The 8-Ks Have Arrived
10–9–2023 (Monday)
Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, October 9, 2023, and we’re back after a week off (which, really, was just a day off in a busy week). Back, and plenty to discuss.
Cyber Disclosure 8-K’s Have Arrived!
By now, regular viewers are well aware of the issues that MGM and Caesar’s have had from the ransomware crew dubbed Scattered Spider. What yo might not have heard is that this same crew has also spent time attacking Clorox - a story that Bloomberg broke this week.
In line with the new SEC cyber disclosure rules - something we’ve talked about here extensively - Clorox has filed two different 8-K notices, one on August 14 and another on September 18. Now we’re seeing the true impact of this event in their Preliminary Financial Guidance - and the impact is pretty significant.
Net sales dropping by 23-28%
Organic sales dropping 21-26%
Clorox explicitly attributes this to the cyber attack, noting these sales drops are “due to the impacts of the recent cybersecurity attack that was disclosed in August, which caused wide-scale disruption of Clorox's operations, including order processing delays and significant product outages.”
They also note that margin will be down, and that earnings per share is expected to be a loss for the quarter.
One article notes the impact, given these percentages and the other financials available, to be somewhere between $487M - $593M.
This is a tremendous amount of money, and likely only the first of many disclosures we’ll see through the end of the year.
I think it also highlights the challenges - particularly for manufacturers and other companies with physical infrastructure or logistical components - around Business Continuity and Disaster Recovery needs. The 8-K filings from Clorox indicate that they activated their BCP during the August event, but more than a month later, still hadn’t returned to normal operations and couldn’t give an accurate estimate of when that might occur.
While many firms have these plans notionally in place, testing, practice, and defined details need to be in place prior to activating the plan, or else the road to recovery is going to be much longer, and much more expensive.
While discussion about this Scattered Spider group is ongoing, the suggestion that it’s made up of US and UK based teens is an interesting development, both Boards and Executive Leadership Teams must remain laser focused on implementing preventive and detective security controls and building plans, processes, and procedures to remain resilient in the face of these new challenges.
Nobody likes that this is what it’s come to, but that’s besides the point and out of our control. Let’s make sure we’ve done everything we can before the moment we’ll need to find out if we’ve done enough.
Fundraising
Solid week of fundraising, led by Brookfield’s $12B sixth flagship private equity fund - with a good range of other funds bringing the total up to $18.6B in total.
That said, we also saw some articles indicating that recent IPO deals underwhelmed - the Financial Times noting that both Arm and Instacart underwhelmed and VCs are advising late-stage startups to delay IPO plans, which of course will impact the back end of the deal flow funnel.
Time will tell, but this part of the cycle remains tremendously interesting. Slower exits, longer hold periods, and active threat actors are going to pose significant headwinds to the investment theses of many firms - we’ll see which part gives first, and how much.
You can find all the links to the stories we covered in the comments section below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.
Links
https://www.ft.com/content/2b8f723d-52b0-4ea5-9703-7c65e3c6bd35
https://www.sec.gov/ix?doc=/Archives/edgar/data/0000021076/000120677423000969/clx4231381-8k.htm
https://www.sec.gov/ix?doc=/Archives/edgar/data/0000021076/000120677423001133/clx4242401-8k.htm