Apparel giant VF reports cyberattack on first day of SEC disclosure rule
One of the biggest apparel companies in the world reported a “material” cyberattack to the U.S. Securities and Exchange Commission (SEC) on the first day that a new cyber incident reporting rule went into effect.
VF Corporation said it detected unauthorized activity on a portion of its information technology systems on December 13 and was forced to shut down some systems. Known for popular brands like North Face, Vans, Timberland and Jansport, it reported more than $11.5 billion in revenue in its latest fiscal year.
“The threat actor disrupted the Company’s business operations by encrypting some IT systems, and stole data from the Company, including personal data,” VF reported. “The Company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers.”
The announcement did not use the word “ransomware,” and the company did not respond to requests for comment. No cybercrime group has taken credit for the incident as of Monday afternoon.
The SEC filing says all of the corporation’s retail stores globally are open but are experiencing some operational disruptions: their ability to fulfill orders was impacted by the attack.
Federal law enforcement has been notified and VF said it is working with cybersecurity experts to investigate the incident and mitigate the impacts.
“As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed,” VF said. “The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
Material matters
The word “material” in VF’s SEC filing is important. As of Monday, the SEC requires businesses to report such incidents within 96 hours of determining that they meet the standard.
The rules have faced stiff backlash and outrage from companies concerned about what the SEC means by “material” and worried that the reports will expose victim organizations to further cyberattacks as well as negative news coverage.
Erik Gerding, director of the SEC’s Division of Corporation Finance, published additional guidance late last week on what must be disclosed and the FBI provided clarifications on national security exceptions for which businesses can apply in special cases.
Gerding reminded companies that the SEC is not necessarily looking for technical details about an incident and is more interested in the potential business ramifications of an incident for a company’s market performance.
Nakul Goenka, risk officer at cybersecurity firm ColorTokens, told Recorded Future News that the disclosure rules will force companies to give chief information security officers a “seat at the table” and will prompt organizations to start preparing and thinking about their policies, procedures, organizational structure and tool sets immediately.
“While the rules do offer flexibility to determine what is considered a ‘material’ incident and hence reportable, we might also see some litigation based on decisions taken by the management teams,” Goenka added.
“It will be interesting to see how these rules are actually applied and whether the benefits will offset the costs and burden.”
Tough season
The attack comes at a particularly inopportune time for VF, as millions of people rush to e-commerce sites to purchase goods from brands like the ones owned by VF Corporation.
Several experts noted that VF Corporation has acquired dozens of brands over the last decade, exposing itself to vulnerabilities in the systems of the companies it purchased.
Lior Yaari, CEO of Grip Security, said the company’s IT environment is “probably very challenging because they grew by acquiring a number of different companies over time.”
“This creates a complex IT environment because each company has its own set of apps and technologies. The internal workflows and policies also differ, creating a complex environment,” Yaari said. “The different brands that make up VF Corporation are likely impacted more than others.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.