Podcast: How manufacturers are preparing for cyber incidents and new SEC rules

Jan. 31, 2024

In this episode of Great Question: A Manufacturing Podcast, Dennis Scimeca discusses what manufacturers can do to protect themselves against cyberattacks.

Scott Achelpohl

Dennis Scimeca is the senior editor for technology at IndustryWeek. In his current position, he covers a range of topics, including how innovations in the manufacturing sphere are helping companies improve their competitiveness and their profits. He shines a light on the latest and greatest industrial technology, including vision systems, machine learning/artificial intelligence, virtual and augmented reality, and interactive entertainment. Dennis recently spoke with Smart Industry managing editor Scott Achelpohl about how manufacturing companies can comply with new preparedness and reporting standards.

Below is an excerpt from the podcast:

SI: What precisely do the SEC rules say?

DS: OK, so I'm not going to quote from any of the docs, but the new rules adopted in July 2023 and in effect for all U.S. companies as of mid-December state two requirements. So first, in their annual 10-K filing, companies have to report on cybersecurity risk management strategy and governance. Now if you're not familiar, where an annual report to shareholders might focus almost entirely on financials, a 10-K form is much more comprehensive. It’s information about company history, organizational structure, facilities owned. Basically, all the information an investor needs to really understand how the company is doing.

So now, in addition to all of that, companies have to describe how they identify and manage material cybersecurity threats, with the material damage of a cybersecurity attack might do past cybersecurity incidents, how much oversight the board of directors has, and how management assesses and manages material risks from cybersecurity threats.

So if a company isn't paying attention to cybersecurity, now investors are going to know about it.

Second, unless the U.S. Attorney General determines that the disclosure poses a national security or public safety risk, companies must, within four days, disclose cybersecurity incidents that the company determines are material. That's using a new item line on form 8-K. That's the form companies use to report major events that shareholders ought to know about. So now that includes material cybersecurity incidents, incidentally, with material defined as an incident to which there is a substantial likelihood that a reasonable investor would attach importance. And I lied, that is actually quoting something from the SEC. To which there is a substantial likelihood that a reasonable investor would attach importance.

SI: That's a terrific and detailed answer, Dennis. Thank you. Despite your level of detail, these sound like pretty general guidelines, yes?

DS: Here's where things get murky. So what is substantial likelihood? Now, in some cases, like the Clorox breach you mentioned that IndustryWeek reported on last September, there is zero argument that that incident wasn't material because the breach actually affected production. You know, there were severe product shortages on shelves. There was no way profits wouldn't be affected. The stock price actually dropped following when that news broke. It absolutely cost them money and shook investor confidence.

Now, on the other hand, last February, Dole reported a cybersecurity incident after customers in New Mexico and Texas noticed an absence of precut and mixed salad kits on grocery store shelves. So Dole reported it was in the midst of a cyberattack and that slowed its systems down through North America, but also said the effect on operations was minimal. They just put manual operations in place to replace the automated operations and they got things moving again.

So was that actually a material incident if all that happened was customers not being able to purchase a specific product line for a few weeks? How much money does that cost? Maybe not a lot. You know, in the grand scheme of things, I don't know Dole's books, but it maybe doesn't cost a lot. So did they have to report it?

About the Podcast
Great Question: A Manufacturing Podcast offers news and information for the people who make, store and move things and those who manage and maintain the facilities where that work gets done. Manufacturers from chemical producers to automakers to machine shops can listen for critical insights into the technologies, economic conditions and best practices that can influence how to best run facilities to reach operational excellence.

Listen to another episode and subscribe on your favorite podcast app

About the Author

Scott Achelpohl

Scott Achelpohl is the managing editor of Smart Industry. He has spent stints in business-to-business journalism covering U.S. trucking and transportation for FleetOwner, a sister website and magazine of SI’s at Endeavor Business Media, and branches of the U.S. military for Navy League of the United States. He's a graduate of the University of Kansas and the William Allen White School of Journalism with many years of media experience inside and outside B2B journalism.