Apparel Giant VF Corp. Discloses Cyberattack Under New SEC Rules

VF Corp., the parent company for Vans, The North Face, and several other well-known apparel brands became one of the first notable companies to disclose a cyberattack under new US Securities and Exchange (SEC) rules that went live last week, according to a filing.
Earlier this year, the SEC adopted new rules on cybersecurity disclosures for public companies. Those rules, requiring companies to disclose cybersecurity incidents within four business days of determining materiality, went into effect on Dec. 15. VF Corp. was hit with a cyberattack that it disclosed under the new rules. It filed an 8-K on Dec. 15.

What does the material cybersecurity incident at VF Corp. look like, and what will continued reporting under the SEC’s disclosure rules look like for public companies?

The Cyberattack on VF Corp.

VF Corp. detected the cybersecurity incident on Dec. 13, according to its 8-K. The company shares that the threat actors encrypted some of its IT systems and stole data. It notes that it is working through incident response and attempting to implement workarounds, but the cyberattack is impacting its ability to fulfill orders.

“For the four business days that they had it was a little more detail than I've seen coming out of other 8-Ks that we saw filed before the requirement was in place,” Summer Fowler, CISO of Torc Robotics, an autonomous vehicle company, and faculty at IANS Research, a security insights nonprofit, tells InformationWeek.

Related:Will More Threat Actors Weaponize Cybersecurity Regulations?

Operational Disruption

In many cases, a full understanding of a cyberattack’s impact unfolds over time. VF. Corp has 12 brands. Mehran Farimani, CEO of vulnerability management company RapidFort, points out that the company has grown via a number of acquisitions. “They probably have a lot of disparate systems,” he says. “It's quite challenging to sort of understand what the attack is, what its blast radius is, what was causing it, what are the mitigations.”

Just how disruptive a cyberattack can be depends on a multitude of factors. How did the threat actor gain access? How long did they go undetected? What systems have been compromised? What does data exfiltration and encryption look like? How long will it take to work through the incident response plan? Is there a ransom demand?

A cyberattack may not impact multiple systems, but the response may lead to further operational disruption. “A company wants to first contain the blast radius. In order to do that, sometimes the best thing to do is to shut things down,” says Fowler.

The widespread and costly consequences a cybersecurity incident can have were illustrated earlier this year in the ransomware attacks on MGM Resorts and Caesars Entertainment. At MGM hotels and casinos, digital keys for rooms and slot machines weren’t working. Caesars paid a $15 million ransom, while MGM refused to pay.

Related:SolarWinds Fires Back at SEC Fraud Charges

The fallout of a cyberattack on Clorox earlier this year unfolded in a series of updates. On Aug. 14, the cleaning products company filed an 8-K briefly detailing “unauthorized activity on some of its Information Technology (IT) systems.” On Sept. 18, it filed another 8-K reporting difficulties with order processing and product availability. It provided an operational update in its Oct. 4 8-K, sharing that it was restoring its systems and operations.

“They [Clorox] filed multiple 8-Ks with more detail as they learned more. That's something I think we're going to see as organizations understand the full impact,” says Fowler.

The company noted the significant impact that the cyberattack had on its Q1 fiscal year 2024 results. Net sales dropped 20%, representing a $356 million decrease.

Impact of the SEC’s Rules

The SEC’s disclosure rule is meant to give investors and shareholders relevant information. “In this case, if someone was thinking of investing in VF Corp. they would know that they just got hit by a cyberattack right in the heat of the holiday season, and that may affect someone's desire to invest in a company,” says Adam Marrè, CISO of cybersecurity company Arctic Wolf.

Related:Clock Starts on SEC Cyberattack Rules: What CISOs Should Know

This disclosed information has value for the public, but it does add a layer of complexity to incident response. “Now, they [response teams] have to also worry about getting someone to decide if it's material as quickly as possible, write up this report, get that report reviewed by legal and everybody else. And then get that put out,” says Marrè. “That's a whole other workstream now that has to happen in the beginning heat of the moment.”

Fowler anticipates that there will be an adjustment period now that the disclosure rule is officially in place. “You might see overreporting or reporting that is too specific or the other way, where the SEC views that it's still too generic and hypothetical and then it's going to have to sort of even out over time,” she explains.

It also remains to be seen how the markets will react to these disclosures over time. Will a company’s stock price take a hit each time shares an update following a cybersecurity incident? “I'm wondering if after a time, after we get used to this, we'll build up some cultural tooling to deal with this,” says Marrè. “In other words, people will withhold their judgment on one of these events until more information does come out.”

While time will tell what an adjustment period will look like, it is clear that the SEC’s rules cannot be ignored. Organizations need processes around defining materiality and reporting. “That way when there is scrutiny from the SEC or any external organization…the organization can justify the decisions that were made and show the documentation to prove how they came to those conclusions,” says Fowler.

The SEC’s new rules aren’t just about cybersecurity incident disclosures. Public companies are also required to disclose information on cybersecurity risk management in their 10-Ks.

“I do believe that CISOs…and those who are responsible for the 10-K really need to make sure that they are looking at what they're putting out into those documents as [to] how cyber risk management processes are handled in the company,” says Fowler.

The SEC has signaled that it is willing to scrutinize the way companies handle cybersecurity risk and incidents. The SEC is charging SolarWinds and its CISO with fraud and internal control failures. It alleges that the company “misled investors by disclosing only generic and hypothetical risks.”

More regulatory scrutiny on cybersecurity practices potentially exposes companies to more liability. “The SEC has got their teeth into this issue now, and I think that's going to drive more attention to the security function within organizations,” says Farimani.