If They Came For Clorox, Who's Next?
Assessing why the winner of the World's Most Boring Business award got hacked, and what it means for other Boring Businesses
Well, That’s Not Good
About a week ago MGM announced to the world that it had been the victim of a cyberattack. A similar attack had been launched on Caesars Palace only a few days prior, and Caesars reportedly paid a ransom to the hackers to avoid the release of customer data.
I’ll presume it to be a matter of fact that you’ve seen Ocean’s 11. And maybe 12 (but hopefully you didn’t) or 13. And there’s a joke to be make here somewhere regarding these movies and these cyberattacks, but it’s just not coming. Anyway, casinos are at the top of the game when it comes to physical security, and so it’s somewhat surprising that (in MGM’s case), it appears that the hackers just needed to impersonate an employee to the IT desk to gain juuuust enough information to gain access to the system. Turns out you don’t need learn some ridiculous dance moves to break into a casino, after all.
I won’t belabor the casino hacks any longer, but the main point is that its not surprising that two casinos, which in some ways are the embodiment of dollar signs, would be the target of hacking attacks. Hackers target these kinds of businesses all the time. I mean, MGM isn’t a boring company like Clorox or anything. It’s not like hackers are interested in that kind of business.
Except for now they are, of course.
Yesterday Clorox announced that:
It had been hacked.
The hack slowed its operations quite a bit.
It expected to sustain a material impact in its quarterly earnings due to the hack.
Now, there are some businesses that are generally presumed to be a higher risk for hacking, and others which are perceived to be at lower risk. Banks, brokerage firms, casinos, etc, are generally at the top. Makers of household disinfectants and wipes typically rank near the bottom.
The attack, I should note, still has Clorox’s operations down and management currently expects to have systems up and running the week of September 25th. In the world of automated business processes, that’s a lifetime.
Of course, it’s not as though Clorox management wasn’t aware of the risk. In the lawyerly, boiler-plate language of risk disclosures, Clorox states the following on page 14 of its latest 10K:
Failure of key technology systems, cyber-attacks, privacy breaches or data breaches could have a material adverse effect on the Company’s business, financial condition, results of operations and reputation.
See? There it is! Of course, this statement is there because the army of lawyers employed by Clorox are good and probably said to management “Look, we don’t know why anyone would hack Clorox but you gotta have this in there because it’s just something you have to say.” [Note: I am not implying that Clorox took a lax stance on cybersecurity as I have no evidence to indicate that, I’m simply saying that, come on man, it’s Clorox.]
Now, let’s pull the lens back a little bit. I would make a pretty big wager that in the headquarters of Boring Companies everywhere today there are lots of phone calls happened between management and directors asking versions of the following questions: “What is our risk?” and “If it happened to Clorox could it happen to us?”
McKinsey estimates that cybersecurity spend by American companies has grown by 12.4 percent annually. They further estimate that the total TAM of the cybersecurity world to be between $1.5-2 trillion.
Now, we can debate the overall size of the market endlessly, but the point here is that the market is a) quite a bit larger than it is today, and b) the spend from companies on cybersecurity is going to grow.
Turning back to Clorox as an extension for other Boring Companies, the company spent $6 million on “IT project personnel costs,” which was down from $11 million the previous year.
This is the extent of Clorox’s disclosures (that I can find) which pertains directly to IT or anything that might indicate a spend of some kind that could be cyber-security related (the remaining IT budget costs are buried within Selling & Administrative).
What can safely be assumed, however, is that the spend for Clorox will go up for cybersecurity. This will likely flow through to margins, which is ultimately what investors will care about.
So, two big takeaways here, I guess:
Cybersecurity likely just became much more top of mind for companies who previously assessed their risk as nominal.
Cybersecurity companies have a lot of runway ahead of them if companies like Clorox are going to be targeted.
(Leveraged) Cash Incinerator
Last week I wrote briefly about zero day options (known as 0DTE), their popularity among retail traders and their gambling-like nature. Since writing about it, a few new things have come to my attention.
First, a 0DTE ETF was launched last week. So, there’s that.
Second, I was only peripherally aware of the insane amount of leverage in this high-stakes market. Bloomberg reported today that 0DTE’s have an average daily notional volume of $516 billion per day against actual premium of $520 million per day. Just some back of the napkin math reveals that the notional value is, like, 1,000% over the actual cash.
I’m sure this will all end well.
Final Thoughts…
FTX is going after fraud-perpetrator-whiz-kid SBF’s parents. Instacart IPO priced at $30. The Fed now gets to deal with rising oil prices (read: Saudi Arabia). Companies are slowing down on their climate promises. China’s currency keeps sliding. Canada thinks India went full Russia and killed a Sikh leader in Canada. That super weird Silicon Valley millionaire that gets blood transfusions from 18 year olds keeps getting headlines for some mystifying reason.
Thanks for reading! As always, nothing here is ever, ever meant to be investment advice.
Please consider sharing or forwarding this article to any friends who may find it interesting.