Johnson Controls Discloses Ransomware Breach Costs in SEC Filing
Johnson Controls International says that a ransomware attack in September 2023 has cost the company $27 million so far in response and remediation. According to a filing with the US Securities and Exchange Commission (SEC), “the cybersecurity incident consisted of unauthorized access, data exfiltration and deployment of ransomware by a third party to a portion of the Company’s internal IT infrastructure.” The company has restored affected systems and anticipates that it will incur additional related expenses. Johnson Controls makes fire, HVAC, and security equipment for buildings.
To give you an idea of why cybersecurity is often NOT the top priority of the CEO or Board of Directors: in their SEC filing, Johnson Controls notes they are carrying $96M of cost for dealing with asbestos usage/exposure lawsuits and are carrying $328M of liabilities for self-insuring “… liabilities for its workers' compensation, product, general and auto liabilities.” That $27M cost for this incident (after insurance payout) looks a good deal smaller in perspective. But a relatively small investment in security operations would likely have avoided the full expense of this incident. If Johnson Controls had avoided this incident, its reported profit for the quarter would have been 7% higher, not a bad return.
The Dark Angels gang, which carried out the September attack, claimed to have stolen 27Tb of data and sought a $51 million ransom, which is still more than the $27 million cost so far. Note that the cost includes lost or deferred revenue and business disruption, as well as costs which are expected to be covered by insurance. Make sure that if you're in a position to report the cost, you've got coverage for not only the cyber and IT activities but also the overall costs to the business.
While $27M seems like a big number, when put in the context of annual revenue of $26.6B, it isn’t. Additionally, the company carried cybersecurity insurance, and given the cybercriminals' demand of $51M for the decryption key, it is unlikely that they paid the extortion. Finally, with the SEC’s new cybersecurity reporting requirements, it is doubtful that they will change the reporting of the event to that of a material cybersecurity incident.