We’ve explored this idea before, looking at:

• Disclosure of risks related to artificial intelligence; 

• Discussion of cash from operating activities;

• Presentation of restricted cash.

Today let’s look at another common headache for issues: disclosure of cybersecurity incidents.

This is a fairly new requirement, driven by SEC rules adopted last year requiring issuers to disclose “material cybersecurity incidents” as 8-K filings within four days of deciding that the incident you just suffered is indeed material. 

Specifically, companies file the 8-K as Item 1.05 — and you can indeed find those disclosures via Calcbench. You can either track individual companies and be alerted when they submit new filings, if you know specific companies you want to follow; or you could visit our Filings page, which lets you see all recent filings and filter them by specific filing type. Just filter for ‘1.05’ and you’ll see a list of recent disclosures for cybersecurity incidents.

For example, we hopped onto the Filings page and searched for cybersecurity disclosures from July 1 through Sept. 10. We found 10 (including several companies that had filed original and then amended 8-Ks). Let’s take a look.

Sonic Automotive

Sonic Automotive ($SAH) first disclosed a cyber incident on July 5, when the company reported that it was one of many auto sales businesses disrupted by a ransomware attack that struck CDK Global ($CDK), a software company that helps car makers and dealerships manage their sales. CDK was knocked on its heels in late June, causing weeks of grief to all manner of other companies.

What caught our eye is that Sonic then filed an updated 8-K disclosure about the attack on Aug. 5, as the full scope of damage to Sonic became more clear:

As of the date of this filing, access to the Company’s information systems affected by the Incident has been restored, including its dealer management system (“DMS”) and customer relationship management system (“CRM”). However, the Company experienced operational disruptions throughout July related to the functionality of certain CDK customer lead applications, inventory management applications and related third-party application integrations with CDK.

The Company has concluded that the Incident had a material impact on the Company’s business during and results of operations for the second fiscal quarter ended June 30, 2024 (“Q2”). The Company’s GAAP earnings per diluted share for Q2 were $1.18, and the Company estimates that the Incident adversely affected its GAAP earnings per diluted share for Q2 by approximately $0.64 without taking into account any potential recoveries related to the Incident and after factoring in estimated lost income and expenses attributable to the Incident.

Sonic also said it does not believe the attack will have any material effects in Q3 or beyond.

Key Tronic Corp. 

Key Tronic Corp. ($KTCC) is a manufacturer of printed assembly boards and other electronic components. The company first reported in May that it had suffered an unauthorized intrusion to its manufacturing systems. What happened then? The company filled in more details in a follow-up 8-K filing on Aug. 6… 

As a precautionary measure, the Company halted domestic and Mexico operations for approximately two weeks during remediation efforts. After production was restarted, these locations returned to near capacity approximately another two weeks later. Other international operations continued production without material disruption from the cybersecurity incident. During the disruption of business, the Company continued to pay wages in accordance with statutory requirements. The Company also deployed new IT-related infrastructure and engaged cyber security experts to remediate the incident. The Company’s operations and corporate functions were restored in mid-June, and we believe that the unauthorized third party no longer has access to the Company’s IT systems… 

The Company has determined that, due to the cybersecurity incident, it incurred approximately $2.3 million of additional expenses, and was unable to fulfill approximately $15 million of revenue during the fourth quarter. Most of these orders are expected to be fulfilled in fiscal year 2025.

Key booked $559 million in annual sales for its fiscal 2024, which ended June 30, so that $15 million loss in its final quarter probably stings. 

Halliburton 

Oil services giant Halliburton ($HAL) suffered an unauthorized intrusion on Aug. 21, and first filed an 8-K disclosure about the attack two days later — a rather bland, six-sentence item that the company was looking into the matter. (“The Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors.”) 

Ten days later, Halliburton filed a more expansive 8-K drilling a bit more deeply into the situation:

The incident has caused disruptions and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions. The Company believes the unauthorized third party accessed and exfiltrated information from the Company’s systems. The Company is evaluating the nature and scope of the information, and what notifications are required.

The Company has incurred, and may continue to incur, certain expenses related to its response to this incident. As of the date of this Current Report on Form 8-K, the Company believes that the incident has not had, and is not reasonably likely to have, a material impact on the Company’s financial condition or results of operations.

Three different companies, three different approaches to providing more detail to investors about cybersecurity incidents. 

External reporting teams grappling with what to say about their own incident will always still need to make their own judgments, based on the facts of your own specific attack and advice of legal counsel; but studying the path that others have trodden can always make your own journey a bit more bearable. Calcbench data is always there to help.