A cyberattack on cleaning-products maker
is providing an early test for new rules on disclosing cyberattacks, in a case that is being closely watched by business leaders.
Clorox is one of the first large U.S. companies to suffer a cyberattack since the Securities and Exchange Commission’s rigorous new cybersecurity rules went into effect Sept. 5.
Since an initial notice posted on its website and one filed with the SEC on Aug. 14, Clorox has issued six more, including another 8-K filing, each adding details about operational disruptions as the episode unfolds. The company said the financial impact is still unknown.
Clorox’s string of bulletins over more than four weeks shows how determining the material impact of a cyberattack is unfamiliar ground for companies. Such decisions can take longer than assessments of more common material events, such an executive departure, said
chief information security officer and head of technology and privacy at software provider Visit.org.
“The fog of these incidents will make it hard to provide reliable information at the start,” Heighington said. “A stream of 8-Ks will be the new norm,” he said.
Most public companies will be required to report significant hacks to the SEC in an 8-K form starting Dec. 18.
Clorox, whose many brands include Burt’s Bees cosmetics and Glad trash bags, said the cyberattack damaged some technology systems and the company shut down others to stop the spread. As a result, order processing and some manufacturing have been disrupted, leading to product shortages. On Monday, Clorox said it was working on system repairs and it expected order processing to start getting back to normal next week.
The first statement from Clorox was vague, said Heighington, who has held cybersecurity positions at
Bank of America
Clorox said “unusual activity” on its systems prompted the company to take down some technology and that “some operations are temporarily impaired.”
“I’m not sure the initial disclosure had much value to investors, other than letting them know they were experiencing an incident,” he said. Subsequent notices were more useful, which reflects the nature of a cyber incident, where consequences become clear over time and with investigation, he said.
Clorox hasn’t specified which products have been affected and to what extent. A spokeswoman declined to comment on which systems were damaged or shut down, pointing to the company’s public statements.
chief information and data officer, and CISO
are among the employees working on incident response, the spokeswoman said.
Under the SEC’s new rules passed in July, a company has four days to outline the nature, scope and timing of a cyber incident after determining it will have material consequences.
The agency wants investors to have access to more standardized information about significant cyber breaches, said
a lawyer with the firm BakerHostetler who focuses on cyber risk and incident response. He declined to comment directly on the situation at Clorox.
A clear, documented process for deciding whether a cyberattack is material is new ground for some companies, Gyasi said. “Make sure there’s a process for bringing actionable information to disclosure committees,” he said. The procedure will likely include the CISO, working with legal, finance and other departments, he said.
At Clorox, leaders are still evaluating the financial and business impact, but the company said that its first-quarter earnings would take a hit from the attack. Clorox’s fiscal 2024 first quarter ends Sept. 30.
“Due to the order processing delays and elevated level of product outages, the Company now believes the impact will be material on Q1 financial results,” Clorox said in an SEC filing. “It is premature for the Company to determine longer-term impact, including fiscal year outlook, given the ongoing recovery.”
Write to Kim S. Nash at firstname.lastname@example.org
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
Clorox Cyberattack Brings Early Test of New SEC Cyber Rules
#Clorox #Cyberattack #Brings #Early #Test #SEC #Cyber #Rules