author photo
By Bruce Sussman
Wed | Nov 4, 2020 | 11:49 AM PST

Oh, what those SEC forms can reveal.

Toy giant Mattel filed its quarterly 10-Q with the U.S. Securities and Exchange Commission (SEC), and it gave a glimpse into a ransomware attack which hit the company earlier in the year.

What we know about the Mattel ransomware attack

The company's SEC filing revealed the ransomware attack was detected on July 28, 2020.

"Mattel discovered that it was the victim of a ransomware attack on its information technology systems that caused data on a number of systems to be encrypted. Promptly upon detection of the attack, Mattel began enacting its response protocols and taking a series of measures to stop the attack and restore impacted systems."

The company says the attack impacted some business operations temporarily, however, it says it was able to restore its operations. How did it do so? Was it from backups or perhaps paying a ransom? The SEC form leaves us wondering.

The company says that hackers did not steal data in this particular cyber incident.

"A forensic investigation of the incident has concluded, and no exfiltration of any sensitive business data or retail customer, supplier, consumer, or employee data was identified. There has been no material impact to Mattel's operations or financial condition as a result of the incident."

Cyber risk is business risk

Mattel's ransomware attack is more evidence that cyber risk is also business risk.

And look what we found in the small print of Mattel's 10-Q statement, where it lists material risks:

", reputational, and financial risks related to security breaches or cyberattacks."

At SecureWorld virtual conferences, we have tracked a rising trend as security leaders talk about this concept. That includes Randy Raw, VP of Information Security at Veteran's United Home Loans, who says:

"The language of business is about risk. Right now, there are a lot of business leaders who are thinking about risk in ways that they have never contemplated before.

Those risks are different, but those risks are presented in dollars, not in vulnerabilities, not in exploits, not in attacks, not in all the technical things that we think about.

We have to really figure out how to roll that risk up into the idea of what's the dollar cost."

And Raw says security leaders must do this at the same time they become innovators and enablers to serve the needs of the business.

[Randy Raw will be speaking at SecureWorld Denver-Kansas City]