Expert: Clorox ‘trying to do the right thing’ with rapid cyberattack disclosures
The timing of a recent cyberattack against Clorox, juxtaposed against the Securities and Exchange Commission’s (SEC) adoption of its cybersecurity incident disclosure rule, which is soon to take effect, has presented a case study in how companies might seek to meet the requirements of the rule.
The SEC’s rule, finalized in July, will require public companies to disclose the nature, scope, timing, and impact of cybersecurity incidents deemed to be material within four business days. Large companies could be required to begin making the new disclosures as soon as December.
The case of Clorox’s cyberattack has been chronicled by media outlets, including the Wall Street Journal, as an example of what those types of disclosures might look like.
Clorox disclosed in an Aug. 14 regulatory filing it had been disrupted by a significant cybersecurity incident. A follow-up disclosure more than a month later revealed it shut down automated order processing and was handling orders manually, which impacted operations.