Industry giants Clorox and Johnson Controls report financial losses from cyberattacks

Two quarterly earnings reports filed this week with the Securities and Exchange Commission illustrate the deep financial impact ransomware attacks and cyber incidents can have on a company’s bottom line.

On Thursday, cleaning product giant Clorox explained in its earnings report that over the last six months the company suffered from a 6% lower sales volume due to a decrease in shipments caused by a cyberattack in August.

Meanwhile, technology and industrial business multinational Johnson Controls — which reported a cyber incident in September — similarly said in its earnings report that the attack cost the company $27 million.

The building automation giant said it has restored all of the impacted applications and systems but attributed the large financial losses to expenses associated with the response and remediation of the cyber incident, which they confirmed was a ransomware attack.

The $27 million figure does not include potential cyber insurance payouts which may cover “a substantial portion” of the costs. The company also “expects to incur additional expenses” throughout the 2024 fiscal year.

“These expenses include third-party expenditures, including IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the Company’s business operations,” Johnson Controls said.

“Further, the cybersecurity incident caused disruptions to certain of the Company’s billing systems, which negatively impacted cash provided from operations during the first quarter of fiscal 2024. The overall impact of the cybersecurity incident in fiscal 2024 is not expected to be material to net income, net of insurance recoveries, or cash flows from continuing operations.”

Investigations into the incident are still ongoing and the company is still analyzing the data that was accessed and stolen by the hackers.

The attack on Johnson Controls caused particular alarm in the U.S. because the incident may have exposed “sensitive physical security information such as DHS floor plans,” according to an internal memo from the U.S. Department of Homeland Security that was obtained by CNN after the attack was announced.

‘Wide-scale disruptions’

In its filing, Clorox said it suffered “wide-scale disruptions” to its business throughout the last quarter — including order processing delays and significant product outages that negatively impacted sales and earnings. The company also had to hire consulting services, IT recovery firms, forensic experts and others to investigate and remediate the attack.

All of this took place during the first quarter of the company’s fiscal 2024 year, which ends in June 2024. In the months since the attack, Clorox has been able to move back to automated order processing but is still feeling operational impacts.

The filing notes that the Clorox has not received insurance payments to cover the attack.

Clorox initially disclosed the attack on August 14, telling the public that it began on August 11 and was discovered that evening. Clorox officials took systems offline and immediately hired cybersecurity experts to lead the investigation.

“The Company implemented its business continuity plans, including manual ordering and processing procedures at a reduced rate of operations in order to continue servicing its customers. However, the incident resulted in wide-scale disruptions to the Company’s business operations throughout the remainder of the quarter ended September 30, 2023,” Clorox said.

“The effects of the cyberattack are expected to negatively impact fiscal year 2024 results, though some of the anticipated net sales not recognized in the first quarter as a result of the disruptions were recognized in the second quarter, and some are expected to be recognized in subsequent quarters of fiscal year 2024 as customers rebuild inventories.”