Before we all forget, compliance and audit professionals should note that HanesBrands coughed up an ugly quarterly report last week — and one principal reason for that awful report was a ransomware attack that apparently cost HanesBrands $100 million in lost revenue.
The ransomware attack itself is not news; Hanes disclosed the matter on May 31 in a filing with the Securities and Exchange Commission. Not until last week, however, did investors and the public get a clear sense of just how much the attack disrupted Hanes’ operations. It was a doozy.
As detailed in an earnings release published Aug. 11, the attack struck Hanes’ global supply chain network and limited the company’s ability to fulfill customer orders for roughly three weeks. That led to $100 million in lost sales for the second quarter, as well as a $35 million cut to adjusted operating profit and $0.08 nicked from earnings per share.
We seldom see a company disclose such specific details about a cyber attack: which parts of operations were disrupted, and how much potential business was lost. So with the SEC poised to adopt new rules for expanded disclosures of cybersecurity risk, what lessons can compliance and audit professionals learn from this incident?
To be clear, HanesBrands would’ve had a terrible second quarter even without a ransomware attack making matters that much worse. Net sales were down $238 million from the year-earlier period, a drop of 14 percent; net income fell 28 percent. So the ransomware attack didn’t cause Hanes’ awful quarter, but clearly did have a material effect on the company’s operating results.
On the other hand, Hanes reported $1.51 billion in net sales for the quarter. That means the ransomware attack reduced net sales (which hypothetically would have been $1.61 billion) by roughly 6.2 percent. That is a material disruption to the business by anyone’s yardstick.
Which is exactly the sort of incident that can tie a company’s SEC filings and internal control over financial reporting into knots.
Disclosing a Material Cybersecurity Incident
We can begin with the SEC’s proposal that companies would need to disclose the details of “material cybersecurity incidents” within four days of deciding that, yep, this incident we have here is material. What would you then need to include in an 8-K filing? The SEC has a list:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the company’s operations; and
- Whether the company has remediated or is currently remediating the incident.
Now let’s see how Hanes described its ransomware attack:
The above description of the attack certainly fits all the SEC’s disclosure criteria. My question is more about how you determine that a cybersecurity incident is material in the first place.
An attack that cuts net sales by 6.2 percent is material (any loss greater than 1 or 2 percent would be), but we’re looking at that number in hindsight. When a company first discovers that a ransomware attack is afoot, it most likely doesn’t know how severe the damage will be. It needs to monitor the disruption as it unfolds, until it crosses some materiality threshold.
Well, think about what that means. You’d need to understand the value at risk from a cyber disruption. You’d need careful analysis of which systems are mission-critical, and the “hourly rate” of their importance, so to speak, so you can keep a running tally of the financial losses.
For example, you’d need to be able to say something along the lines of, “For every minute our fulfillment system is off-line, we lose $3,300 in orders.” Do the math, and after three weeks a disruption like that would cost you $100 million in sales.
After only one week, however, that disruption would already have cost $33 million in lost sales. For a company with $1.6 billion in total sales, that would be a loss of roughly 2 percent — and plenty of people would say a 2 percent loss to net sales is material. So our hypothetical company would need to file a disclosure about the incident four days after it crossed that threshold, rather than eight or 10 weeks later in the next earnings release.
I only picked those numbers to give an example that roughly fits the losses HanesBrands suffered; everyone following along will need to use whatever numbers make sense for your own business. The underlying math, however, still holds. Under certain circumstances, a ransomware attack could cost you so much money that very quickly it’s material and needs to be disclosed to investors double-quick.
Given all that, compliance and risk teams need to ask themselves several questions to assure that they’re prepared for such a world. For example, has your company identified its mission-critical, revenue-generating systems? Has it modeled out the estimated revenue per hour those processes generate? Have you consulted with finance and accounting teams so that everyone has a clear understanding of the financial threshold for a material loss?
Those are the capabilities companies will need to meet the compliance challenges coming soon.
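The running-tally model sketched above (revenue per minute for each mission-critical system, accumulated over the outage, compared against a materiality threshold agreed with finance, then a filing clock) can be written down as a small script. The following is an added example, not code from the article or from HanesBrands; the system names, the made-up outage date, the 2 percent threshold, the minute-by-minute resolution, and the use of four calendar days for the filing window are all assumptions of the example, while the $3,300-per-minute rate and the $1.6 billion sales figure are the article’s own illustrative numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class CriticalSystem:
    """A mission-critical, revenue-generating system and its 'hourly rate'."""
    name: str
    revenue_per_minute: float  # USD of orders lost per minute the system is down


@dataclass
class Outage:
    """A disruption window for one system; end=None means still ongoing."""
    system: str
    start: datetime
    end: Optional[datetime] = None


def cumulative_loss(systems: List[CriticalSystem], outages: List[Outage], as_of: datetime) -> float:
    """Running tally of revenue lost across all outages up to `as_of`."""
    rates: Dict[str, float] = {s.name: s.revenue_per_minute for s in systems}
    total = 0.0
    for o in outages:
        end = o.end if o.end is not None else as_of
        end = min(end, as_of)  # never count minutes that have not happened yet
        minutes = max(0.0, (end - o.start).total_seconds() / 60.0)
        total += minutes * rates[o.system]
    return total


def materiality_threshold(expected_sales: float, pct: float = 0.02) -> float:
    """Dollar threshold agreed with finance; 2% of expected sales is the article's example (assumed here)."""
    return expected_sales * pct


def first_material_moment(systems: List[CriticalSystem], outages: List[Outage],
                          expected_sales: float, pct: float = 0.02,
                          horizon_days: int = 90) -> Optional[datetime]:
    """Walk forward minute by minute from the earliest outage start and return the
    first moment the running tally reaches the threshold, or None within the horizon."""
    if not outages:
        return None
    t0 = min(o.start for o in outages)
    threshold = materiality_threshold(expected_sales, pct)
    for minute in range(horizon_days * 24 * 60 + 1):
        t = t0 + timedelta(minutes=minute)
        if cumulative_loss(systems, outages, t) >= threshold:
            return t
    return None


def disclosure_deadline(material_at: datetime, days: int = 4) -> datetime:
    """Filing deadline: the article's 'four days' after the incident is judged material (calendar days assumed)."""
    return material_at + timedelta(days=days)


# Constructed sample: one fulfillment system at $3,300/minute (the article's figure),
# $1.6 billion expected quarterly sales, and a made-up outage start date.
SYSTEMS = [CriticalSystem("fulfillment", 3_300.0)]
OUTAGE_START = datetime(2022, 1, 1, 0, 0)
EXPECTED_SALES = 1_600_000_000.0


def three_week_scenario() -> dict:
    """Reproduce the article's arithmetic: one week and three weeks of downtime,
    plus when the 2% threshold is crossed and when the filing would be due."""
    outages = [Outage("fulfillment", OUTAGE_START, OUTAGE_START + timedelta(weeks=3))]
    material_at = first_material_moment(SYSTEMS, outages, EXPECTED_SALES)
    deadline = disclosure_deadline(material_at) if material_at else None
    to_minutes = lambda t: (t - OUTAGE_START).total_seconds() / 60.0
    return {
        "loss_after_one_week": cumulative_loss(SYSTEMS, outages, OUTAGE_START + timedelta(weeks=1)),
        "loss_after_three_weeks": cumulative_loss(SYSTEMS, outages, OUTAGE_START + timedelta(weeks=3)),
        "minutes_until_material": to_minutes(material_at) if material_at else None,
        "minutes_until_deadline": to_minutes(deadline) if deadline else None,
    }


if __name__ == "__main__":
    for key, value in three_week_scenario().items():
        print(f"{key}: {value}")
```

With the article's numbers the tally passes $32 million (2 percent of $1.6 billion) a little under seven days into the outage, which is why the filing clock in this model starts in the first week rather than at the next earnings release; the three-week total comes out just under $100 million, matching the article's rounding. Adding more systems to `SYSTEMS` with their own rates, and more `Outage` windows, is the natural extension once a company has actually modeled its revenue-generating processes.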
Materiality and Control Failures
A ransomware attack like the one HanesBrands has described also raises serious internal control questions.
For example, exactly how did this ransomware attack penetrate Hanes’ cybersecurity defenses? Did an employee fall for a phishing attack? Did an important technology provider for Hanes fail to patch its ERP software systems? Did Hanes itself fail to patch its own ERP software?
This matters because the specific way that your company falls victim to a ransomware attack could indicate a material weakness in internal control. That, in turn, could lead to potentially serious trouble with your audit firm, regulators, cyber insurance firms, or other parties looking to assign blame for the attack.
For example, if you have fabulous cybersecurity training for employees, and nobody ever fell for a phishing attack until, one day, a new employee fell for such an attack the second day on the job — that doesn’t suggest a material control failure to me. But if your employees routinely fell for phishing attacks you ran as a test, or the company never ran phishing simulations at all — auditors or regulators might construe that as a material weakness in the control environment.
We could say the same for failures in third-party oversight (“oh, um, we never did SOC 2 audits on our tech service providers”) or patch management (“we don’t test patches before implementing them”). Poor management of your cybersecurity regime could be a material weakness in internal control, and then you have a mess.
Imagine, for example, the Hanes ransomware attack happening in the physical world. It would be equivalent to a bunch of thugs changing the locks on your warehouse and loading docks, and management unable to get them open for three weeks. A failure to manage physical assets like that would have the audit committee, shareholders, customers, and insurers screaming for the management team to be drawn and quartered on the front lawn.
Does anyone really believe the day won’t come when we demand the same for failures in the digital world? Anyone at all?