UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM
CURRENT REPORT
PURSUANT TO SECTION 13 OR 15(d)
OF THE SECURITIES EXCHANGE ACT OF 1934
Date of report (Date of earliest event reported):
(Exact name of registrant as specified in charter)
(State or Other Jurisdiction of Incorporation) |
(Commission File Number) |
(IRS Employer Identification No.) |
(Address of principal executive offices)
(Registrant’s telephone number, including area code)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425) |
Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12) |
Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b)) |
Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c)) |
Securities registered pursuant to Section 12(b) of the Act:
Title of Each Class |
Trading Symbol(s) |
Name of Each Exchange on which Registered | ||
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Explanatory Note
Item 1.05 | Material Cybersecurity Incidents. |
As disclosed in the Original Report, on December 13, 2023, VF detected unauthorized occurrences on a portion of its information technology (IT) systems. Upon detecting the unauthorized occurrences, VF immediately began taking steps to contain, assess and remediate the cyber incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, and shutting down some systems. As a result of these and other measures, and while VF’s investigation and remediation efforts remain ongoing, VF believes the threat actor was ejected from VF’s IT systems on December 15, 2023. VF has notified, is cooperating with, and will continue to cooperate with and notify, federal law enforcement and the relevant regulatory authorities as required under applicable law.
As of the date of this Amendment, VF-operated retail stores, brand e-commerce sites and distribution centers are operating with minimal issues. After VF shut down some of its systems, VF experienced disruption to certain of its operations, including interrupted replenishment of retail store inventory and delayed order fulfillment which had impacts such as the cancellation by customers and consumers of some product orders, reduced demand on certain of its brands’ e-commerce sites, and delay of some wholesale shipments. Since the filing of the Original Report, while VF is still experiencing minor residual impacts from the cyber incident, VF has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident. Since the filing of the Original Report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts.
Based on VF’s preliminary analysis from its ongoing investigation, VF currently estimates that the threat actor stole personal data of approximately 35.5 million individual consumers. However, VF does not collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices, and, while the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor.
While the investigation remains ongoing, as of the date of this Amendment, VF believes that the material impact or reasonably likely material impact on VF is limited to the material impacts on VF’s business operations disclosed in the Original Report which are no longer ongoing at this time. As of the date of this Amendment, VF also believes the impacts of the cyber incident are not material and are not reasonably likely to be material to its financial condition and results of operations.
VF will be seeking reimbursement of costs, expenses and losses stemming from the cyber incident by submitting claims to VF’s cybersecurity insurers. The timing and amount of any such reimbursements is not known at this time.
Forward-Looking Statements
This Current Report on Form 8-K/A contains “forward-looking statements” within the meaning of the federal securities laws. Forward-looking statements are made based on VF’s expectations and beliefs concerning future events impacting VF and therefore involve several risks and uncertainties. Words such as “will,” “anticipate,” “estimate,” “expect,” “should,” “believe,” and “may” and other words and terms of similar meaning or use of future dates may be used to identify forward-looking statements, however, the absence of these words or similar expressions does not
mean that a statement is not forward-looking. All statements regarding the impact from the cybersecurity incident, the scope of the investigation and VF’s plans, objectives, projections and expectations relating to VF’s operations or financial condition, and assumptions related thereto are forward-looking statements. Forward-looking statements are not guarantees and actual results could differ materially from those expressed or implied in the forward-looking statements. VF undertakes no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law. Potential risks and uncertainties that could cause the actual results of operations or financial condition of VF to differ materially from those expressed or implied by forward-looking statements include, but are not limited to: VF’s ongoing assessment of the impacts of the cybersecurity incident; VF’s ongoing assessment of the incident, including VF’s potential discovery of additional information related to the incident in connection with its investigation or otherwise; VF’s expectations regarding its ability to contain and remediate the cybersecurity incident; further delays in the time required to verify some or all of VF’s information technology systems; the impact of the incident on VF’s relationships with customers, consumers, vendors and employees, VF’s business operations, financial condition, results of operations and reputation, and confidence in our e-commerce platforms; legal, reputational and financial risks resulting from the cybersecurity incident; the effectiveness of cybersecurity remediation and recovery plans and cybersecurity risk management policies and practices; and that any future, or still undetected, cybersecurity related incident, whether an attack, disruption, intrusion, denial of service, theft or other breach could result in unauthorized access to, or disclosure of, data, resulting in claims, costs and reputational harm that could negatively affect our actual results of operations or financial condition. More information on potential factors that could affect VF’s financial results is included from time to time in VF’s public reports filed with the SEC, including VF’s Annual Report on Form 10-K, and Quarterly Reports on Form 10-Q, and Forms 8-K filed or furnished with the SEC.
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
V.F. CORPORATION | ||
By: | /s/ Jennifer S. Sim | |
Name: | Jennifer S. Sim | |
Title: | Executive Vice President, General Counsel & Secretary |
Date: January 18, 2024