On March 9, 2023, the Securities and Exchange Commission (SEC) reached a settlement with Blackbaud – a client relationship management (CRM) service provider for nonprofits – over allegations that Blackbaud (i) made materially misleading statements in its securities filings regarding a ransomware attack that it had suffered, and (ii) failed to maintain adequate disclosure controls designed to ensure that information it was required to disclose about the ransomware attack in its securities filings was, in fact, accurately and timely disclosed. The SEC settlement did not allege any intentional misconduct by Blackbaud – which was itself the victim of the ransomware attack – but nevertheless required Blackbaud to pay $3 million in penalties as a result of these violations.
The Blackbaud settlement reflects two recent trends in the SEC’s enforcement cases. First, it is the latest in a series of settlements in which the SEC has sanctioned a company for deficient disclosure controls over non-financial matters (here, cyber breaches) that resulted in important information not being shared with senior management. In this matter, those control deficiencies resulted in inaccurate statements in the company’s securities filings about the nature of the information that had been exfiltrated during the incident.
Second, this settlement reflects the SEC’s continued focus on “hypothetical” risk factors, and in particular, its willingness to sanction companies for disclosures that describe risks as hypothetical in circumstances where the company knows that those risks have, in fact, occurred. In this matter, the SEC focused specifically on a risk factor that referred only to the possibility that sensitive customer information could be exfiltrated, when various personnel at the company in fact knew that this had actually occurred.
We have provided a summary of the key facts and findings in the SEC Cease and Desist Order (“order”), as well as key tips for issuers in light of this settlement. We are happy to answer any additional questions you may have on the topic.
Key Facts and Findings [1]
On May 14, 2020, Blackbaud technology personnel detected unauthorized access to the company’s systems. Blackbaud technology personnel and third-party vendors conducted a review of the incident, and ultimately coordinated payment of ransom in exchange for the attacker’s promise to delete any exfiltrated data.
On July 16, 2020, Blackbaud disclosed the incident on its website, and sent notices to impacted customers. Those disclosures stated that “[t]he cybercriminal did not access . . . bank account information, or social security numbers.” In the days following this disclosure, however, company personnel became aware that—in fact—the attacker had accessed bank account information and social security numbers in unencrypted form. However, the company’s senior management responsible for disclosures were not informed of this update, and the company did not have in place policies and procedures designed to do so.
On August 4, 2020, the company filed a Form 10-Q in which it stated—in reference to the incident—that the “cybercriminal removed a copy of a subset of data.” The disclosure made no reference to the attacker removing any sensitive donor data, and in particular, the removal of social security numbers and bank account numbers. In that same Form 10-Q, the company also stated in its risk factors that a compromise of its data security “that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation . . . as well as our operations . . . .” (emphasis added). The SEC found that both of these disclosures were inaccurate: the first because it was inconsistent with the information learned in late July, and the second because the company knew at this time that such an attack had occurred. [2]
Key Tips for Issuers
- Issuers should ensure that their disclosure controls operate broadly and facilitate the escalation of both financial and non-financial information.
- Issuers should ensure that their disclosure controls continually reassess public statements, in order to ensure that they remain materially accurate and complete. This is especially critical in cyber matters, in which continued forensic investigation can result in updated findings.
- Issuers should ensure that their risk factors appropriately reflect known risks, and that any hypothetical risk factors are considered and reviewed on a regular basis to ensure that the identified risk has not, in fact, occurred.
[1] All facts described here are drawn from the SEC settlement document, to which Blackbaud agreed on a no admit/no deny basis.
[2] The SEC order appears to assume that the hypothetical risk being described is simply the unauthorized access of data. We note that the disclosure could also be read to refer to the (hypothetical) risks that could flow from such an event – i.e., the potential impact on reputation or operations – which are less obviously implicated by the facts identified in the order.