The Clorox Company has incurred $49 million in costs related to an August 2023 cyberattack as of Dec. 31, according to a recent Securities and Exchange Commission filing.
The costs primarily relate to third-party consulting services, including information technology recovery and forensics work, as well as “incremental operating expenses” accrued as a result of system disruptions, according to the filing.
The company said it expects to incur “lessening costs related to the cyberattack in future periods.”
Oakland, California-headquartered Clorox makes household products such as Clorox bleach, Pine-Sol and Fresh Step cat litter.
The company disclosed last August that it had identified unauthorized activity on some of its IT systems. After becoming aware of the breach, the company took steps such as placing certain systems offline and engaging third-party cybersecurity experts to support investigation and recovery efforts, according to the SEC filing.
Despite these efforts, the incident resulted in “wide-scale disruptions to the Company’s business operations throughout the remainder of the quarter ended September 30, 2023,” the filing said.
The system disruptions triggered order processing delays and “significant product outages,” negatively impacting net sales and earnings, the company said.
The disclosure highlights the escalating costs of cybersecurity breaches and related pressures weighing on the office of the CFO.
The global average cost of a data breach between March 2022 and March 2023 was $4.45 million, a 15% increase over three years and an all-time high, according to IBM. Detection and escalation costs jumped 42% during the same period, representing the highest portion of breach costs, and indicating a shift towards more complex breach probes, the research found.
Meanwhile, businesses are also grappling with heightened regulatory risks associated with cybersecurity.
The SEC last October sued Austin, Texas-based software provider SolarWinds and its chief information security officer, Timothy Brown, for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to a major breach discovered in December 2020. The company has denied the charges.
In December, the SEC began enforcing new rules that require public companies to disclose “material” cybersecurity incidents within four days of determining that it is a material breach. The rules, which build on prior agency guidance, substantially raise the stakes for public companies and their executives, including CFOs, analysts say.
“I think we’ve already seen the SEC kind of turning up the heat on this issue, and the stakes are even higher with a formal rule now in place,” Cara Peterman, a partner in Alston & Bird’s Securities Litigation Group, previously told CFO Dive.