Clorox cyberattack brings early test of new SEC cybersecurity rules


A cyberattack on cleaning products maker Clorox provides an early test for new rules on disclosing cyberattacks, in a case closely watched by company leaders.

Clorox is one of the first major U.S. companies to suffer a cyberattack since the Securities and Exchange Commission’s tough new cybersecurity rules took effect on September 5.

Since an initial notice posted on its website and another filed with the SEC on August 14, Clorox has issued six more, including another 8-K filing, each adding details of the operational disruptions as they become available. The company said the financial impact was still unknown.

Clorox’s more than four-week series of bulletins shows how determining the material impact of a cyberattack is uncharted territory for businesses. Such decisions can take longer than evaluating more common significant events, such as the departure of an executive, said Andrew Heighington, chief information security officer and head of technology and privacy at the software provider Visit.org.

“The haze of these incidents will make it difficult to provide reliable information at first,” Heighington said. “An 8-K stream will be the new standard,” he said.

Most public companies will be required to report significant hacks to the SEC in Form 8-K starting December 18.

Clorox, whose many brands include Burt’s Bees cosmetics and Glad trash bags, said the cyberattack damaged some technology systems and the company shut down others to stop the spread. As a result, order processing and some manufacturing were disrupted, leading to product shortages. On Monday, Clorox said it was working on system repairs and expected order processing to return to normal next week.

Clorox’s initial statement was vague, said Heighington, who has held cybersecurity positions at Bank of America and JPMorgan Chase.

Clorox said “unusual activity” on its systems prompted the company to remove some technology and that “some operations were temporarily disrupted.”

“I’m not sure the initial disclosure had much value to investors other than letting them know they were facing an incident,” he said. Later notifications were more useful, reflecting the nature of a cyber incident, the consequences of which become clear over time and investigation, he said.

Clorox did not specify which products were affected and to what extent. A spokeswoman declined to comment on which systems were damaged or shut down, pointing to the company’s public statements. Chau Banks, chief information and data officer, and CISO Amy Bogac are among the employees working on incident response, the spokeswoman said.

Under new SEC rules adopted in July, a company has four days to describe the nature, scope and timing of a cyber incident after determining that it will have significant consequences.

The agency wants investors to have access to more standardized information about significant cyber breaches, said Eric Gyasi, an attorney with the firm BakerHostetler who focuses on cyber risks and incident response. He declined to comment directly on the situation at Clorox.

A clear, documented process for deciding whether a cyberattack is significant is new territory for some companies, Gyasi said. “Make sure there is a process for getting actionable information to the disclosure committees,” he said. The process will likely involve the CISO, working with legal, finance and other departments, he said.

At Clorox, executives are still assessing the financial and business impact, but the company said its first-quarter results would be impacted by the attack. Clorox’s first quarter of fiscal 2024 ends September 30.

“Due to order processing delays and high level of product failures, the Company now estimates that the impact will be material to the first quarter financial results,” Clorox said in an SEC filing. “It is premature for the Company to determine the long-term impact, including the outlook for the financial year, given the ongoing recovery.”

Write to Kim S. Nash at kim.nash@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.



With a penchant for words, Eleon Smith began writing at an early age. As editor-in-chief of his high school newspaper, he honed his skills telling impactful stories. Smith went on to study journalism at Columbia University, where he graduated top of his class. After interning at the New York Times, Smith landed a role as a news writer. Over the past decade, he has covered major events like presidential elections and natural disasters. His ability to craft compelling narratives that capture the human experience has earned him acclaim. Though writing is his passion, Eleon also enjoys hiking, cooking and reading historical fiction in his free time. With an eye for detail and knack for storytelling, he continues making his mark at the forefront of journalism.