How listed companies like Clorox can establish cybersecurity good governance in 2023

Courtesy of Brett Sayles

Clorox, a NASDAQ-listed maker of cleaning products, suffered a cyberattack in August that brought its manufacturing facilities to a grinding halt. The attack ultimately cost the company up to $593 million in reduced sales revenue. Manufacturers are often the least well-equipped to deal with a cyberattack, yet they are also the most exposed to making huge losses when their operations are disrupted. Regulators have taken note that businesses like Clorox are engaged in a losing battle against both foreign and domestic cyber criminality. By introducing stringent cybersecurity regulation, their focus is to ensure that companies treat cyberattacks as an increasingly systemic threat.

Impact of the new SEC cyber incident disclosure rules

Dec. 8, 2023, is the compliance deadline for companies to adhere to the U.S. Securities and Exchange Commission’s (SEC) finalized historic cyber incident disclosure rules. This applies to all publicly listed companies, including foreign issuers, who must be prepared to make timely determinations about whether an attack underway may have a “material” effect on their enterprise. The rule, which came into effect on Sept. 5, 2023, now requires that companies make those determinations “without unreasonable delay,” meaning that disclosure teams must get involved in cyber incident response activities much earlier than before. Companies will then have four days to inform core stakeholders such as investors, customers and regulators.

In addition, publicly listed companies will also need to provide more comprehensive discussions about the kinds of cybersecurity threats they have prepared for, especially severe ones that can have material impacts on the company. They should also outline the approaches they have in place to minimize the effects of such events on the company’s business strategy, operations or financial conditions. Although the compliance deadline is yet to pass, companies are already taking action to demonstrate transparency with their investors and stakeholders. Clorox serves as case in point, originally disclosing the cyber incident in an 8-K form filing to the SEC in line with the new regulations.

The new SEC regulations are designed to better inform investors about an organization’s cyber defensive capabilities and ensure prompt reporting of material cybersecurity incidents, intensifying the pressure on organizations to enhance their communication with customers and investors on the safety of their data and the measures they are taking to defend themselves. Currently, 85% of data breaches never reach the public domain and are not disclosed by companies who fear damage to reputation and a fall in share price.

In a time of immense upheaval in both the threat and regulatory landscape, particularly with the proliferation of new generative artificial intelligence (AI) tools in the hands of attackers, companies need to improve their processes and practices to protect vulnerable and sensitive data and systems. The effects here for cyber practices from the new SEC regulations are similar to the positive effects that the Sarbanes-Oxley (SOX) regulations had on financial reporting two decades ago. Most companies have long known what to do. Like with SOX, they will likely help to foster greater adoption of best practices for withstanding severe cyber events more broadly across public reporting companies.

Best practices for companies, like Clorox, hit by a cyberattack

Cybercrime is predicted to cost the world $10.5 trillion annually by 2025, but the impact of a cyberattack extends far beyond the economic costs. It also degrades trust and damages the reputations of public and private service providers. Clorox is still making headlines due to its poor commercial performance post-hack. Now, a spotlight is being placed on the importance of securing critical infrastructure, from manufacturers like Clorox to banks and technology, to combat heightened threats.

Companies need to take more proactive steps not only in protecting their critical infrastructure but also to practice defending it under severe circumstances, all the way through to the rapid and full restoration of systems after an attack has been contained. Best-practice companies have been investing in advanced, military-grade cyber defense strategies like adopting a zero-trust approach and testing their people, processes and technology in simulated cyber range environments before an attack occurs. As cyber threats and attacks are becoming more common, sophisticated and damaging, developing a company’s cyber defense capability and stress-testing capacity is key to mitigating risk. It is what CEOs, boards, audit committees, investors, regulators and insurers most want to know.

NATO’s cyber defense teams and their counterparts in the U.S. have long prepared to defend against nation-state attacks by training in advanced cyber ranges that replicate the real production information technology (IT) and operational technology (OT) environments that they have to defend every day. Security teams are equipped with the same defensive tools, combatting the same tactics, techniques and procedures implemented in high-profile attacks. Many leading publicly listed companies have followed suit with those best practices; and now, a broad cross section of listed companies needs to take on the same best practice of military-grade protections.

These best-practice environments enable companies to explore and make sure their defenses are as good around key specialty systems, like the billing system that took down the Colonial Pipeline and the order entry and another system that have recently proven to be critical in the Clorox attack. This ability for companies to rehearse for the unfortunate eventuality that they are hit by a significant cyber event is also helping companies to integrate their financial and disclosure teams right into their incident processes to help them work the early stages of their materiality determinations in parallel with the incident response teams to help them to make their determinations “without unreasonable delay.”

Similar early integration of legal teams is also helping best-practice companies to have the right triggers so they can better utilize the national security exception provided for in the new SEC regulations. This is helping them not only to bring in national cyber teams earlier and at the right times but also, under certain circumstances, to have more than the standard four days allotted to make disclosures.

Preparing employees for a real cyber event

Companies have long thought that traditional tabletop exercises will be sufficient to prepare teams to timely and accurately respond to a severe cyberattack, but occasions like the Clorox attack prove this not to be the case. Years ago, the U.S. Air Force learned that the chances of survival went up substantially for a flier that had already successfully flown 10 missions. As a result, they created training environments so that their fliers could get that experience under severe circumstances before going into actual combat.

Cyber Command in the U.S. did the same thing as they stood up their cyber training exercises in 2010, and best-practice companies should follow suit. They all want their teams practiced and regularly scored for effectiveness on high-fidelity replicas of the actual production systems that they defend so that their leadership will know that they can be successful on the day that the potentially material real cyber event occurs

Ultimately, these companies adopt a model of continuous improvements to sustain performance as new threats emerge. Leadership feels more confident that their teams and tools will be able to withstand severe attacks and rapidly restore capabilities. Investors, regulators and insurers do, too.

Although the material threats posed by nation-state-backed groups have awoken many organizations to the systemic risk that attacks against any of our large, publicly traded companies pose, we need to remain vigilant in our war against cyber threat actors. In the upcoming year and with the advent of these new SEC cyber regulations, every public company CEO will be looking at unfortunate cases like Clorox and thinking about how to better prepare their organizations for the continuing cyberthreats.




Keep your finger on the pulse of top industry news