# The Clorox Approach to the SEC’s New Cyber Rules

Published by Joe Breen

In less than a month, the SEC’s new cybersecurity mandates go into effect for all publicly traded companies. As the December 15th “go live” date rapidly approaches, we are closely watching any public companies that fall victim to a security event and how they respond. Since the formal SEC announcement earlier this year, companies have struggled to grasp what the SEC is specifically looking for and how the regulators will enforce these requirements in practice. We have already seen a half dozen events take place during this “rolling start” period between the announcement and the December 15th deadline, with targeted companies taking widely divergent approaches in navigating these new rules.

Clorox’s strategy has stood out. The company has aggressively set the pace for how cyber incident impacts are being reported and disclosed to the SEC and to the public. On August 14th, Clorox detected unusual activity in its IT systems. It swiftly took down affected systems and contacted law enforcement to aid in the investigation. Three days later, it informed its customers what it had discovered while also noting an unclear timeline moving forward. Following that statement, the company shared that it would be moving most of its processes to manual workarounds, given the need to take most of its systems offline to mitigate the threat. Throughout September, Clorox saw its productivity and sales slowly increase despite the continued interruptions and challenges. Finally, on September 29th, the company announced that its business operations had been fully restored, with all systems and applications back online and running.

In contrast to other companies that have experienced cyber breaches during this interim holding period, Clorox’s SEC filings are robust and extensive. Its initial Form 8-K on August 14th stated that the corporation had discovered the unusual activity, but that it was too soon to conduct any materiality assessment. In its follow-up Form 8-K on September 18th, the company determined that the incident was material to the business, as the costs to resolve the threat would impact its Q1 financials, but the degree of the long-term impact was yet to be determined. From an operational standpoint, Clorox also noted that its systems should be restored and running at full capacity by the end of the month. On October 4th, the company published a final Form 8-K detailing a comprehensive expected financial impact of the incident, including projected declines in net sales, gross margin, and earnings per share.

Clorox’s progressive approach should be highlighted. Upon discovering the unusual activity in their systems, the company promptly began assessing how and to what extent their business would be affected. The corporation appropriately informed the SEC and the public once determining that the event was indeed material. Even where the scope of the financial impact was relatively unclear, Clorox nevertheless provided estimated ranges to inform its investors. In sum, unlike MGM or Caesars, Clorox’s disclosures were timely, informative, and appropriately kept the SEC and investors apprised of any new developments on the matter. Looking ahead, the SEC and regulators are likely to point to Clorox as an example of how to sufficiently adhere to their new cybersecurity disclosure and reporting mandates. Finally, one might also project a rosier financial outlook for Clorox heading into 2024, as educated and informed investors will applaud the company’s ability to navigate this crisis with a reasoned, complete approach.


We have already learned so much about the implementation of the SEC’s new rules, but we are far from even scratching the surface. It is going to be crucial for professionals working with public companies in security, compliance, and other areas to stay up to date on any information surrounding the SEC’s ruling. We at Axio have acknowledged this and are stepping up to provide this information for anyone who needs it. We will be gathering information on public events, different interpretations of the rules, new regulations inspired by the SEC, and any other relevant pieces of information we think you’ll want to know. We will even package it up in an easy-to-digest newsletter and send it straight to your email, so you can enjoy it over a cup of coffee!

If you want to let us do the work for you, sign up here to stay ahead of the curve.
