Cybersecurity incidents in 2023 cost Clorox and Johnson Controls nearly $76 million combined, according to reports filed with the Securities and Exchange Commission (SEC). The incidents underscore the painful reality that such attacks cost real money.
Security pros said the level of transparency in filings from public companies since the start of 2024 has increased, a trend largely driven by regulatory pressures, shareholder demands, and a growing acceptance among the C-suite that cybersecurity has become an important part of risk management.
While the new SEC rule on cybersecurity risk governance that went into effect Dec. 18 aims to standardize disclosures related to cybersecurity incidents, it’s unclear if these specific filings by Clorox and Johnson Controls were directly in response to the new filing rule.
However, Callie Guenther, senior manager, cyber threat research at Critical Start, said the transparency offered by such filings serves multiple stakeholders.
“For investors and shareholders, it offers a clearer picture of the financial and operational health of a company, including potential vulnerabilities and the costs associated with managing cyber incidents,” said Guenther. “For the broader industry, it serves as a valuable data point on the nature of cyber threats and the financial implications of such incidents, helping other companies to better prepare and allocate resources towards their cybersecurity efforts.”
In its filing with the SEC, Clorox said it incurred incremental expenses of up to $49 million through the end of last year as a result of a cyberattack in August. The money was spent on third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack. Clorox also incurred incremental operating costs from the disruption to the company’s business operations. The company said it expected to incur fewer costs related to the cyberattack in the months ahead.
“Our second-quarter results reflect strong execution on our recovery plan from the August cyberattack,” said chair and CEO Linda Rendle. “We are rebuilding retailer inventories ahead of schedule, enabling us to return to merchandising and restore distribution.”
Johnson Controls reported in its SEC filing that a ransomware attack last September cost the company nearly $27 million — costs primarily related to expenses associated with the response and remediation of the incident.
The company said it expects to incur additional expenses tied to the response to the cybersecurity incident, mostly in the first half of 2024 These include costs from hiring IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the company’s billing systems.
“Today, it’s become more routine to report these incidents, especially when the attacks come with a large unplanned price tag,” said John Bambenek, president of Bambenek Consulting. “Incident response firms and other third-parties coming in to help come with real costs. Largely this is driven by insurance companies, who require third-party remediation and response.”
It should be noted that Johnson Controls said in its SEC filing that a "substantial portion" of its direct costs to remediate the incident and pay for its operations losses will come via insurance recoveries.