On August 14, 2023, bleach and cleaning product giant Clorox filed a form 8-K with the Securities and Exchange Commission, notifying the financial regulator that it had experienced a cybersecurity incident that had disrupted the company’s business operations.
A month later, the company filed another 8-K saying that the damage to its IT infrastructure from what it characterized as unauthorized activity was still wreaking havoc on its production systems, causing processing delays and an elevated level of product outages, all of which would have a material effect on its quarterly financials. The company said it would produce an updated financial impact of the incident once it had increased visibility.
Clorox’s SEC filings were the first reports of a material cyber incident since the SEC adopted its new cyber incident disclosure rules in late July. Under the new rules, for which compliance with the incident-disclosure requirement begins December 18, 2023, publicly traded companies will be required to:
- Disclose, on Form 8-K within four business days of determining that a cybersecurity incident is material, the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
- Describe their processes for identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
- Describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Even though the rules don’t kick in until December, the Clorox incident highlights what experts say is a new sense of urgency among SEC-regulated companies to report cybersecurity incidents. Moreover, they say that once the new rules take effect, companies will need closer working relationships between CISOs and the upper echelons of management to determine whether an incident is financially material.
Companies already feeling the heat from the upcoming regulations
“What I take out of the Clorox incident is interesting in that companies are starting to feel already the pressure of regulation from the SEC’s new rules, and they feel the need to promptly disclose that they have an incident that might be material,” Nick Sanna, president of the FAIR Institute and president of the cyber risk quantification firm SAFE, tells CSO.
“But it is also notable that it is absent of indication of the size of the materiality,” he adds. “And so, we don’t know exactly what it translates to in potential financial impact. I’ve heard about other companies that are now accelerating their investigation into how they respond to this question of materiality.”