A cyberattack on cleaning-products maker Clorox is providing an early test for new rules on disclosing cyberattacks, in a case that is being closely watched by business leaders.
Clorox is one of the first large U.S. companies to suffer a cyberattack since the Securities and Exchange Commission’s rigorous new cybersecurity rules went into effect Sept. 5.
Since an initial notice posted on its website and one filed with the SEC on Aug. 14, Clorox has issued six more, including another 8-K filing, each adding details about operational disruptions as the episode unfolds. The company said the financial impact is still unknown.
Clorox’s string of bulletins over more than four weeks shows how determining the material impact of a cyberattack is unfamiliar ground for companies. Such decisions can take longer than assessments of more common material events, such as an executive departure, said Andrew Heighington, chief information security officer and head of technology and privacy at software provider Visit.org.
“The fog of these incidents will make it hard to provide reliable information at the start,” Heighington said. “A stream of 8-Ks will be the new norm,” he said.
Most public companies will be required to report significant hacks to the SEC in an 8-K form starting Dec. 18.
Clorox, whose many brands include Burt’s Bees cosmetics and Glad trash bags, said the cyberattack damaged some technology systems and the company shut down others to stop the spread. As a result, order processing and some manufacturing have been disrupted, leading to product shortages. On Monday, Clorox said it was working on system repairs and it expected order processing to start getting back to normal next week.
The first statement from Clorox was vague, said Heighington, who has held cybersecurity positions at Bank of America and JPMorgan Chase.
Clorox said “unusual activity” on its systems prompted the company to take down some technology and that “some operations are temporarily impaired.”
“I’m not sure the initial disclosure had much value to investors, other than letting them know they were experiencing an incident,” he said. Subsequent notices were more useful, which reflects the nature of a cyber incident, where consequences become clear over time and with investigation, he said.
Clorox hasn’t specified which products have been affected and to what extent. A spokeswoman declined to comment on which systems were damaged or shut down, pointing to the company’s public statements.
Chau Banks, chief information and data officer, and CISO Amy Bogac are among the employees working on incident response, the spokeswoman said.
Under the SEC’s new rules passed in July, a company has four days to outline the nature, scope and timing of a cyber incident after determining it will have material consequences.
The agency wants investors to have access to more standardized information about significant cyber breaches, said Eric Gyasi, a lawyer with the firm BakerHostetler who focuses on cyber risk and incident response. He declined to comment directly on the situation at Clorox.
A clear, documented process for deciding whether a cyberattack is material is new ground for some companies, Gyasi said. “Make sure there’s a process for bringing actionable information to disclosure committees,” he said. The procedure will likely include the CISO, working with legal, finance and other departments, he said.
At Clorox, leaders are still evaluating the financial and business impact, but the company said that its first-quarter earnings would take a hit from the attack. Clorox’s fiscal 2024 first quarter ends Sept. 30.
“Due to the order processing delays and elevated level of product outages, the Company now believes the impact will be material on Q1 financial results,” Clorox said in an SEC filing. “It is premature for the Company to determine longer-term impact, including fiscal year outlook, given the ongoing recovery.”
Write to Kim S. Nash at kim.nash@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
Clorox Cyberattack Brings Early Test of New SEC Cyber Rules