Another Cyber Disclosure Sanction

Words matter in SEC filings. The Securities and Exchange Commission gave us another example of that point recently when it fined a technology company $3 million for misleading disclosures about a ransomware attack the company had suffered — and the confusion arose from how the company used the word “could.” 

The company in question is Blackbaud Inc., a South Carolina business that sells software to charities, schools, churches, healthcare organizations, and other nonprofits, to help those organizations manage relations with their donors. Blackbaud trades on Nasdaq and did $1.06 billion in revenue in 2022. 

So what happened? As described in a settlement order the SEC announced last week, Blackbaud suffered a ransomware attack in May 2020. IT personnel found messages from the attacker in the company’s software systems, claiming to have stolen data about Blackbaud’s customers and demanding a ransom payment. 

The IT personnel investigated, and by July 2020 they concluded that the attacker had stolen at least 1 million files. The company then disclosed the breach to the public, releasing a notice that “the cybercriminal did not access … bank account information, or Social Security numbers.”

Except, by the end of that month, IT investigators determined that actually the attacker had accessed donor bank account information and Social Security numbers for some number of customers. Still, the company neglected to disclose that fact in its next 10-Q filing, which arrived on Aug. 4, 2020. The filing only said that the cybercriminal “removed a copy of a subset of data,” with no mention of bank account numbers, Social Security numbers, or any other sensitive data. 

Then came this discussion of cybersecurity risk, emphasis added by the SEC:

A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties.

See what happened there? By using the word “could,” Blackbaud framed its cybersecurity risks as purely hypothetical. In fact, the company had already suffered precisely such an attack, which did indeed affect its reputation with customers as well as its operations; the company had been barraged by thousands of customers calling to ask what had happened with their data. 

“Blackbaud failed to disclose the full impact of a ransomware attack, despite its personnel learning that its earlier public statements about the attack were erroneous,” the head of SEC cyber enforcement said in a statement. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

One $3 million civil penalty later (Blackbaud neither admits nor denies the SEC findings, of course), here we are.

The Importance of Disclosure Controls 

An important point here is that while Blackbaud’s IT personnel knew the attack was more serious than the company first understood, they did not pass along that new knowledge to senior executives. Again, quoting the SEC order:

Although the company’s personnel were aware of the unauthorized access and exfiltration of donor bank account numbers and Social Security numbers by the end of July 2020, the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.

So when the 10-Q arrived with that errant “could,” framing the cybersecurity risks as hypothetical, it’s possible that the executives who drafted the disclosure believed that to be the case — when in fact that wasn’t the case, and therefore Blackbaud was misleading investors about the true nature of the company’s cybersecurity risk. 

This was a failure of disclosure controls. A company needs policies, procedures, and training, so that its IT personnel investigating cybersecurity incidents know when and how to communicate with compliance and disclosure personnel typing up the 10-Q and other communications to investors.

The SEC has warned companies about disclosure controls and cybersecurity before, including two enforcement actions in 2021: one against education publisher Pearson for $1 million, the other against title insurance business First American Financial for $488,000. In both cases, at least some IT personnel and management employees knew the true extent of significant cyber breaches, but neglected to pass along that information to disclosure teams compiling SEC filings. 

The SEC has also proposed enhanced standards for disclosure of cybersecurity incidents, which are likely to come up for final adoption sometime this year. Those proposals would demand more specific details about “material cybersecurity events,” and disclosure of those details more quickly. So building strong internal processes to track cyber events and assess their severity is becoming more important than ever. 

And the fines for getting that process wrong seem to be growing larger than ever too.
