Companies are already feeling the pressure from upcoming US SEC cyber rules

On August 14, 2023, bleach and cleaning product giant Clorox filed a form 8-K with the Securities and Exchange Commission, notifying the financial regulator that it had experienced a cybersecurity incident that had disrupted the company’s business operations.

A month later, the company filed another 8-K saying that the damage to its IT infrastructure from what it characterized as unauthorized activity was still wreaking havoc on its production systems, causing processing delays and an elevated level of product outages, all of which would have a material effect on its quarterly financials. The company said it would produce an updated financial impact of the incident once it had increased visibility.

Clorox’s SEC filings were the first reports of a material cyber incident following the SEC’s release of its new cyber incident reporting rules in late July. Under the new SEC rules, which don’t take effect until December 18, 2023, publicly traded companies will be required to:

  • Disclose within four days any cybersecurity incident they determine to be material and describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
  • Describe their processes for identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
  • Describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

Even though the rules don’t kick in until December, the Clorox incident highlights what experts say is a new sense of urgency by SEC-regulated companies to report data breaches. Moreover, they say that once the new rules take effect, companies will need closer working relationships between CISOs and the upper echelons of management to determine the financial materiality of the incidents.

Companies already feeling the heat from the upcoming regulations

“What I take out of the Clorox incident is interesting in that companies are starting to feel already the pressure of regulation from the SEC’s new rules, and they feel the need to promptly disclose that they have an incident that might be material,” Nick Sanna, president of the FAIR Institute and president of the cyber risk quantification firm SAFE, tells CSO.

“But it is also notable that it is absent of indication of the size of the materiality,” he adds. “And so, we don’t know exactly what it translates to in potential financial impact. I’ve heard about other companies that are now accelerating their investigation into how they respond to this question of materiality.”

“They thought they had a lot of time, and now they feel like other companies are upping the game by starting to file these 8-Ks more rapidly than before and probably not comparing well if they don’t do it even though the rule again is not in full effect yet,” Sanna says.

Adding to the sense of urgency is that under the new rules, the determination of “materiality has to be made without unreasonable delay, which actually is a new standard,” James Gerber, CFO of SimSpace, tells CSO. “There’s a clock on every single incident.”

Greater collaboration between C-Suite and cybersecurity teams is needed

Calculating the financial ramifications of a cybersecurity incident under the upcoming rules places pressure on corporate leaders to collaborate more closely with CISOs and other cybersecurity professionals within their organizations. Right now, a “gulf exists between boards and CFOs and their cybersecurity defense teams, their chief information security officers,” Gerber says. “The two aren’t speaking the same language yet.”

Gerber thinks that “what companies and CFOs are realizing is that they need to get their teams into these exercises so that they can practice making their determinations as accurately and clearly as they can and early as they can.”

“I think that the general counsels and the CISOs have been at arm’s length of each, and I’m going to tell you one extreme,” Sanna says. “One CISO told us that their legal or general counsel did not want them to assess cyber risk in financial terms so they could claim ignorance and not have to report it.”

CISOs need to become “best friends” with corporate attorneys and CFOs, Sanna says, “because the legal counsel needs to translate the findings of the CISO in terms of assessing risk and reporting it when it’s deemed to be material. And this is where the finance people come in.”

Transparency is important

CISOs and the C-Suite will also need to establish tighter working relationships to comply with other aspects of the upcoming rules, including reporting details about the incidents, describing material risks, and describing the board oversight process.

The SEC will say, “Show me the process by which you assess and manage cyber risk and expose it,” Sanna says. “And if you suck, if you don’t do that, you need to be transparent about it. By the way, they’re not asking you to be good. They’re asking you to be transparent.”

Clorox’s SEC filing, however, wasn’t very transparent. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, tells CSO: “They haven’t released a whole lot of details. I can’t even tell if it’s a ransomware attack or a data exfiltration attack.”

Whatever happened at Clorox, it’s clear the incident was damaging. “The first takeaway [from Clorox’s SEC filings] is that something very serious happened, and they probably didn’t mitigate it as quickly or effectively as they could have,” Gerber says.

A Sarbanes-Oxley moment for publicly traded companies

The fact that companies have started to position themselves to comply with the new rules leads Sanna to believe the regulations already have a Sarbanes-Oxley-like effect on SEC-regulated companies. The Sarbanes-Oxley Act of 2002, called SOX for short, mandates certain financial record-keeping and reporting requirements for public companies and provides companies with a framework to assess their financial risks.

“I think this is like a SOX moment,” Sanna says. “The SEC is saying cyber risk is a business risk.”

Grimes applauds the new SEC rules as “long overdue” and says the Clorox incident “is certainly a wake-up call. The board of directors, the CEO, and the C-level should be intimately involved in all risks, but the SEC particularly called out cybersecurity risks.”
