TLDR:
- Cybersecurity incidents in 2023 cost Clorox and Johnson Controls nearly $76 million combined, according to reports filed with the Securities and Exchange Commission (SEC).
- Increased transparency in filings from public companies is driven by regulatory pressures, shareholder demands, and a growing acceptance among C-suite executives that cybersecurity is a critical part of risk management.
Cybersecurity incidents in 2023 resulted in Clorox and Johnson Controls collectively losing nearly $76 million, as reported in filings with the Securities and Exchange Commission (SEC). The filings reflect a growing trend of increased transparency in the wake of regulatory pressures, shareholder demands, and the recognition among C-suite executives that cybersecurity plays a crucial role in risk management. The SEC rule on cybersecurity risk governance, which went into effect in December 2023, aims to standardize disclosures related to cybersecurity incidents, although it remains unclear if these specific filings were directly in response to the new rule.
However, the transparency offered by such filings has benefits for multiple stakeholders. Investors and shareholders gain a clearer picture of a company’s financial and operational health, including potential vulnerabilities and the costs associated with managing cyber incidents. The broader industry benefits from valuable data on the nature of cyber threats and their financial implications, which allows other companies to better prepare and allocate resources for their cybersecurity efforts.
In its SEC filing, Clorox revealed that it incurred expenses of up to $49 million as a result of a cyberattack in August 2023. The money was spent on third-party consulting services, including IT recovery and forensic experts, as well as other professional services related to investigating and remediating the attack. The company also experienced incremental operating costs due to the disruption of its business operations. However, Clorox expects to incur fewer costs related to the cyberattack in the future.
Johnson Controls reported in its SEC filing that a ransomware attack in September 2023 cost the company nearly $27 million, primarily for expenses associated with responding to and remediating the incident. The company anticipates additional expenses in the first half of 2024 related to hiring IT recovery and forensic experts, among others, to investigate and remediate the incident. Incremental operating expenses resulting from the disruption to the company’s billing systems are also expected. Notably, Johnson Controls mentioned that a substantial portion of its direct costs will be covered by insurance recoveries.
Reporting cybersecurity incidents is becoming more routine, particularly when attacks come with a substantial financial cost. Incident response firms and other third parties involved in the remediation and response process incur real costs, often driven by insurance requirements. The filings by Clorox and Johnson Controls provide insights into the financial implications of cyber threats and serve as a reminder for companies to prioritize cybersecurity efforts.