Software provider Blackbaud’s recent data security breach disclosure settlement with the Securities and Exchange Commission highlights the growing regulatory risks faced by U.S. companies with lax cybersecurity measures, according to legal observers.
As part of the settlement, announced earlier this month, Blackbaud agreed to pay $3 million to resolve SEC charges that it made misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers.
The alleged violation was a direct result of a communication breakdown between the team investigating the ransomware attack and those responsible for disclosure, according to the commission.
“It’s a cautionary note of the need to have industry best practices in place,” Kristin Bryan, a cybersecurity partner at Squire Patton Boggs, told CFO Dive.
The settlement underscores both the perils for public companies that make incomplete investor disclosures about data breaches as well as new challenges they will face under cybersecurity regulations the SEC is expected to adopt as soon as next month, according to a March 13 report from law firm Hunton Andrews Kurth.
“The SEC has identified cybersecurity as an enforcement priority, and has recently been increasing attorney staffing in its specialized enforcement unit that targets cybersecurity and cryptocurrency frauds,” the report states.
The SEC has been stepping up its cybersecurity enforcement in recent years to ensure clear cyber risk disclosures and internal controls, with one senior counsel in the Cyber Unit of the SEC Enforcement Division warning in 2021 that there would be more enforcement actions, CFO Dive previously reported.
At the same time, finance leaders appear to be preparing to open their wallets wider to harden their cyber defenses. Global cybersecurity spending is expected to reach $219 billion this year and grow to nearly $300 billion in 2026, according to research firm IDC.
Cybersecurity ranked among the top three challenges faced by finance leaders for the second consecutive quarter, according to a survey released by Grant Thornton in February. Forty-five percent of respondents ranked cybersecurity as a top-three area of focus, a rise of 11 percentage points over the previous quarter.
Blackbaud is a Charleston, South Carolina-based public company that provides donor data management software to non-profit organizations.
The company discovered the ransomware attack in May 2020. The company’s subsequent investigation indicated the attack resulted in the theft of more than 1 million files concerning over 13,000, or roughly a quarter, of the company’s customers, according to the commission.
Two months after discovering the attack, Blackbaud said the attacker didn’t access donor bank account information or social security numbers. Days later, however, the company’s technology and customer relations personnel learned the attacker had in fact accessed and extracted this information.
The employees didn’t communicate this information to senior management responsible for making a public disclosure because the company failed to maintain appropriate controls and procedures, according to the commission. “Due to this failure, in August 2020, the company filed a quarterly report with the SEC that omitted this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical,” the regulator said in a press release issued when the settlement was announced.
Blackbaud violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934, the commission alleged. Without admitting guilt, Blackbaud agreed to cease and desist from committing violations of those provisions and to pay a $3 million civil penalty.
“Companies would be well-served to have protocols in place that identify the immediate steps to be taken in the event of a cybersecurity compromise, which should include involving the individuals who can assess whether there are any disclosure obligations,” attorneys at Norton Rose Fulbright wrote in a report on the case.
Blackbaud CFO Tony Boor said the company is pleased that it was able to resolve the SEC matter.
“Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape,” he said in an emailed statement.