The Clorox cyberattack crisis warrants every board’s attention. The consumer-products giant spent over $500 million on IT upgrades and earned a spot on the 2023 Forbes Most Cybersecure Companies list. Nonetheless, an August breach halted its operations with devastating supply chain and business consequences.
While the cybercrime details remain unclear, Clorox disclosed that it was forced back to manual processes, as automation systems took nearly six weeks to normalize. That left retailers and consumers scrambling for merchandise. In terms of the financial aftermath, its preliminary FY2024 Q1 results suffered significantly:
- “Order processing delays and significant product outages” dented quarterly sales by 28%.
- Lower gross margins are anticipated, as “the impact of the cybersecurity attack more than offset the benefits of pricing, cost savings and supply chain optimization [and] lower cost absorption driven by lower volume.”
- Quarterly earnings per share will show a loss rather than a positive result.
- Remediation efforts and expenditures will extend well into FY 2024.
The capital markets have not responded kindly, as Clorox shares are down over 25% since the August news, trading at or near five-year lows. That’s over $3 billion in lost market valuation.
The damage is measurable and the lessons should be clear. As cyber threats surge, the alarming scale, speed and scope of the upheaval at Clorox should motivate senior leaders in all organizations to question, assess and fortify business resilience, operational agility and technological readiness — before it’s too late.
Fight Fire With Fire
While no company is immune to cyber risk, strong, substantive digital-era leadership is widely lacking. Here are four immediate, meaningful actions organizations can take to boost business resilience:
1. Seriously address board composition.
The SEC’s long-awaited cybersecurity regulations exclude board tech expertise. Not surprisingly, cyber expertise on boards remains rare. According to recent research by the Wall Street Journal, only “107 directors at 113 [S&P 500] companies had professional experience in cybersecurity.” Further, those leaders “held a total of 124 [2.3%] of S&P 500 board seats.”
Clorox was no exception. Astonishingly, despite the ongoing cyber crisis, its 2023 Proxy Statement reveals no plans for a board technology committee and none of the twelve seated and nominated directors has any credible tech experience. One member, Julia Denman, works in Microsoft’s audit and finance function. However, tech firm employment does not constitute the background cyber threats demand.
2. Equip the board with independent insights.
Chris Hetner, former senior cybersecurity advisor to SEC Chairs Mary Jo White and Jay Clayton and currently Nasdaq Center for Board Excellence Insights Council member and senior cyber risk advisor to the National Association of Corporate Directors (NACD), advocates mirroring risk transfer market methodologies. For instance, the NACD endorsed X-Analytics as the preferred boardroom cyber risk reporting solution for their over 23,000 members. X-Analytics is a patented and validated cyber risk decisioning platform that ties an enterprise’s cyber risk probability, severity and control effectiveness to financial loss probabilities.
Hetner explained, “Clorox’s shutdown reinforces that cybersecurity threats introduce business, operational and financial harm. Now’s the time to deliver effective executive and boardroom reporting that expresses cyber threats and resilience strategies through the business lens.”
3. Set business interruption tolerance and deploy capital accordingly.
Hetner urges boards to re-center cybersecurity discussions on “the financial and business impact associated with each digital risk type, such as intellectual property theft, business interruption, ransomware, loss of customer data or misappropriation of funds. That immediately connects continuous cyber risk assessment to strategy and balance sheet stress.”
He suggested that cybersecurity consideration start with how much business interruption an enterprise is willing to tolerate. Boards, CEOs and CFOs must first understand the costs of a “six hour, daylong or weeklong” shutdown. “Accepting that downside then more easily defines the justifiable capital allocation for adequate countermeasures,” Hetner explained.
That’s thinking differently — with a much higher chance of better outcomes. “The default tendency of CIOs and CISOs is to rely on periodic tactical and technical reports to justify tech solutions spending that may suppress risk,” Hetner highlighted. “That too often gets ‘lost in translation’ when engaging board members and the wider c-suite — leaving leadership unsure of precisely what they are funding and where residual gaps remain.”
Hetner emphasized, “When a leadership team possesses an aggregate view of risk tied to financial exposure, they can then best decide how much risk to accept, transfer or deploy capital to manage.” That downside-first view raises cybersecurity from a technical afterthought to the business strategy forefront.
4. Simulate cyberattack responses.
Last year, CNBC’s CFO Council Summit attendees participated in a ransomware attack simulation. Most senior executives felt quite unprepared, scrambled for legal advice and all paid the ransom. Noname Security CISO Karl Mattson observed, “The CFOs really struggled with calculating the break-even point of ‘to pay or not to pay.’ In our simulation, we realized that our business really does have a threshold of pain and lost revenue, above which the ransom payment is entirely rational. We had to build that cost/loss model on the fly.”
In the Clorox case, SafeBreach CISO Avishai Avivi told IndustryWeek, “The fact that it will take Clorox more than a month to recover normal operations is not a good sign. It indicates to me that the adversary was able to penetrate the backbone of Clorox operations and impact multiple systems.”
He added, “While Clorox indicated in their August notification that they have activated their business continuity plan (BCP), the fact that they have still not recovered full operational capability indicates that their BCP was not complete for this particular type of disruption. A good BCP [includes] a recovery time objective (RTO). It is very rare that an RTO will be longer than a month.”
Most executives stand unready to credibly make such estimates. That’s because few have ever challenged themselves with realistic simulations.
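The "downside-first" reasoning in points 3 and 4 (cost a six-hour, daylong or weeklong shutdown; derive the countermeasure capital that cost justifies; check whether the BCP's recovery time objective stays inside the board's loss tolerance) can be made explicit as a small risk model. The code below is an added illustration, not X-Analytics, not Clorox data and not anything from the article; the profile figures, scenario probabilities and the linear cost model are constructed placeholders a board would replace with its own numbers.

```python
"""Business-interruption tolerance model (added illustration, not from the article).

Constructed placeholders throughout: revenue at risk, recovery cost, incident
probabilities and the three outage scenarios are invented for demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    outage_hours: float
    annual_probability: float  # assumed chance of an outage this long in one year


@dataclass(frozen=True)
class BusinessProfile:
    revenue_per_hour: float        # revenue lost for every hour operations are down
    recovery_cost_per_hour: float  # manual workarounds, overtime, IR retainers
    fixed_incident_cost: float     # forensics, notification, legal: paid regardless of length


def interruption_cost(profile: BusinessProfile, outage_hours: float) -> float:
    """Single-event cost of an outage; a simple linear model (constructed assumption)."""
    hourly = profile.revenue_per_hour + profile.recovery_cost_per_hour
    return profile.fixed_incident_cost + hourly * outage_hours


def annualized_loss_expectancy(profile: BusinessProfile, scenarios) -> float:
    """Expected annual loss: sum over scenarios of probability * single-event cost."""
    return sum(s.annual_probability * interruption_cost(profile, s.outage_hours)
               for s in scenarios)


def justified_spend(profile, scenarios, risk_reduction: float, horizon_years: int = 3) -> float:
    """Capital a control is worth if it removes `risk_reduction` (0..1) of expected loss
    over the planning horizon. Spending above this is not justified by the loss model."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return annualized_loss_expectancy(profile, scenarios) * risk_reduction * horizon_years


def max_tolerable_outage_hours(profile: BusinessProfile, max_tolerable_loss: float) -> float:
    """Longest outage whose cost stays within the board's stated loss tolerance.
    This is the ceiling any BCP recovery time objective (RTO) must come in under."""
    hourly = profile.revenue_per_hour + profile.recovery_cost_per_hour
    remaining = max_tolerable_loss - profile.fixed_incident_cost
    return max(0.0, remaining / hourly)


def tolerance_check(profile: BusinessProfile, max_tolerable_loss: float, rto_hours: float):
    """Does a shutdown lasting the BCP's RTO stay inside the loss tolerance?
    Returns (within_tolerance, loss_at_rto)."""
    loss_at_rto = interruption_cost(profile, rto_hours)
    return loss_at_rto <= max_tolerable_loss, loss_at_rto


# Constructed example inputs (placeholders, not any real company's figures).
EXAMPLE_PROFILE = BusinessProfile(revenue_per_hour=250_000,
                                  recovery_cost_per_hour=50_000,
                                  fixed_incident_cost=2_000_000)
EXAMPLE_SCENARIOS = (
    Scenario("six-hour outage", 6, 0.30),
    Scenario("daylong outage", 24, 0.10),
    Scenario("weeklong outage", 168, 0.02),
)
EXAMPLE_TOLERANCE = 20_000_000  # board's assumed maximum acceptable loss per incident


if __name__ == "__main__":
    for s in EXAMPLE_SCENARIOS:
        print(f"{s.name:16s} cost ${interruption_cost(EXAMPLE_PROFILE, s.outage_hours):,.0f}")
    print(f"expected annual loss  ${annualized_loss_expectancy(EXAMPLE_PROFILE, EXAMPLE_SCENARIOS):,.0f}")
    print(f"justified 3-yr spend for a control halving that loss "
          f"${justified_spend(EXAMPLE_PROFILE, EXAMPLE_SCENARIOS, 0.5):,.0f}")
    ceiling = max_tolerable_outage_hours(EXAMPLE_PROFILE, EXAMPLE_TOLERANCE)
    print(f"RTO must be under {ceiling:.0f} hours to stay within tolerance")
    ok, loss = tolerance_check(EXAMPLE_PROFILE, EXAMPLE_TOLERANCE, rto_hours=720)
    print(f"a 30-day recovery costs ${loss:,.0f}; within tolerance: {ok}")
```

With these placeholder inputs, the six-hour, daylong and weeklong outages cost $3.8M, $9.2M and $52.4M respectively, the expected annual loss is about $3.1M, and a control that halves it is worth roughly $4.7M over three years. The tolerance of $20M implies an RTO ceiling of 60 hours, so a 30-day recovery (the order of magnitude Avivi describes for Clorox) fails the check by a wide margin; that is the gap between a BCP's RTO and the board's actual tolerance that the model makes visible before an incident rather than during one.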
Roll The Bones
Cyber criminals are targeting larger and seemingly more secure targets daily. Even well-funded and highly-touted Clorox was not ready, willing and able enough to withstand its breach. Who else is relying on chance over serious change?