[Material-Incidents] No. 9

Costly breaches disclosed in annual filings

Hey Everyone,

Back after a week of work travel! In the world of SEC filings, it seems I didn’t miss much, but an extra week of research got me thinking — what about security incidents that occurred before the new disclosure rules in December? The December regulations required businesses to disclose material incidents within four business days, but incidents that happened pre-December wouldn’t necessarily have an 8-K. They might, however, be disclosed in an annual 10-K. With minimal digging, I found thirteen filings with incidents that cost companies serious money! Filing details suggest the majority of incidents were driven by compromised emails, phishing or ransomware (chart below). And they say Security is a cost center… 🤔

Let’s take a look:

Brunswick Corp - While short on details, they suffered an incident on June 13, 2023, which impacted business operations for nine days. This outage resulted in an estimated loss of $80-85 million in revenue.

Tempur Sealy International - Also light on details, an incident last July incurred $14.3 million in total costs.

Argan Inc - Targeted by a complex criminal scheme in March 2023, involving fraudulently induced wire transfers. They suffered a $2.7 million loss.

Loan Depot - This incident was apparently filed as an 8-K earlier in the year, but wasn’t on my radar as it wasn’t filed correctly with the SEC under item 1.05 (Material Incidents). The filing called out that the estimated $12-17 million cost associated with the incident will likely have a material impact on their first quarter earnings (now Loan Depot can empathize with cash-strapped home buyers!). If you recall, I recently discussed another filing that made reference to missing earnings due to an incident.

Gryphon Digital Mining - The first crypto-related incident I’ve come across in these filings (outside of ransomware payments). The company was impacted by a spear-phishing attack where an attacker imitated the company’s CFO and directed the company to transfer 26 BTC to a wallet the attacker controlled. Bitcoin is currently trading around $67,000, so that’s over $1.7 million lost.

Four Leaf Acquisition Corp - A blank check company, which was the subject of last week’s post. The post covered how many of these blank check companies claim they don’t face cyber security risk. Four Leaf makes the same claim but also disclosed a phishing attack that led to an unauthorized $54,300 payment…

I won’t summarize all thirteen companies, but if you’re interested in learning more, feel free to leverage the Material Incident index with the query I used. There will be more incident disclosures in 10-Ks over the next 6 months because there wasn’t an 8-K disclosure requirement until December 2023, so I’ll be following along & sharing learnings here.

Thanks for reading! If you enjoyed this week’s post, let me know or forward it along to someone who might find it interesting.

Matt

[Appendix Chart: Incident drivers for the 13 compromised companies]