So there we were today, scanning the latest corporate filings to the Securities and Exchange Commission, when we noticed that Johnson Controls ($JCI) had filed its latest earnings report.
We started reading, and were immediately stopped short by this earnings adjustment, right there in the second bullet point:
Fiscal Q4 GAAP EPS of $0.80; Q4 Adjusted EPS of $1.05, including a $0.04 headwind from the cyber incident.
Hold up — what cybersecurity incident? When did that happen, and what has Johnson Controls said about it so far? (Calcbench regrets to admit that with cybersecurity attacks happening so often these days, our crack research team doesn't always notice every one.)
We read the rest of Johnson’s earnings release, and to our surprise found that the company provided no further discussion of exactly what the cyber incident was. Clearly the incident was material; the company reported $549 million in net income attributable to Johnson, and $0.80 EPS. If the cyber incident reduced EPS by $0.04, that implies a cost of $27.3 million.
A quick scan of Johnson’s recent 8-K filings began filling in the details. According to one filing on Sept. 27, the company “has experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident.”
Johnson provided few other details, and ended with a bland, “The Company is assessing whether the incident will impact its ability to timely release its fourth quarter and full fiscal year results, as well as the impact to its financial results.”
The company provided an update on Nov. 13 with much more detail. The incident was a ransomware attack that hackers had launched against Johnson the week of Sept. 23, and which disrupted various parts of Johnson’s IT systems. (By then the cybersecurity media had also reported various details about the attack, including that overseas attackers had stolen terabytes of data and demanded a $51 million ransom.)
By Nov. 29, Johnson Controls announced that it would be late filing its quarterly report (for fiscal fourth-quarter and full-year results ending on Sept. 30). Those late results are what arrived this morning in the earnings release.
Perhaps we’ll see more information about the cyber incident whenever Johnson Controls files its full 10-K. We can’t say exactly when that will be, but for comparison purposes, Johnson had a 12-day gap between earnings release and 10-K in 2022.
We also can’t help but notice that Johnson issued no press release about its attack or the consequent effect on operations, earnings, or filings. That is why it’s so important to read the filings and all the fine print in them, because that’s where you’re likely to see the juicy details, such as a cyber attack cutting quarterly EPS by a material amount.
OK, so Johnson Controls reported earnings adjusted for a cybersecurity attack. We wondered: how have other companies treated major attacks in their earnings reports?
One primary example is Clorox Corp. ($CLX), which suffered a hugely disruptive ransomware attack in August. The company’s first 8-K filing on Aug. 14 reported the attack with typical sparse detail. By Oct. 4, however, Clorox filed a preliminary earnings release with a painfully extensive update on the damage.
Most notably, Clorox reported an estimated GAAP loss of $0.35 to $0.75 EPS — and an attack-adjusted EPS of $0.00 to $0.40. So Johnson Controls isn’t alone in reporting “earnings before cyber incident” after all.
And why are we so obsessed over this? Don’t forget that starting next week, new SEC rules for expanded disclosure of cybersecurity incidents go into effect. Companies will need to discuss their general cybersecurity risks and how they manage those risks in the annual report; and will need to disclose “material cybersecurity incidents” in 8-K filings within four days of deciding any such attack is indeed material.
Translation: we’ll be seeing lots more disclosure of cybersecurity attacks in the future. Tracing all the details might still be a bit tricky, but Calcbench will have all the disclosures and data to help you do it.