A Look at Actual Cyber Disclosures
Today I want to return to cybersecurity disclosures. Before we even get to the Securities and Exchange Commission’s new rule for expanded disclosure of cybersecurity issues, perhaps we should pause to consider: what have companies already been disclosing about cyber incidents?
After all, the most contentious part of the SEC’s new cyber disclosure rule is the section requiring companies to disclose “material cybersecurity incidents” within four days of deciding that the incident is material. If we examine what companies have already been disclosing, that might give us all a better sense of the challenges ahead to meet those new and expanded disclosure details.
To answer that question I skimmed through the most recent quarterly filings of S&P 500 firms, looking for any reference to “cybersecurity incident” or “cybersecurity event.” I did indeed find several, so let’s take a look.
AmerisourceBergen
The first one I found was AmerisourceBergen, the pharmaceutical giant with $238.6 billion in annual sales. Tucked away in the Management Discussion & Analysis of its quarterly report, the company said it suffered a cybersecurity incident at a foreign subsidiary in March 2023. The incident struck a legacy IT platform and disrupted the foreign unit’s operations for roughly two weeks.
AmerisourceBergen didn’t disclose the precise cost of that attack, but it did leave some clues elsewhere in the 10-Q. Specifically, the company said that its costs to recover from the event were a majority of its “Other” expenses listed for both Q2 and the preceding nine months. Those amounts were reported as $2.33 million and $40.54 million, respectively.
Well, do the math. If a majority of those costs were due to the cyber incident, the amount had to be at least $20.3 million, which is 50.1 percent of $40.54 million. (It’s quite possible the actual total was much more than $20.3 million; we don’t know.)
I also looked back to Amerisource’s previous quarterly report for Q1 2023, filed on May 2 of this year, which would have included March 2023 events. It said essentially the same thing: attack at a foreign subsidiary, legacy system knocked down for two weeks, majority of “Other” costs for the quarter.
This disclosure raises some interesting questions about materiality. Clearly a $20.33 million (at least) cybersecurity incident is not quantitatively material to a company with $238.5 billion in revenue — but is it somehow qualitatively material? For example, did the attack happen because of some inexcusably weak access control regime or a failure of staff cybersecurity training?
We don’t know. Amerisource doesn’t tell us anything about how the attack happened. Then again, that’s always been a chief fear of the new disclosure rules: that a company might disclose too much about how an attack happened (“We spaced on patching the ERP system, happens all the time around here”) and attackers would use that information to launch yet more attacks.
Ingersoll Rand
Industrial equipment manufacturer Ingersoll Rand discussed two cybersecurity incidents in its most recent quarterly report: one that had just happened, and another that had happened a while back.
Let’s start with the recent attack. In a section titled “Recent Developments,” Ingersoll had this to say:
On April 27, 2023, the company detected a cybersecurity incident that resulted in a disruption of several of our information technology systems. We immediately launched a thorough investigation with the assistance of external cybersecurity experts to assess and mitigate impacts of the incident. The company proactively took immediate actions to maintain business continuity and to minimize disruption to operations and customers, including isolating systems and implementing workarounds. As a result, we do not expect this incident to have a material impact on our business, results of operations or financial condition. Although an investigation is ongoing, the company is not aware of any confidential customer information having been exfiltrated. If the Company becomes aware of any such information having been exfiltrated, it will make appropriate notifications.
The final SEC rule for cybersecurity disclosure (and to be clear, Ingersoll did not have to meet that standard yet; the new rule goes into effect in 2024) requires companies to discuss “the nature, scope, and timing of the incident,” along with any likely material impact.
The disclosure above kinda sorta meets those future criteria. We know when the company discovered it; but not how long the attack might have been ongoing (timing). We know it disrupted several IT systems but didn’t breach customer data; but not what those systems did or whether they were mission-critical (scope). We know the attack didn’t seem material, but we don’t know how it happened (nature).
Ingersoll’s other cybersecurity incident peeks out at us from its financial reporting. When the company reported adjusted EBITDA for Q2 2023, it included a $2.2 million adjustment labeled “cybersecurity incident costs.” In a footnote the company further described that item as “non-recoverable costs associated with a cybersecurity event,” whatever that means. See Figure 1, below.
I’m tempted to roll my eyes at a non-GAAP adjustment like that since cybersecurity events happen all the time now; they are an unpleasant fact of business life. Then again, cyber events are also discrete, one-time incidents with clearly associated costs, like a restructuring or a litigation settlement. So perhaps we’ll see more such “earnings before cyber attack” disclosures in the future.
Conagra Brands
Surprise! We have another cyber non-GAAP adjustment right away. Conagra Brands reported a $4.4 million adjustment to earnings for its most recent fiscal year (which ended May 28) under the label “Third-Party Vendor Cybersecurity Incident.” Even better, the company assigned the costs of this incident to specific operating units: its refrigerated & frozen foods division ($4.2 million) and its foodservice division ($200,000). See Figure 2, below.
OK, but nowhere in Conagra’s earnings release (filed July 13) did the company describe what that third-party security incident was, or when it happened. For that information you had to read Conagra’s 10-K (also filed July 13), which didn’t offer much more:
In the fourth quarter of fiscal 2023, we incurred charges totaling $4.4 million ($3.3 million after-tax) related to supply chain disruptions caused by a third-party vendor’s system shutdown in connection with the third party experiencing a cybersecurity incident. The vendor’s shut-down disrupted our operations and negatively impacted our ability to fulfill customer orders.
Conagra made $683 million in net income for the year and had $12.23 billion in sales, so we can’t say that this $4.4 million cyber cost is quantitatively material (although it’s close enough that you can see materiality on a clear day).
But just like AmerisourceBergen, this does raise questions about whether or when a cyber incident might be qualitatively material. For example, was this a mission-critical vendor? Seems possible, since its failure disrupted Conagra’s ability to fulfill customer orders. So how had Conagra assessed its vendors’ cybersecurity? What contingency plans were or weren’t in place to switch over to a backup system?
We don’t know the answers to those questions. Still, this rather cryptic disclosure does help us understand the types of questions that might be asked by outsiders, potentially as part of civil litigation by people unhappy with some cyber attack your company suffers. So audit and compliance teams should be asking themselves those sorts of questions well in advance of any cyber attack, as part of their risk assessment and the ensuing efforts to build better policies, procedures, and controls.
That’s enough for today. Later this week we’ll take a closer look at what the new SEC rules will be forcing companies to disclose.