The recent ransomware attack that crippled the operations of customers of CDK Global, a software provider to nearly 15,000 vehicle dealerships across North America, is emerging as a stark illustration of issues with Securities and Exchange Commission (SEC) cybersecurity reporting requirements as they exist today.
Although the incident affected dealerships around the country for two weeks and almost certainly had an impact on June auto sales nationwide, CDK parent company Brookfield Business Partners insists it is not expected to have a material impact on the business. The company therefore will not be submitting an 8-K filing to the SEC.
I’m sorry, what?
This is in spite of CDK reportedly paying a ransom of $25 million in Bitcoin to restore its systems, according to CNN, and several CDK customers submitting their own filings to the SEC as a result of the incident.
Autonation, for example, a Fort Lauderdale-based Fortune 200 company with over 300 locations, was more certain that CDK’s snafu would impact its business outlook.
“As a result of the incident’s impacts,” the company wrote in its SEC filing, “we currently estimate earnings per share for the quarter ended June 30, 2024, will be negatively impacted by approximately $1.50 per share.”
The thing is, I believe Brookfield may be completely correct in its assessment. Analysis conducted by the consumer research firm Comparitech found that stocks tend to recover to their pre-incident price levels as soon as four days following a ransomware incident. And, as Cyberscoop notes, $25 million is a “drop in the bucket” for a company that reported $96 billion in revenue in 2023.
Nevertheless, I think this particular incident raises some serious questions about SEC cybersecurity filings, “materiality” thresholds, and how we define business impact.
For example:
What if the SEC filing is what makes an incident material?
Is there a chicken-and-egg problem here?
A study by Cybereason found that more than half of companies indicated ransomware attacks damaged perception of their brand. Reputations built over decades can be destroyed overnight, and organizations must consider public sentiment when filing their 8-K reports. While it’s not always possible to quickly switch to a competitor, some consumers may be more likely to jump ship following a ransomware attack.
Before the SEC reporting rules existed, companies were notoriously sheepish about disclosing ransomware incidents for fear of the “scarlet R” they would be branded with going forward. Although CDK’s incident was far too impactful to escape notice, with or without an SEC filing, that doesn’t hold true for all incidents. There was a day when these happenings, and companies’ responses to them, were kept close to the vest (Uber, anyone?).
Companies that have fallen victim to ransomware attacks certainly don’t revel in the added attention from SEC filings. I’m not saying it will be possible – or desirable – to sweep all cyber incidents under the rug, merely that we must factor the additional impact of greater public attention into the overall cost of an incident.
Do filings unfairly punish partners and customers? Or simply encourage finger-pointing?
While CDK’s parent company did not deem the incident material, several of its customers saw reason to file. In addition to the aforementioned Autonation, the incident caused “a flurry of SEC filings” from customers including Group 1 Automotive, Penske Automotive, and others. They join the ranks of publicly listed companies affected by ransomware through no apparent fault of their own.
Granted, these companies may be taking the opportunity to ensure someone else takes the blame for disruption to their own operations. Downstream dealers got the chance to go on record about CDK being the source of their distress, and several seem to have taken it.
But it also may not be viewed as an entirely desirable course of action. Affected companies have only days to decide if an incident at an IT supplier will have a material effect on their shareholders, or they could presumably be subject to penalties for not filing.
Arguably, though, they file because an incident like this one has a much larger impact on the dealer customers than on the software provider itself.
Which brings me to my final question.
Can a company be too dominant for an incident to be material?
According to the trade publication Dealer Tech Nerd, 80% of the market for Dealer Management Systems (DMS), the type of software offered by CDK, is controlled by three companies. Vendor lock-in is an issue that spans companies and industries, but can be especially tricky when dealing with software suppliers.
IT systems like those offered by CDK can become integral parts of a company’s operations, and choosing another vendor would require dealerships to reopen lengthy procurement processes, retrain staff, and shell out for additional IT support.
Even if CDK customers were upset enough about the incident to switch to a competitor, a migration takes far longer than the outage did, so switching could not have spared them the disruption. The cost of switching DMS providers could easily outweigh the lost sales stemming from the incident itself.
CDK almost certainly understands its own stickiness. It’s likely that the decision by its parent company not to deem this incident material was at least in part informed by that fact.
Collision repair
My colleague Rob Sloan’s own research suggests public companies are still refining their standards for cyber oversight. Only a minority of boards have committees dedicated to cybersecurity, there is little consensus over whether or what to disclose following a cyber incident, and few boards include directors with significant cyber expertise.
“An analysis of S&P 500 company proxy statements shows considerable variation in what investors are told,” Sloan writes. As we’ve seen, that variation certainly played out in response to the CDK compromise.
The first year of the SEC’s new rules for cyber incident reporting was bound to be rocky. Public companies are still experimenting with how much to divulge and when. The SEC will no doubt continue to refine its guidance for submitting filings, and the rules themselves will likely be refined by legal battles.
In other words, what “materiality” means today may not be what it means tomorrow.