8-K Item 1.05
The first “Material Cybersecurity Incidents” 8-K filing under new SEC rules dropped this morning, the same day the rule went into effect
A new era of cybersecurity disclosure kicked off this morning: VF Corporation (VF) filed the first-ever Item 1.05 Material Cybersecurity Incidents 8-K, following new reporting rules that were finalized earlier this year. Companies were required to begin complying with the new rules beginning today, December 18, 2023 (with a carveout for smaller companies complying by June 15, 2024).
Determination as to the materiality of the incident(s) now are to be made “without unreasonable delay,” understanding that “[i]n the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered.”
The filing from VF is copied below (with emphasis added):
On December 13, 2023, VF Corporation (“VF” or the “Company”) detected unauthorized occurrences on a portion of its information technology (IT) systems. Upon detecting the unauthorized occurrences, the Company immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, and shutting down some systems. The threat actor disrupted the Company’s business operations by encrypting some IT systems, and stole data from the Company, including personal data. The Company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers. VF-operated retail stores globally are open, and consumers can purchase available merchandise, but VF is experiencing certain operational disruptions. Consumers are able to place orders on most of the brand e-commerce sites globally, however, the Company’s ability to fulfill orders is currently impacted. The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, and has notified and is cooperating with federal law enforcement.
As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
**Disclaimer**
The information provided in this blog/email is for general informational purposes only. While I strive to ensure the accuracy and reliability of the content, I make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the blog or the information, products, services, or related graphics contained on the blog for any purpose. Any reliance you place on such information is therefore strictly at your own risk. All posts and opinions expressed on this blog are solely my own and do not reflect the opinions or views of my employer. The content shared here is a representation of my personal thoughts and insights on various topics, and should not be considered as professional advice or the official stance of any organization. Please use your discretion and consult with relevant experts before making any decisions based on the information provided on this blog/in this email.