On March 9, 2023, the SEC announced that it had settled charges that data management software company Blackbaud, Inc.’s cybersecurity disclosure policies and procedures violated the agency’s public company disclosure reporting requirements and that the company had made misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 of its customers. The company, which neither admitted nor denied the charges, agreed to a cease-and-desist order and to pay a $3 million penalty. The action, which follows a similar proceeding involving cybersecurity disclosures and procedures, highlights the agency’s focus on cybersecurity-related disclosures.
The SEC’s March 9, 2023, press release about the charges can be found here. The cease-and-desist order can be found here. The company’s March 9, 2023, filing on Form 8-K about the charges and their resolution can be found here.
Blackbaud provides donor management software to non-profit organizations, such as charities and schools. On May 14, 2020, Blackbaud’s IT personnel detected unauthorized access to the company’s systems that may have begun as early as February 2020. Among other things, the personnel found a message from the attacker claiming to have Blackbaud customer data and demanding payment. Working with a third-party cybersecurity firm, the company’s IT personnel coordinated the payment of a ransom in exchange for the attacker’s promise to delete the “exfiltrated” customer data.
By July 16, 2020, the company’s IT personnel understood that the attacker had exfiltrated at least one million files impacting over 13,000 customers. That same day, the company announced the incident for the first time on its website, saying, among other things, that “the cybercriminal did not access [customer] bank account information or social security numbers.” However, by the end of July 2020, the IT personnel determined that the attacker had in fact accessed donor bank account information and social security numbers in an unencrypted form.
Because of communications and questions from customers, Blackbaud IT personnel conducted further analyses and confirmed that certain donor bank account information had been accessed in unencrypted form. The SEC’s subsequent cease-and-desist order stated that “although the company’s personnel were aware of the unauthorized access and exfiltration of donor bank account numbers and social security numbers by the end of July 2020, the personnel with this information … did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.”
On August 4, 2020, the company filed its quarterly report on Form 10-Q. The report referred to the ransomware attack but did not mention the exfiltration of donor social security numbers and bank account numbers. The report did say that a “compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with customers and others,” but the report omitted to state that the risks of such an attack were no longer hypothetical.
On September 29, 2020, in a filing on Form 8-K, the company for the first time acknowledged that “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.”
The SEC alleges that during the relevant time period, that is, between the time of the company’s initial disclosure and its clarifying 8-K, the company offered and sold stock to its employees through an Equity and Incentive Compensation Plan.
The SEC’s Charges
Based on these allegations, the SEC alleged that the company had violated Rule 13a-15(a) under the Securities Exchange Act of 1934, which, the agency noted, requires “every issuer of a security registered pursuant to Section 12 of the Exchange Act” to “maintain disclosure controls and procedures designed to ensure that the information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified by the Commission’s rules and forms.” Further, the SEC alleged that the company violated Sections 17(a)(2) and (3) of the Securities Act, which prohibit any person from obtaining money or property by means of any untrue statement of a material fact or omission to state a material fact. Finally, the SEC alleged that the company violated Section 13(a) of the Exchange Act, and Rule 13a-13 thereunder, which requires reporting companies to file quarterly reports in compliance with the agency’s rules and regulations, as well as Rule 12b-20 of the Exchange Act, which requires quarterly reports to include material information necessary to make the reports not misleading.
The order further states that, in anticipation of the cease-and-desist proceedings, the company had submitted an offer of settlement, which the agency accepted. Without admitting or denying the agency’s charges, the company consented to the entry of an order finding violations of the cited Rules. The order requires the company to pay a civil money penalty in the amount of $3 million and to cease and desist from further violations.
Blackbaud was in effect charged with two violations here: (1) failing to have policies and procedures in place to ensure that its disclosures were accurate; and (2) filing a quarterly report that was not in compliance with requirements due to its omission of material information. Although there are two violations involved, the crux of the SEC’s case is that the company did not have sufficient procedures in place to make sure that information that needed to be upstreamed to senior management was in fact made available to them.
I emphasize the importance of the SEC’s “policies and procedures” allegations because this is not the first time that the agency has brought a settled enforcement action against a company for failing to have policies and procedures in place sufficient to ensure that disclosures with respect to a cybersecurity incident were accurate.
As I discussed in a blog post at the time (here), on July 21, 2021, the SEC brought a settled enforcement action against a company (in this case, First American Financial Corp.) based on allegations that the company lacked sufficient policies and procedures to ensure that the company’s disclosures relating to a cybersecurity incident were accurate. In both that prior case and the case against Blackbaud, IT personnel had become aware of further details about a cybersecurity incident, but the details had not been communicated to senior management, and therefore in each case the respective company’s disclosures about the cybersecurity incident omitted important information.
The agency has of course brought enforcement actions against other companies as well relating to cybersecurity disclosures. For example, as discussed here, in August 2021, the agency brought an enforcement action against U.K. publishing company Pearson plc alleging that the company misled investors about a 2018 data breach. That case settled for payment of a $1 million civil penalty. And as discussed here, in April 2018, the SEC agreed with Altaba, Yahoo’s successor in interest, to settle charges related to disclosures surrounding Yahoo’s massive data breach.
These various enforcement actions underscore that cybersecurity-related disclosure issues are an important agency priority, and that the agency is prepared to take action relating to cybersecurity disclosures. Indeed, as discussed here, in March 2022, the agency proposed new cybersecurity-related disclosure guidelines; the proposed guidelines have not yet been finalized or approved, but the agency’s issuance of the guidelines underscores the agency’s priority with respect to cybersecurity-related disclosures.
Within the larger context of the agency’s focus on cybersecurity-related disclosures, it is important to appreciate the significance of the agency’s concentration in this action, as well as in the earlier action against First American Financial Corp., on the issue of information and reporting controls and procedures to ensure that cybersecurity disclosures are accurate and complete. In that regard, it is important to note that the agency’s statements in the cease-and-desist order are not just commentary; they are the essence of the agency’s charges against the company.
The agency’s observations in this case and in the earlier case against First American Financial represent a wake-up call to all reporting companies. The obvious implication is that companies that do not have cybersecurity disclosure controls and procedures in place are vulnerable to allegations that they are in violation of the SEC’s public company reporting requirements. Companies would be well advised to take steps to ensure that they have controls and procedures in place to ensure that their cybersecurity disclosures meet the agency’s standards.
I think it is particularly important in connection with the Blackbaud case that the disclosures involved related not just to a cybersecurity incident but to a ransomware attack. I say this because a ransomware attack may be a particularly distressing and confusing set of circumstances, the very existence of which could create challenges with respect to full disclosure. Given the likely disorienting and uncertain circumstances that could be involved in the event of a ransomware attack, it could be particularly important to have information-flow controls, policies, and procedures in place – set up at a time when the company was not in crisis mode – to ensure that information gets where it needs to go, so that disclosures about incidents are accurate.
Given what was alleged to have happened with respect to Blackbaud, companies will want to ensure that they have a mechanism in place to ensure that management personnel responsible for reporting and disclosures are fully apprised of cybersecurity incidents and vulnerabilities, particularly as the incident investigation progresses and unfolds.
In that regard, it is important to note that the SEC’s proposed cybersecurity guidelines specifically require reporting companies to develop and put in place policies and procedures for cybersecurity-related disclosure and detection, and to disclose those policies and procedures to investors. Well-advised companies will not wait for the proposed guidelines to be finalized and approved to begin to take steps to fulfill these requirements. The SEC enforcement action against Blackbaud highlights the fact that the agency expects companies to have these kinds of policies and procedures in place, even in the absence of the adoption of the proposed new guidelines.