Crimson Wine Group, Ltd - (CWGL)

8-K Filing Date: July 25, 2024
Item 1.05. Material Cybersecurity Incidents.
As previously disclosed on the Current Report on Form 8-K filed by Crimson Wine Group, Ltd. (the “Company”) on July 5, 2024 (the “Initial Report”), on June 30, 2024, the Company detected a cybersecurity incident in which an unauthorized third party gained access to certain information systems of the Company. Upon detection, the Company promptly initiated response protocols and began taking steps to contain, assess and remediate the cybersecurity incident, including launching an investigation with external cybersecurity experts. As the Company was in early stages of its investigation and assessment of the incident, it was unable to determine at the time of the Initial Report whether the incident had or will have a material impact on the Company.
On July 25, 2024, the Company determined that the cybersecurity incident has likely had a material impact on the Company’s business operations. The incident consisted of the third party’s unauthorized access to a portion of the Company’s internal information systems and the exfiltration of certain files, including files potentially containing sensitive personal information. The Company is still investigating the extent of any personal or otherwise sensitive information contained in the files acquired by the unauthorized third party, including if any personal information of customers was impacted. The Company intends to provide required notifications to affected and potentially affected parties and to applicable regulatory agencies. As part of its process to contain, assess and remediate the incident, the Company took measures, including shutting down certain of its systems, to isolate its operations from the Internet, which resulted in disruption to the Company’s business operations, despite the implementation of workarounds for certain offline operations, and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions, including financial and operating reporting systems. Although the Company has substantially restored its information systems and data that were impacted by the cybersecurity incident and has resumed normal business operations, it continues to assess operational impacts and evaluate additional measures to strengthen its surveillance of cybersecurity threats and to prevent unauthorized cybersecurity incidents on or conducted through its information systems and to strengthen its information backup protocols.
Although the Company has determined that the cybersecurity incident has likely had a material impact on the Company’s business operations, as of the date of this Current Report on Form 8-K, the Company believes that the cybersecurity incident has not had a material impact on the Company’s overall financial condition or results of operations, and the Company does not believe the cybersecurity incident is reasonably likely to materially impact the Company’s overall financial condition or results of operations. The Company believes it holds adequate cybersecurity insurance to offset a substantial portion of the costs of the cybersecurity incident; however, the Company may incur expenses and losses related to this incident that are not covered by insurance. To the extent the Company incurs future, material direct expenses or other losses as a result of this cybersecurity incident, and those costs are not covered by insurance, the Company will report such material losses in the appropriate period.
The Company remains subject to various risks due to the cybersecurity incident, including potential litigation, changes in customer behavior, additional regulatory scrutiny, and the subsequent availability of, or increase in cost to the Company of, its insurance policy covering cybersecurity incidents.
Forward-Looking Statements
This Current Report on Form 8-K contains forward-looking statements, including, but not limited to, statements regarding the Company’s current beliefs, understanding and expectations regarding the cybersecurity incident and its impact or anticipated impact on the Company’s business, operations and financial results. Factors that could cause actual results to differ from those expressed in these forward-looking statements include the ongoing assessment of the cybersecurity incident; legal, reputational and financial risks resulting from the cybersecurity incident or additional cybersecurity incidents; and the risks described in the Company’s Annual Report on Form 10-K for the year ended December 31, 2023 and subsequent Quarterly Reports on Form 10-Q. Unless required by law, the Company expressly disclaims any obligation to update publicly any forward-looking statements, whether as a result of new information, future events or otherwise.