You may remember that the US SEC is starting to require public companies to disclose "material cybersecurity incidents" pretty quickly after they're discovered. We've been doing a lot of beard-stroking (kidding, I can't grow a beard) about how companies will navigate between the Scylla of SEC wrath and the Charybdis of their obligations to their shareholders.
VF, the parent of The North Face and other brands, disclosed in an 8-K filing on 12/18/23 that they'd had a breach and that it could be impactful.
Want details? Too bad. I won't paste their disclosure here, even though I could because it's one paragraph long. I can paste one sentence of it, because it's fun:
"VF Corporation (“VF” or the “Company”) detected unauthorized occurrences on a portion of its information technology (IT) systems. Upon detecting the unauthorized occurrences, the Company immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, and shutting down some systems."
Let me translate that for you. "Some computers had some bad stuff done to them. As soon as we found out, we started doing what we do when bad stuff is identified."
The whole disclosure is like that – uninformative, traction-less, and so general as to be dismissive (even contemptuous) of the requirement laid down by the SEC.
Which is not to say that this isn't a perfectly good way to thread the needle. Time will tell if VF's stroke of the uninformative pen becomes boilerplate for all of the 8-K Cyber disclosures in the future.