On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1] This is the fourth settled SEC enforcement action concerning disclosures following a cyberattack.[2] This development highlights the increased regulatory scrutiny that public companies face in connection with cyberattacks and may foreshadow how aggressively the SEC will enforce its upcoming revised rules on cybersecurity incident disclosures.
The SEC’s Enforcement Action
Blackbaud provides software to non-profit organizations for managing data about their donors, including personal identifying information, donation history, and other financial information.[3] On May 14, 2020, the Company discovered a ransomware attack on its systems.[4] As is typical in these incidents, Blackbaud received messages from the attacker claiming to have exfiltrated data concerning the Company’s customers and demanding payment.[5] Blackbaud hired a third-party vendor to communicate with the attacker and coordinate a ransom payment in exchange for the attacker’s promise to delete the exfiltrated data.[6]
On July 16, 2020, Blackbaud announced the incident on the Company’s website and notified the impacted customers, claiming that the attacker did not access any donor bank account information or social security numbers.[7] According to the SEC, prior to this statement, neither the Company nor its third-party vendors had analyzed the content of the exfiltrated files; instead, they had only analyzed file names.[8] Within days of the July statement, Blackbaud began to receive communications from concerned customers, as customers had uploaded sensitive data to Blackbaud that was not encrypted.[9] By July 21, Blackbaud customer service personnel were using a script acknowledging that certain attachments and fields containing sensitive data were, in fact, not encrypted.[10] In light of the customer communications, Company personnel investigating the incident conducted further analysis, and by the end of July, learned that the claims made in the July 16 announcement were untrue, according to the SEC.[11] The SEC alleged that, in fact, the attack resulted in the unauthorized access and exfiltration of over one million files concerning approximately 13,000—roughly one-quarter—of the Company’s customers.[12]
As alleged, the Company’s personnel who learned this information through the investigation did not update the senior management responsible for the Company’s disclosures, nor did Blackbaud have policies or procedures in place designed to ensure that they did so.[13] The SEC further alleged that, on August 4, Blackbaud filed a Form 10-Q that discussed the incident while omitting material information about the scope of the attack – including that bank account information and social security numbers had in fact been impacted for certain customers – and misleadingly characterizing the risk of exfiltration of sensitive data as hypothetical.[14] At the end of September 2020, Blackbaud disclosed for the first time, in a Form 8-K, that the attacker had accessed the unencrypted donor bank account information as well as social security numbers of certain impacted customers.[15] Around the same time, Blackbaud sent supplemental notices to customers whom Blackbaud believed had sensitive donor information accessed and exfiltrated.[16]
As a result of the above, the SEC found that Blackbaud violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and other statutory sections and SEC rules prohibiting misleading disclosures, as well as Exchange Act Rule 13a-15(a), which requires issuers to maintain effective disclosure controls and procedures.[17] Blackbaud was ordered to cease and desist from committing or causing any violations of the above-referenced rules as well as to pay a civil money penalty in the amount of $3 million.[18] The Company neither admitted nor denied the allegations.
Blackbaud also continues to face civil litigation by its customers, stemming from the same cyberattack.[19]
Key Takeaways
- Both this action and prior settled ones highlight the importance of ensuring that company personnel responsible for disclosure are informed and kept updated about potentially material incidents, including by ensuring such controls are integrated into the company’s incident response plan.[20] According to the SEC, the Company’s disclosure failure was a direct result of a failure of communication between the team investigating the ransomware attack and those responsible for disclosure.[21] The SEC has repeatedly emphasized that “[c]ompanies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity.”[22]
- It is also critical that, if a company makes a disclosure about an incident, it stay vigilant about any need to promptly update the disclosure if potentially material different facts are uncovered by subsequent investigation. Failure to do so quickly risks second-guessing by enforcement agencies and courts, as was the case here, where the SEC took issue with the Company taking approximately two and a half months to update its initial disclosure about whether data had been exfiltrated.[23] Again, this is consistent with the SEC’s prior guidance that “[c]ompanies should consider whether they need to revisit or refresh previous disclosure, including during the process of investigating a cybersecurity incident.”[24]
- In light of the SEC’s proposed revised cybersecurity disclosure rules, which are slated to be finalized in April, we expect the SEC to continue to actively investigate cybersecurity-related disclosures.[25] As we previously discussed here, the proposed rules released last year impose various new requirements, including the disclosure of: (i) material cybersecurity incidents within four days after a registrant determines that it experienced such an incident; (ii) a company’s cybersecurity policies and procedures and governance; and (iii) cybersecurity expertise of board members. Regardless of the shape of the final rules, it is clear that the SEC will continue to actively investigate and prosecute cyber disclosure cases, particularly in areas where it has given public guidance, such as the importance of implementing effective disclosure controls and updating public statements when new facts emerge during the course of an incident response.[26]
[1] In the Matter of Blackbaud, Inc., Securities Act Release No. 11165, Exchange Act Release No. 97098 (Mar. 9, 2023) (cease and desist orders), https://www.sec.gov/litigation/complaints/2023/comp-pr2023-48.pdf.
