that may cause actual results to differ materially from those expressed or implied in the forward-looking statements. For example, all statements regarding the impact of the incident described above on the Company and its operations, financial systems, or financial condition, the scope of the investigation, expectations regarding the adequacy of insurance, the Company’s plans, objectives, projections and expectations regarding the Company’s operations or financial condition, and assumptions related thereto are all forward-looking statements. Factors that might cause the Company’s actual results to differ materially from those anticipated in forward-looking statements include, but are not limited to, the Company’s ongoing assessment of the impacts of the cybersecurity incident, including the Company’s potential discovery of additional information related to the incident in connection with its investigation or otherwise; the Company’s expectations regarding its ability to contain and remediate the cybersecurity incident; the impact of the cybersecurity incident on the Company’s relationships with customers, employees, and governmental regulators; the legal, reputational, and financial risks resulting from the cybersecurity incident, including as may arise from the exfiltrated data or any potential regulatory inquiries and/or litigation to which the Company may become subject in connection with the incident; any further or still undetected cyber security incident; and remediation and other additional costs that may be incurred by the Company in connection with the investigation and remediation of the incident. The forward-looking statements speak only as of the date of this Current Report on Form 8-K. The Company undertakes no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events, or otherwise, except as required by applicable law. For additional information on identifying factors that may cause actual results to vary materially from those stated in forward-looking statements, see the Company’s Annual Report on Form 10-K for the fiscal year ended December 31, 2024, and the Company’s subsequent filings with the Securities and Exchange Commission.
SIGNATURE
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
| UFP Technologies, Inc. | ||||||||
| Date: February 24, 2026 | By: | /s/ Ronald J. Lataille | ||||||
| Ronald J. Lataille | ||||||||
| Chief Financial Officer and Senior Vice President | ||||||||