SEC Brings Cyber Disclosure Enforcement Action


On March 9, 2023, the U.S. Securities and Exchange Commission (SEC) announced settled administrative charges against Blackbaud Inc. The case stems from disclosures Blackbaud made to investors regarding a 2020 ransomware attack that targeted donor data management software the company provides to non-profit organizations.

The SEC’s order alleges that Blackbaud initially announced details of the incident on the company’s website and notified impacted customers in July 2020. In the website post and related notices, the company indicated that the threat actor did not access any donor bank account information or social security numbers. Within days of these statements, however, the SEC observed that the company’s technology and customer relations personnel learned that these claims with respect to bank account information and social security numbers were untrue. Nevertheless, according to the SEC, the company filed a quarterly report on Form 10-Q in August 2020 that discussed the incident but omitted material information about the scope of the attack, and misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical. The SEC’s order further alleges that at the end of September 2020 Blackbaud disclosed for the first time that the attacker had accessed unencrypted donor bank account information and social security numbers for certain of the impacted customers.

The SEC’s order finds that Blackbaud violated the antifraud provisions of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933; the reporting provisions of Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20 and 13a-13 thereunder; and the disclosure controls provisions of Rule 13a-15(a). The SEC accepted Blackbaud’s settlement offer, which included a cease-and-desist order and a $3 million civil monetary penalty. We note that this amount is three times the penalty assessed against another public company in a similar 2021 case.

The settlement underscores both the perils for public companies that make incomplete investor disclosures about cybersecurity events and the challenges that U.S.-listed companies will face when the SEC adopts its proposed rules on cybersecurity disclosure, which the agency has reported may come as soon as April 2023. The SEC has identified cybersecurity as an enforcement priority and has recently been increasing attorney staffing in its specialized enforcement unit that targets cybersecurity and cryptocurrency frauds. The agency has also been making increased use of enforcement cases to demonstrate market failures that necessitate rulemaking, in support of its ambitious rulemaking agenda, and more such SEC enforcement cases can be expected.
