On March 9, 2023, the Securities and Exchange Commission (“SEC”) announced that Blackbaud Inc. (“Blackbaud”) agreed to pay $3 million to settle charges for alleged misleading disclosures about its 2020 ransomware attack and for alleged disclosure control failures.1
Blackbaud, a South Carolina-based company that provides data management software to colleges, universities, and non-profit organizations, suffered a ransomware attack in 2020 impacting more than 13,000 customers. According to the SEC’s order, unauthorized access to Blackbaud systems began in February of 2020 and was first discovered in May 2020.
According to the SEC’s March 9, 2023, press release, on July 16, 2020, Blackbaud notified its customers and publicly announced on its website that it had fallen victim to a ransomware attack.2 In that announcement, the company asserted that the attacker had not accessed any donor bank account information or Social Security numbers and that the compromised data was limited to names, contact information, some health information, and similarly related personal data. Upon further investigation, however, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated donor bank account information and Social Security numbers. According to the SEC order, this development was not brought to the attention of senior managers because the company did not maintain adequate disclosure controls and procedures. Blackbaud issued no follow-up disclosure correcting the inaccurate statement, and its quarterly report on Form 10-Q filed in August 2020 omitted the fact that the attacker had exfiltrated the sensitive donor data. The SEC viewed this omission as material and found that the company, in its disclosures, misrepresented the scope of the attack and the nature of the data impacted.
According to David Hirsh, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous. … Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”3
The SEC found that Blackbaud violated Sections 17(a)(2) and (3) of the Securities Act and that, by filing misleading periodic reports, it violated Section 13(a) of the Exchange Act and Rules 12b-20 and 13a-13 thereunder.4 Lastly, the SEC charged the company with failing to maintain disclosure controls and procedures as required by Exchange Act Rule 13a-15(a).5 As part of the settlement, the company agreed to pay a $3 million civil penalty. Notably, the order fits a broader trend in which the SEC has faulted registrants for describing, in their risk-factor disclosures, a risk that has in fact already materialized as merely “hypothetical.”
The settlement serves as a reminder for public companies to review and test the internal policies and procedures that apply following a cybersecurity incident, for example through tabletop exercises. Importantly, additional SEC proposed rules on the horizon would, among other things, be more prescriptive regarding written policies and notification requirements.6 With that in mind, a particular focus on assessing internal cybersecurity escalation policies and disclosure controls and procedures, including appropriate stakeholder review of public notices and disclosures before they are issued, will be a valuable part of this review and testing.
2 In a subsequent September 29, 2020 Form 8-K, the company advised that a “subset of data” had been removed from its environment.
4 See SEC Order, In the Matter of Blackbaud, Inc., Respondent, available at comp-pr2023-48.pdf (sec.gov)
6 See also our March 10, 2022, Legal Update “SEC Proposes Amendments That Would Place New Cybersecurity Reporting and Disclosure Requirements on Public Companies.”