[2] The other three settled actions in this space are: In the Matter of Altaba Inc., f/d/b/a YAHOO! Inc., Securities Act Release No. 10485, Exchange Act Release No. 83096 (Apr. 24, 2018) (cease and desist orders), https://www.sec.gov/litigation/admin/2018/33-10485.pdf; In the Matter of First Am. Fin. Corp., Securities Act Release No. 92176 (June 14, 2021) (cease and desist orders), https://www.sec.gov/litigation/admin/2021/34-92176.pdf; In the Matter of Pearson plc., Securities Act Release No. 10963, Exchange Act Release No. 92676 (Aug. 16, 2021) (cease and desist orders), https://www.sec.gov/litigation/admin/2021/33-10963.pdf.
[3] Id. at 2.
[4] Id.
[5] Id. at 2–3.
[6] Id. at 3.
[7] Id. at 2.
[8] Id. at 3.
[9] Id.
[10] Id.
[11] Id.
[12] Id.
[13] Id. at 2–3.
[14] Id. at 2, 4; Blackbaud, Inc., Quarterly Report (Form 10-Q) (Aug. 4, 2020) (“A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties.”).
[15] In re Blackbaud, Inc., supra note 1, at 2; Blackbaud, Inc., Current Report (Form 8-K) (Sept. 29, 2020) (“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.”).
[16] In re Blackbaud, Inc., supra note 1, at 4.
[17] Id. at 5–6.
[18] Id. at 6.
[19] In re Blackbaud Inc., Customer Data Sec. Breach Litig., No. 3:20-mn-02972 (D.S.C.).
[20] Similarly, “First American did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data” and was also charged with violating Exchange Act Rule 13a-15(a). In the Matter of First Am. Fin. Corp., supra note 2, at 2.
[21] The SEC came to a similar conclusion as well in First American, in which, due to a lack of disclosure controls, senior executives approving the company’s disclosures “lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk from the vulnerability [associated with the company’s application].” Id. at 6.
[22] “Comm’n Statement and Guidance on Pub. Co. Cybersecurity Disclosures”, Release Nos. 33-10459, 34-82746, Federal Register, 6-7 (Feb. 21, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf.
[23] In Altaba, the company took approximately two years to disclose a data breach rendering SEC filings during that time “materially misleading in that they claimed the company only faced the risk of potential future data breaches.” See In the Matter of Altaba Inc., f/d/b/a YAHOO! Inc., supra note 2, at 2. Similarly, in Pearson, the company only disclosed a data breach following a media inquiry – after it had known about the breach for approximately four months – and understated its scope, including by characterizing the exfiltration of certain types of information as hypothetical when Pearson already knew that such data had been exfiltrated. In the Matter of Pearson plc., supra note 2.
[24] Comm’n Statement, supra note 22.
[25] In fact, on March 15, 2023, the SEC issued proposed rules to address the cybersecurity risks faced by “market entities,” including broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents. See “Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents,” Release No. 34-97142 (Mar. 15, 2023), https://www.sec.gov/rules/proposed/2023/34-97142.pdf.
[26] For additional details, see our February 2018 alert memo here.