SmileDirectClub: Attack Taking Big Bite Out of RevenueSEC Filing Predicts $10 Million to $15 Million Impact
SmileDirectClub, which sells teeth-straightening appliances, expects that a recent cyberattack, which disrupted the manufacturing of its products, will take a $10 million to $15 million bite out of its second-quarter revenue.
Nashville, Tennessee-based SmileDirectClub, in an 8-K filing with the Security and Exchange Commission, says that it experienced a systems outage caused by a cybersecurity incident on April 14, which it expects to result in a cut in revenue for the second quarter ending June 30.
"While it is too early to assess the full impact of the incident on the second quarter of 2021, the company now expects second quarter 2021 revenue to be approximately $195 million - $200 million," the SEC filing notes. "These estimates reflect an approximately $10 million - $15 million revenue impact in the quarter from the cyberattack and the associated downtime in treatment planning and manufacturing."
Despite insurance coverage, the incident may have a "material impact" on the company's overall financial results for the quarter, the report adds.
No Ransom Paid
SmileDirectClub declined Information Security Media Group's request for additional information about the incident, including whether ransomware was involved.
In its SEC filing, however, the company notes it was "able to successfully block the attack" and that it paid no ransom. The company’s systems and operations are back online and performing normally, the Monday filing says.
"The company promptly implemented a series of containment and remediation measures to address the incident, including temporarily isolating and shutting down affected systems and related manufacturing operations," the filing says.
SmileDirectClub says it immediately mobilized its internal engineering security team and engaged forensic information technology firms to assist in the investigation.
"Since the date of the incident, the company has been, and is, actively managing the incident and, in consultation with its third-party advisers, investigating and seeking to understand and quantify the impact on the company, its business operations and financial results," the SEC filing notes.
'No Data Loss'
The company says it's not aware of any data loss or loss of assets as a result of the incident.
"The incident, however, has caused, and may continue to cause, delays and disruptions to parts of the company’s business, including treatment planning, manufacturing operations and product delivery," the SEC filing says.
"While the company maintains insurance coverage for certain expenses and potential liabilities that may be associated with the incident … at this time, the company expects that the incident may have a material impact on its business operations and financial results in the second quarter."
Cost of Attacks
The recent surge of ransomware attacks in the healthcare sector has shined a light on the costs associated with losing the availability of systems and data, says Jon Moore, chief risk officer at the privacy and security consultancy Clearwater Compliance.
"We find that more organizations are now becoming aware - unfortunately sometimes the hard way - of the impact on their bottom line from losing access to the systems and data they need to operate," he says.
Compared to many nonprofit healthcare delivery organizations, publicly traded companies - such as SmileDirectClub - generally have more resources to apply to implementing security safeguards to reduce their risks, Moore contends.
"Their boards and leadership are becoming more sophisticated in their understanding of cybersecurity and cyber risk, and therefore may be more likely to make the needed investments," he says.
"If they do this and stay ahead of the perpetrators of these attacks, they will be less likely to suffer an attack with a material impact on their business and will have no need to report."
The financial impact of a cyber incident is frequently underestimated, says former healthcare CIO David Finn, executive vice president at the consultancy CynergisTek.
"In a hospital, for example, if the electronic medical records system goes down for two weeks, you are not capturing charges, orders, results. Claims processing stops," he says.
"On top of that is lost revenue when you are not performing elective procedures. You have also depleted cash reserves so no interest or investment income."
For healthcare entities, cyber incidents typically can lead to a 6% to 10% reduction in revenue from lost charges, Finn says. "Not infrequently, IT projects are deferred to reduce capital costs, but that may keep operating costs higher than if the IT solutions were implemented."
Business Impact Analysis
Organizations should conduct a business impact analysis and feed that information into their risk analysis in case of a security incident, Moore says.
"We have found this to be particularly effective in helping an organization understand the importance of its different IT systems to its business and to consider the impact to the business if the confidentiality, integrity or availability of the information processed by that system is lost."
Regulatory attorney Marti Arvin of CynergisTek adds: "The discussion of cyberattacks is often fragmented. Thus, there is not an assessment of the overall impact on business resilience. Incident response exercises should be enterprise-focused and not an IT-only exercise. This will help senior leaders understand the possible implications to the ability to continue revenue-generating activities and the potential impact on the bottom line."