The days of manufacturers quietly cleaning up from the damage of successful cyberattacks and their financial ramifications are over, and shareholders are paying attention.
Clorox on August 14 disclosed via an SEC filing that the company had “identified unauthorized activity on some of its Information Technology (IT) systems” that was “expected to continue to cause disruption to parts of the Company’s business operations.”
Then, on September 18, Clorox filed another SEC report stating it believed the hack was contained but was resulting in slower production rates and “an elevated level of consumer product availability issues.” News of the filing spread widely throughout the press, and Clorox’s stock price dropped roughly 2% between market close on September 18 and market open the following day.
It’s a textbook example of why no company wants to advertise a cybersecurity breach, and it also suggests why manufacturers are so likely to pay ransomware bounties and eliminate the problem. But Clorox’s disclosures are in keeping with new SEC rules that require disclosure of material cybersecurity incidents within four days of the incident.