Apparel Giant VF Corp. Discloses Cyberattack Under New SEC Rules
VF Corp. filed an 8-K describing a cybersecurity incident that has disrupted order fulfillment.
At a Glance
- Companies must disclose material cyberattacks within four business days of determining materiality.
- Apparel company says cyber criminals stole company data and disrupted operations.
- New rules add a layer of complexity and tight timeframe to incident response.
VF Corp., the parent company of Vans, The North Face, and several other well-known apparel brands, became one of the first notable companies to disclose a cyberattack under the new US Securities and Exchange Commission (SEC) rules that went live last week, according to a filing.
Earlier this year, the SEC adopted new rules on cybersecurity disclosures for public companies. Those rules, which require companies to disclose a cybersecurity incident within four business days of determining that it is material, went into effect on Dec. 15. VF Corp. disclosed its cyberattack under the new rules in an 8-K filed on Dec. 15.
What does the material cybersecurity incident at VF Corp. look like, and what will continued reporting under the SEC’s disclosure rules look like for public companies?
The Cyberattack on VF Corp.
VF Corp. detected the cybersecurity incident on Dec. 13, according to its 8-K. The company says the threat actors encrypted some of its IT systems and stole data. It notes that it is working through incident response and attempting to implement workarounds, but that the cyberattack is impacting its ability to fulfill orders.
“For the four business days that they had, it was a little more detail than I've seen coming out of other 8-Ks that we saw filed before the requirement was in place,” Summer Fowler, CISO of Torc Robotics, an autonomous vehicle company, and faculty at IANS Research, a security insights nonprofit, tells InformationWeek.
Operational Disruption
In many cases, a full understanding of a cyberattack’s impact unfolds over time. VF Corp. has 12 brands. Mehran Farimani, CEO of vulnerability management company RapidFort, points out that the company has grown through a number of acquisitions. “They probably have a lot of disparate systems,” he says. “It's quite challenging to sort of understand what the attack is, what its blast radius is, what was causing it, what are the mitigations.”
Just how disruptive a cyberattack can be depends on a multitude of factors. How did the threat actor gain access? How long did they go undetected? Which systems have been compromised? What do data exfiltration and encryption look like? How long will it take to work through the incident response plan? Is there a ransom demand?
Even when a cyberattack itself touches only a few systems, the response to it may cause further operational disruption. “A company wants to first contain the blast radius. In order to do that, sometimes the best thing to do is to shut things down,” says Fowler.
The widespread and costly consequences a cybersecurity incident can have were illustrated earlier this year in the ransomware attacks on MGM Resorts and Caesars Entertainment. At MGM hotels and casinos, digital keys for rooms and slot machines weren’t working. Caesars paid a $15 million ransom, while MGM refused to pay.
The fallout of a cyberattack on Clorox earlier this year unfolded in a series of updates. On Aug. 14, the cleaning products company filed an 8-K briefly detailing “unauthorized activity on some of its Information Technology (IT) systems.” On Sept. 18, it filed another 8-K reporting difficulties with order processing and product availability. It provided an operational update in its Oct. 4 8-K, sharing that it was restoring its systems and operations.
“They [Clorox] filed multiple 8-Ks with more detail as they learned more. That's something I think we're going to see as organizations understand the full impact,” says Fowler.
Clorox noted the significant impact the cyberattack had on its Q1 fiscal year 2024 results: net sales dropped 20%, a $356 million decrease.