Companies hit by cyberattacks in the last quarter are detailing the financial hits with earnings on tap and rest assured there will be more disclosures to come. Clorox said it will see a big sales hit in its first quarter. MGM said it will incur costs of $100 million due to a data breach in September. And Caesar's reportedly paid ransomware to avoid a hit to its results.
The trio of disclosures is likely to be just the start. In July, the Securities and Exchange Commission adopted rules requiring public companies to disclose material cybersecurity incidents and report annually on risk management, strategy, and governance.
With the new regulatory requirements, it's possible that the quarterly confessional season will be as much about cyberattacks as earnings and revenue growth.
Here's a look at three recent incidents and the financial hits involved.
Clorox quantified its sales hit due to a cyberattack--a fiscal first quarter loss and a sales decline ranging between 28% to 23% compared to a year ago. In the first quarter of a year ago, Clorox reported revenue of $1.74 billion. Based on Clorox's first quarter guidance sales will fall in a range between $1.25 billion and $1.34 billion.
As previously disclosed in a regulatory filing, Clorox was hit by a cyberattack disclosed in August hampered production. Business was on track leading up to the cyberattack. Because of the attack, Clorox had to restore its systems and manually take orders. On Sept. 25, Clorox began transitioning to automated order processing.
Clorox said in a statement that sales will be down significantly and well below the mid-single digit growth previously outlined. The company is now projecting a loss between 75 cents a share and 35 cents a share. In the first quarter of a year ago, Clorox delivered earnings of 68 cents a share.
According to the company, it expects "to experience ongoing, but lessening, operational impacts in the second quarter as it makes progress in returning to normalized operations." Clorox said it may benefit from retailer restocking. Clorox said it will update investors on the cyberattack impact for the rest of the fiscal year.
MGM said that it suffered an attack on Sept. 11 and discovered the incident on Sept. 29. The high-profile attack forced MGM to go with manual customer facing processes.
Ultimately, MGM said it took a $100 million hit in the quarter. The attackers got information ranging from phone numbers, names, addresses, data of birth and driver's license numbers. A limited number of customers had Social Security numbers and/or passport numbers stolen.
MGM said it has put safeguards in place and the damage was confined to September. MGM said in a regulatory filing that the impact from the cyberattack is about $100 million for its Las Vegas resorts. The company also saw impacts to occupancy through its app and website but has mostly recovered. In addition, MGM had one-time expenses of $10 million in the third quarter due to the attack to cover consulting services, legal fees and third-party advisor expenses. That $10 million is likely to be covered by cyberinsurance.
Caesar's Entertainment disclosed an attack due to a "a social engineering attack on an outsourced IT support vendor used by the company."
The company said that it detected the attack and contained the breach. On Sept. 7, Caesar's determined that the attackers acquired a copy of the company's loyalty database, which included driver's license numbers as well as Social Security numbers.
According to Caesar's the financial hit should be limited, but there will be expenses going forward to remediate. However, Caesar's reportedly paid a $15 million in ransomware to avoid any customer disruption, according to CNBC.
Caesar’s attack happened in the same time frame as MGM's breach.