Source: Kip Evans via Alamy Stock Photo
According to the documents it filed with the Securities and Exchange Commission (SEC) on March 12, MarineMax, a national boat and million-dollar-yacht retailer, has experienced a "cybersecurity incident," disrupting its operations.
The incident occurred due to a third-party gaining unauthorized access to the company's information systems, though the company has not specified who the threat actor was, nor what kind of incident took place, be it a ransomware attack or otherwise.
"MarineMax [has] experienced a 'cybersecurity incident,' as defined in applicable Securities and Exchange Commission rules, whereby a third party gained unauthorized access to portions of its information environment,” the company explained in the filing. The SEC incident-disclosure rules recently changed to require a Form 8-K to be filed within "four business days of determining [a cyber] incident was material," meaning impactful enough to affect operational performance and, therefore, carrying implications for investors.
However, the company also stated that "the incident has not had a material impact on the company's operations," despite the disruption that occurred while it was carrying out containment measures, and that it does not store any sensitive data in its systems that could have been compromised during the incident. It's unclear why there is a discrepancy in its language, but it could be filing a voluntary notice as a precaution against non-compliance while it continues to examine the situation.
At the time of the filing, MarineMax did note that the investigation it is conducting is ongoing and that law enforcement authorities have been alerted.