Friday, December 13, 2024

You may have missed this while eating your kale salad, but on Dec. 12 Krispy Kreme ($DNUT) filed an 8-K announcing that the company has suffered some sort of material cybersecurity event.

What happened, exactly? We’re not sure, and it seems that Krispy Kreme isn’t either. The company only disclosed that on Nov. 29 it was “notified regarding unauthorized activity on a portion of its information technology systems… The company is experiencing certain operational disruptions, including with online ordering in parts of the United States. Daily fresh deliveries to our retail and restaurant partners are uninterrupted.”


OK, that’s not good. Krispy Kreme then continued, saying that the attack “has had and is reasonably likely to have a material impact on the company’s business operations until recovery efforts are completed. The expected costs related to the incident… are reasonably likely to have a material impact on the company’s results of operations and financial condition.”


That disclosure arises from a rule the Securities and Exchange Commission adopted in 2023 requiring companies to disclose material cybersecurity incidents. Companies need to disclose the nature and scope of the attack, along with any estimate of the attack’s impact on the company’s operations and financial condition. 


Typically those incidents are privacy breaches, which might result in painfully expensive litigation and regulatory costs — but more and more often, we’re also seeing incidents that are ransomware attacks disrupting actual operations. That seems to be the case for Krispy Kreme here. 


One interesting thought experiment is to look at Krispy Kreme’s recent financial reports, to get a sense of how much this attack might cost. 


For example, Krispy Kreme already says the attack will be material to operations. Well, in Krispy’s most recent quarterly report, it reported net income of $55.2 million. If we define material as 2 percent of that number, the attack is costing the company at least $1.1 million.


To be clear, that is speculation on our part. When Krispy says the attack will have a “material impact on the company’s results of operations,” we don’t know whether the company is talking about revenue, operating income, or some other metric. But something material is going on.


Astute analysts might also be wondering: “If Krispy Kreme suffered a material attack, doesn’t that mean its IT controls were weak? Isn’t that the sort of thing a company is supposed to discuss in its Controls & Procedures disclosure?”


Yes it is, and you raise an excellent question. Using our Footnotes and Disclosure Query tool, we found that Krispy Kreme reported in its Q3 2024 report that internal controls over financial reporting were fine. Ditto for its more fulsome discussion of internal control in the 2023 10-K filing from earlier this year. We at Calcbench don’t have a good answer for what went wrong now; you might want to ask that question on Krispy’s next earnings call. 


As Krispy Kreme gets a grip on this incident and the damage becomes more clear, the company should disclose more precise details about the cost. We’ve found other filers, for example, that even reported “earnings adjusted for cybersecurity incident.” 


Thankfully, you can still get donuts at Krispy Kreme locations. Food for thought as you’re standing in line.


