The U.S. Securities and Exchange Commission ("SEC" or the "Commission") has ordered Blackbaud, Inc. ("Blackbaud") to pay $3 million to resolve claims that it made materially misleading statements about a 2020 ransomware attack and failed to maintain adequate disclosure controls related to cybersecurity. The SEC's March 9, 2023 order and accompanying press release focuses on three allegedly material misstatements: Blackbaud's failure to correct a statement on its website that the attack did not compromise bank account information or Social Security numbers—even after Blackbaud personnel investigating the attack found clear information to the contrary; the company's failure to disclose the compromise of that sensitive data in a Form 10-K; and the company's cybersecurity risk statement in its Form 10-Q characterizing the risk of sensitive data exfiltration as merely hypothetical, despite knowing that exfiltration of unencrypted bank account information, Social Security numbers, and usernames and/or passwords had occurred as a result of the ransomware attack.
Overview of the SEC Order
Blackbaud is a public company that provides software to non-profit organizations to help them manage data about their donors. The SEC order asserts that Blackbaud identified the attack on May 14, 2020 and identified messages from the attacker in its systems claiming to have exfiltrated data concerning Blackbaud's customers. Blackbaud investigated the unauthorized activity with the assistance of a third-party cybersecurity firm that helped Blackbaud communicate with the attacker and coordinated payment of a ransom in exchange for the attacker's promise to delete the exfiltrated data.
By July 16, 2020, Blackbaud had determined that the attacker had exfiltrated at least a million files and based on a review of the exfiltrated file names, Blackbaud identified 13,000 impacted customers. On July 16, Blackbaud announced the incident on its website and sent notices to the impacted customers. In both communications, Blackbaud asserted that the attacker had not accessed bank account information or social security numbers.
After announcing the incident, Blackbaud received over a thousand communications from customers, many raising concerns that they had uploaded sensitive data to fields in Blackbaud's software that were not encrypted. In response to these customer inquiries, Blackbaud personnel conducted further analysis and confirmed that donor bank account information and Social Security information had been accessed and exfiltrated during the ransomware attack in an unencrypted format.
Notably, the personnel that conducted this review did not communicate to senior management that sensitive customer information had been identified, and the SEC alleged that Blackbaud had no policies or procedures in place to require that these findings be reported to senior management. On August 4, 2020, Blackbaud filed its Form 10-Q with the SEC acknowledging the attack but failing to disclose the exfiltration of significant amounts of donor Social Security numbers and bank account numbers. Regarding compromise of data, the 10-Q stated only that "the cybercriminal removed a copy of a subset of data." The Form 10-Q also contained the company's discussion of its cybersecurity risks, which included a statement that the compromise of sensitive donor data "could adversely affect" the company's reputation, operations and finances (emphasis added).
On September 29, 2020, Blackbaud filed a Form 8-K concerning the attack and for the first time publicly acknowledged that the attacker "may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords."
The SEC alleged that Blackbaud made material misstatements and omissions regarding the ransomware attack and the resulting compromise of sensitive donor information in violation of Sections 17(a)(2) and (3) of the Securities Act, Section 13(a) of the Exchange Act and Exchange Act rules 13a-13 and 12b-20. The SEC further alleged that the company violated Exchange Act Rule 13a-15(a), which requires issuers to maintain disclosure controls and procedures, including those designed to ensure that material information is communicated to the issuer's management. The SEC asserted that Blackbaud violated this requirement by failing to have disclosure controls and procedures related to the disclosure of cybersecurity risks or incidents, including incidents involving the exposure of sensitive donor information.
The SEC's enforcement action against Blackbaud provides several takeaways for publicly traded companies:
- The SEC continues to make cybersecurity disclosures and disclosure controls a major enforcement priority. We previously have analyzed several significant SEC settlements with Pearson plc and First American Financial Corp. that focused both on public companies' disclosures of cybersecurity incidents and risk and their controls for identifying and reporting such incidents and risks to senior management.
- Companies must maintain disclosure controls for cybersecurity risks—including those that require incident investigators to report significant findings to senior management. Investigations of cybersecurity incidents can be chaotic, with new information emerging constantly and rapidly. But businesses that have clear policies and procedures in place to timely process findings from their investigation, and report material information to senior management contemporaneously, are best positioned to avoid regulatory inquiry and enforcement.
- Companies that have suffered a cybersecurity incident should carefully scrutinize any proposed public disclosure about the incident and ensure that those statements are supported by the company's investigation. Understandings of cybersecurity incidents and their effects can evolve dramatically over the course of an investigation. While it may be tempting to make definitive statements shortly after an attack to provide assurances to customers and others, companies can run afoul of securities, consumer protection, and other laws if they allow their public statements about an incident to get ahead of the investigation. By rushing to make public statements, companies may subsequently be forced to make embarrassing and confidence-undermining corrective statements about the incident after the investigation is completed. The best compliance safeguard against these potential mistakes is a clear set of procedures and protocols which ensure that senior management is informed of all material investigative developments.
- The SEC, along with state attorneys general and other government agencies, continue to carefully scrutinize companies' public statements related to security incidents and data breaches. In addition to our analysis of the Pearson plc and First American settlements, we have discussed the SEC's close reading of breach disclosure in a settlement with a set of broker-dealers and investment advisors and similar approaches by other government agencies such as the New York attorney general. Companies must draft their disclosures carefully and avoid common pitfalls, such as mischaracterizing confirmed compromises merely as possibilities.
- Now is an ideal time for companies to revisit their cybersecurity disclosure controls and other cybersecurity-related policies and procedures. As we noted in a recent post, the SEC intends to finalize proposed cybersecurity risk management, strategy, governance, and incident disclosure rules for public companies in April of this year. We analyze the SEC's proposed rules here. The SEC also is holding an open hearing today, March 15, 2023, to discuss the proposal of several additional data privacy and cybersecurity rules for SEC-regulated entities.
DWT's Privacy & Security and Financial Services practices groups regularly advise our clients on the SEC's rules, guidance, and enforcement activity related to cybersecurity, and the best approach to meeting evolving regulatory expectations. We will continue to monitor the SEC's activity in this area—particularly its forthcoming cybersecurity regulations for public companies.