Clorox cyberattack brings early test of new SEC cybersecurity rules
A cyberattack on cleaning products maker Clorox provides an early test for new rules on disclosing cyberattacks, in a case closely watched by company leaders.
Clorox is one of the first major U.S. companies to suffer a cyberattack since the Securities and Exchange Commission’s tough new cybersecurity rules took effect on September 5.
Since an initial notice posted on its website and another filed with the SEC on August 14, Clorox has issued six more, including another 8-K filing, each adding details of the operational disruptions and the progress of the episode as they become available. The company said the financial impact was still unknown.
Clorox’s series of bulletins, spanning more than four weeks, shows how determining the material impact of a cyberattack is uncharted territory for businesses. Such decisions can take longer than evaluating more common significant events, such as the departure of an executive, said Andrew Heighington, chief information security officer and head of technology and privacy at the software provider Visit.org.
“The haze of these incidents will make it difficult to provide reliable information at first,” Heighington said. “An 8-K stream will be the new standard,” he said.
Most public companies will be required to report significant hacks to the SEC in Form 8-K starting December 18.
Clorox, whose many brands include Burt’s Bees cosmetics and Glad trash bags, said the cyberattack damaged some technology systems and the company shut down others to stop the spread. As a result, order processing and some manufacturing were disrupted, leading to product shortages. On Monday, Clorox said it was working on system repairs and expected order processing to return to normal next week.
Clorox’s initial statement was vague, said Heighington, who has held cybersecurity positions at Bank of America and JPMorgan Chase.
Clorox said “unusual activity” on its systems prompted the company to remove some technology and that “some operations were temporarily disrupted.”
“I’m not sure the initial disclosure had much value to investors other than letting them know they were facing an incident,” he said. Later notifications were more useful, reflecting the nature of a cyber incident, the consequences of which become clear over time and investigation, he said.
Clorox did not specify which products were affected and to what extent. A spokeswoman declined to comment on which systems were damaged or shut down, pointing to the company’s public statements. Chau Banks, chief information and data officer, and CISO Amy Bogac are among the employees working on incident response, the spokeswoman said.
Under new SEC rules adopted in July, a company has four days to describe the nature, scope and timing of a cyber incident after determining that it will have significant consequences.
The agency wants investors to have access to more standardized information about significant cyber breaches, said Eric Gyasi, an attorney with the firm BakerHostetler who focuses on cyber risks and incident response. He declined to comment directly on the situation at Clorox.
A clear, documented process for deciding whether a cyberattack is significant is new territory for some companies, Gyasi said. “Make sure there is a process for getting actionable information to the disclosure committees,” he said. The process will likely involve the CISO, working with legal, finance and other departments, he said.
At Clorox, executives are still assessing the financial and business impact, but the company said its first-quarter results would be impacted by the attack. Clorox’s first quarter of fiscal 2024 ends September 30.
“Due to order processing delays and high level of product failures, the Company now estimates that the impact will be material to the first quarter financial results,” Clorox said in an SEC filing. “It is premature for the Company to determine the long-term impact, including the outlook for the financial year, given the ongoing recovery.”
Write to Kim S. Nash at kim.nash@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.