CDK hack shows SEC disclosure standards are unsettled
As the damage from the ransomware attack on automotive software provider CDK Global has become clear over recent weeks, numerous auto dealers felt compelled to notify the Securities and Exchange Commission that the breach had harmed their operations.
CDK’s parent company, Brookfield Business Partners, which apparently paid nearly $25 million in ransom to attackers, does not feel the same way. In a press release issued July 3, the company said “we do not expect this incident to have a material impact on Brookfield Business Partners.”
Despite the attack’s downstream effect on the U.S. auto industry, CDK and its parent company did not file with the SEC under its new rules for reporting breaches.
Attorneys and cybersecurity experts whom CyberScoop spoke to found the dichotomy between how the victim company approached its disclosures and how its indirect victims approached theirs to be somewhere between inevitable and absurd. The differing approaches straddle the perceived ambiguity of SEC rules that took effect late last year governing when publicly traded companies must report a cyber incident to the regulator.
At issue is the definition of what counts as “material,” the threshold that triggers a company’s obligation to report an attack to the commission. The term rests on a firm’s own assessment of whether a “reasonable investor” would want to know about the incident before deciding whether to invest in the company.
“I certainly am sympathetic to the argument that what is material for one entity is not material for another entity,” said Bob Kolasky, a former top official at the Cybersecurity and Infrastructure Security Agency and now a nonresident scholar in the technology and international affairs program at the Carnegie Endowment for International Peace.
On the other hand, “based on my understanding of the ransomware attack on CDK, yes, I believe a reasonable investor would want to know about it because of the nature of the attention it has gotten and the tail that will happen because of that attention,” said Kolasky, who’s also senior vice president of critical infrastructure at Exiger, a supply chain risk management company. “It creates a ton of uncertainty about the kind of scrutiny that’s going to follow from this.”
Allan Liska, a threat intelligence analyst at Recorded Future, said he found Brookfield Business Partners’ assessment that the CDK Global hack wouldn’t have a material impact to be “complete bulls–t,” adding, “it has to be [material], given the scope and the level of disruption that it caused.”
But if a business is sufficiently dominant, Liska pointed out, companies can easily absorb the financial pain of even a major breach. “Maybe it’s not going to affect their bottom line, and part of that, of course, is that CDK, as far as I can tell, has a pretty big market share and there aren’t many alternatives,” he said.
Brookfield Business Partners didn’t respond to questions about how it determined the materiality of the CDK Global breach. The attack, which impacted software used by nearly 15,000 auto dealerships, crippled sales operations in the U.S. auto industry for several weeks.
Some of the affected auto dealerships commented on the disruption in their filings to the SEC, but included caveats about materiality. “While this incident has had, and is likely to continue to have, a negative impact on the Company’s business operations until the relevant systems are fully restored, the Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations,” wrote Lithia Motors.
Fort Lauderdale, Florida-based AutoNation, one of the country’s biggest car dealership chains, announced Monday in an SEC filing that the attack lowered its second-quarter profit by about $1.50 a share. Despite the loss, the company said it doesn’t expect the incident to have a material impact on its overall financial condition or ongoing results.
Without being privy to all the details of the CDK attack, Elizabeth Wharton — who worked as an attorney for the city of Atlanta and now serves as founder of Silver Key Strategies — said that after breaches, companies’ stock prices often bounce back. And some of CDK Global’s customers might decide that even when dealing with the fallout of a cyberattack, switching to its competitors isn’t worth the trouble, which could minimize the impact on the company’s anticipated bottom line.
“It’s not like every car dealership, car loan financial company or supplier can just pivot on a dime and pick up a new vendor to use,” she said. “If you’ve ever tried switching between SalesForce and HubSpot, I feel like every sales and marketing head would just start weeping. It’s not easy and it sets you back a couple months just to get used to the new system.”
SEC guidance states that the size of a ransomware payment is not, by itself, determinative of whether a cyber incident is material. The commission’s guidance has also addressed other conditions under which a ransomware attack would meet the materiality threshold.
Before materiality even comes into play, the first question is whether a company is subject to cyber incident reporting at all, which turns on whether it is publicly traded or privately held, noted Brian Finch, a lawyer and partner at Pillsbury Public Policy. (Brookfield is a client of Pillsbury, so its attorneys wouldn’t comment directly on the breach or the companies involved.)
CDK is a privately owned company and thus not subject to the SEC regulations, but its publicly traded parent company, Brookfield, is.
Brookfield Business Partners managed nearly $16 billion in assets last year, according to its annual report, and the Brookfield Corporation, of which Brookfield Business Partners is a part, reported revenues of nearly $96 billion for 2023, its annual report states.
For businesses of this size, $25 million — the reported size of the CDK ransom payment — represents a drop in the bucket for its bottom line, Finch said.
To be sure, if the SEC decides a company should have disclosed something as material, “having the SEC investigate you is a really big deal, and it’s a big deal for any number of reasons, including their ferocious investigators,” Finch said. “They have a lot of power, they have a lot of expertise, and they can impose really significant fines.”
As a result, “companies seem to be erring on the side of over-disclosure,” said David Oliweinstein, also a partner at Pillsbury who once worked in the SEC’s enforcement division.
But because the rules are so new, it might take SEC enforcement action and case law to settle precisely where the materiality threshold falls for cyber incident reporting, the experts said.
Right now, situations like the CDK Global hack are causing a different kind of divide, Liska said.
“My first interpretation, and what I think a lot of cybersecurity people’s first impression of the SEC guidelines are, are very, very different than what the lawyers for these companies are interpreting the guidelines to mean,” he said.