Get Ready for More Cybersecurity Disclosures

Ryan Spurr

Over the past few years, we’ve seen a rise in cybersecurity events in manufacturing, both in the public domain and through our client engagements. This also bears out in industry statistics, with manufacturing becoming the #1 most attacked industry two years in a row [1] and with a heavy focus of attacks targeting operational technology environments. Despite this increased visibility, many incidents remain hidden as disclosure is left to the organization, ransoms are quietly paid, or post-incident responses are handled without much public exposure. That is all about to change.

The Securities and Exchange Commission (SEC) has adopted new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The new rules, which were adopted in November 2022 and became effective in November 2023, require public companies to:

  • Disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material
  • Disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance in their annual reports on Form 10-K
  • Disclose whether and how their boards of directors oversee cybersecurity risk
  • Disclose management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures

The SEC’s cybersecurity rule is designed to improve investor access to information about how public companies manage cybersecurity risks. The SEC believes that this information is necessary to investors because cybersecurity incidents can have a significant impact on a company’s financial performance and position.

The First of Many

While this isn’t unique to manufacturing, with a rise in attacks in the industry (and the very first instance of SEC reporting on this subject coming from Clorox, a chemical manufacturer), you should expect more manufacturing companies to publicly report cybersecurity incidents and a generally alarming increase in the number of visible occurrences. In that first case, Clorox’s Form 8-K reported that the company had incurred $24M in costs related to the cybersecurity incident. [2] In its Q1 2024 reporting, Clorox disclosed a 20% decline in net sales, a financial impact of $356 million. [3]

Expect this level of transparency to become the new normal and shed light on the alarming trends in our trade, as well as bring about more insight into cybersecurity risks and the costs associated with successful incidents. The SEC regulations will improve both the timeliness of disclosure and the quantification of impacts, and act as a lesson for all.

Setting an Example

All publicly traded organizations have been put on notice. For private entities, while the regulatory requirements may not apply, don’t expect the standards they set to stop there. I expect cybersecurity insurance providers and customers to set new contractual expectations on their suppliers, and the shift to this level of scrutiny and investment expectation to enhance the broad manufacturing complex’s security hygiene.

The SEC rules were designed not only to inform investors but to help public companies improve their cybersecurity posture. By requiring companies to disclose their cybersecurity risk management, strategy, and governance, the SEC is encouraging companies to think critically about their cybersecurity programs and to make the necessary investments in cybersecurity solutions, a wise strategy for any manufacturing company regardless of its size or classification.

Let’s Make Manufacturing More Secure

At Connection, we understand that manufacturers have a diverse range of equipment and roles in their factories, and it’s essential to meet cybersecurity best practices while maintaining a highly productive environment. This calls for solutions that meet the needs of IT, security, and operations.

Our Manufacturing Practice regularly works with manufacturing organizations to help them meet security requirements while ensuring operational excellence, providing a great workplace, and applying right-sized technology to enable better outcomes.

If your business is interested in our OT security solutions, engage Connection’s Manufacturing Practice to learn more about available cybersecurity solutions, services, and the many use cases that may benefit your organization.

[1] IBM, X-Force Threat Intelligence Index 2023, 2023
[2] SEC, Commission File Number: 1-07151, 2023
[3] Clorox Company, Clorox Reports Q1 Fiscal Year 2024 Results, Updates Outlook, 2023

Ryan Spurr is the Director of Manufacturing Strategy at Connection with 20+ years of experience in manufacturing, information technology, and portfolio leadership. He leads the Connection Manufacturing Practice, go-to-market strategy, client engagement, and advisory services focusing on operational technology (OT) and information technology that make manufacturers more digitally excellent.