New regulatory filings have exposed the skyrocketing costs of major cyber incidents, as big brands Clorox and Johnson Controls admitted collectively suffering more than $75 million in attack-related expenditures last year.
Cleaning giant Clorox was struck by an unspecified cyber event discovered in August 2023. The incident disrupted operations so severely that the company reverted to manual ordering and processing as a containment measure—a response indicating ransomware, experts say. A recent SEC filing put Clorox's six-month cyber incident cost at a staggering $49 million.
"The incidents involving Clorox and Johnson Controls highlight significant operational disruptions and financial losses due to cyber-related incidents," said Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start. "This emphasizes the rising costs and complexities associated with managing and mitigating such threats in today's landscape."
Meanwhile, construction and facilities management conglomerate Johnson Controls was definitively hit by ransomware in September. Their Q4 SEC report alone logged $27 million in spending related to incident response and recovery efforts.
"While it's a simple fact that it is impossible to prevent every attack, steps can and should be taken to mitigate the access of cybercriminals, and minimize the impacts on their systems, data, and operations," said Darren Guccione, CEO at Keeper Security. "With the right solutions to address common attack vectors, IT teams can confidently report an accurate threat picture instead of feeling pressured to downplay realities."
Both Clorox and Johnson Controls shouldered major costs from tapping cybersecurity consultants, pursuing IT recovery and forensic analysis, and grappling with business interruptions. Guenther suggests that their cybersecurity programs were outmatched.
"Their substantial expenditure on remediation, including third-party services and IT recovery, indicates the incidents required extensive external expertise," she said. "This could mean existing defenses were circumvented, insufficient, or unprepared for the attack sophistication."
[RELATED: Clorox's Cybersecurity Chief Departs Amidst Incident Recovery Efforts]
John Bambenek, President at Bambenek Consulting, emphasized security spending constraints. "The reality is any company can spend a near infinite amount on security—every dollar of which does not increase revenue," he said. "Businesses make calculated risk decisions balancing attack prevention costs against potential breach impact."
These incidents underscore regulatory aims for public cyber risk transparency. Offering stakeholders clear visibility into attack-driven disruptions and response outlays, these SEC disclosures aid investors while informing industrywide cybersecurity priorities.
"Such filings provide a clearer picture of a company's financial and operational health, including vulnerabilities and breach costs," Guenther explained. "For the broader industry, it's valuable threat intelligence highlighting the financial implications of cyber incidents."
While Clorox intends to claim cyber insurance, Johnson Controls said insurance will cover a "substantial portion" of breach response costs. Comparatively, Clorox painted its cyber response positively amidst 16% quarterly sales growth.
Follow SecureWorld News for more stories related to cybersecurity.
