VF Corporation revealed the incident as new US Securities and Exchange Commission (SEC) reporting rules come into effect.
VF Corporation, the company behind a range of well-known fashion brands, has revealed in an SEC filing that it has suffered some form of cyber incident.
The company – which owns a raft of brands such as Vans and Timberland – said it noticed “unauthorised occurrences” on its network on 13 December.
According to the filing, some IT systems were encrypted in the attack, and some data – including personal data – was stolen.
“The company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers,” the company said in its filing.
Stores are open, and sales are still being made, but VF Corporation is noting “certain operational disruptions”, including to its ability to actually fulfil any orders – no doubt a blow to some Christmas shopping plans.
Investigations are ongoing, and VF Corporation has hired external experts. So far, no threat actor has taken responsibility for the attack, but the fact that data was both encrypted and stolen could suggest a ransomware incident.
New SEC rules
VF Corporation’s woes coincide with new SEC rules coming into effect in the US, requiring companies that have been impacted by a cyber attack to make a filing with the SEC within four days.
The new rules were announced in July 2023 and were aimed at bringing reporting of cyber incidents into line with other calamities that might materially affect a listed company.
“Whether a company loses a factory in a fire – or millions of files in a cyber security incident – it may be material to investors,” SEC chair Gary Gensler said in a statement at the time. “Currently, many public companies provide cyber security disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cyber security information, today’s rules will benefit investors, companies, and the markets connecting them.”
The new rule drew some complaints regarding the possibility of providing any kind of full report in such a short time, and it appears the SEC took the feedback on board. In a 14 December blog post, Erik Gerding, the director of the SEC’s division of corporation finance, said that companies would not now need to “disclose any specific or technical information about their incident response, systems or potential vulnerabilities if that could impede their incident response and remediation process”.
Gerding also confirmed the nature of the four-day rule itself.
“Public companies must provide the required cyber security incident disclosure within four business days after the company determines the incident to be material. The deadline is not four business days after the incident occurred or is discovered,” Gerding said.
“This timing recognises that, in many cases, a company will be unable to determine materiality the same day the incident is discovered.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.