Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
As described in the SEC Order, Blackbaud provides software used by non-profits to “manage data about their donors, including identifying information, donation history, and financial information”; that is, central to its business is software that “managed sensitive financial and personal data.” In mid-May 2020, the SEC alleged, Blackbaud’s tech personnel detected unauthorized access to the company’s systems and found messages demanding a ransom, claiming that the attacker had exfiltrated customer data. It turned out to be over a million files. After an investigation conducted in consultation with a third-party cybersecurity firm and communications with the attacker, the Order claimed, the company paid a ransom in exchange for the attacker’s promise to delete the exfiltrated data. The company identified which products and customers were affected—over 13,000—but, the SEC alleged, did not have the content of any of the exfiltrated files analyzed.
In mid-July, according to the Order, the company announced the breach on its website and notified the affected customers, stating, in both cases—without having analyzed the content of the files—that “[t]he cybercriminal did not access . . . bank account information, or social security numbers.” Following the announcement and notice, the SEC claimed, Blackbaud received over a thousand communications from customers, many raising concerns about unencrypted sensitive data—including social security numbers and bank account information—that had been provided. As a result, the SEC alleged, company personnel conducted further analyses and, by the end of July 2020, confirmed that, for some donors, bank account information and social security numbers had been exfiltrated by the attacker. Of course, that was not consistent with the information disclosed by the company in mid-July. However, the SEC alleged, “the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.”
As a result, according to the Order, on analyst calls at the end of July, the company responded to cybersecurity-related questions but did not answer questions about the nature of the data impacted. And, in its Form 10-Q filed August 4, the company’s discussion of the scope of the incident stated “only that ‘the cybercriminal removed a copy of a subset of data.’ In that discussion, the company made no reference to the attacker removing any sensitive donor data, and in particular made no mention of the exfiltration of donor social security numbers and bank account numbers.” The SEC viewed this omission as material, observing that the information conflicted with “the company’s unequivocal, and ultimately erroneous claims in the July 16, 2020 website post and customer notices.” In addition, even though the breach was disclosed in the Form 10-Q, the company’s cybersecurity risk factor in the same 10-Q—which specifically referred to the possible adverse effects of a cyberattack that “results in customer or donor personal or payment card data being obtained by unauthorized persons”—was framed in the hypothetical, omitting the “material fact that such customer or donor personal data was exfiltrated by the attacker.” The SEC viewed these statements as misleading “because they perpetuated the false impression, started with the company’s earlier website post and customer notices, that the incident did not result in the attacker accessing highly sensitive donor data—data at the core of the company’s business as a service provider helping institutions manage donor relationships—when in fact the company’s personnel learned before August 4, 2020 that such data had been accessed and exfiltrated by the attacker.” Throughout this period, the company also sold shares pursuant to a registration statement on Form S-8.
In addition, the SEC alleged that, although Blackbaud’s primary business included providing software that managed sensitive financial and personal data, it did not have disclosure controls and procedures designed to ensure that information relevant to cybersecurity incidents and risks, including incidents involving the exposure of sensitive donor information, was communicated to the company’s senior management and other disclosure personnel. As a result, the SEC claimed, “relevant information related to the incident was never assessed from a disclosure perspective.”
Only at the end of September did the company file a Form 8-K acknowledging that the attacker may have accessed sensitive donor data (social security numbers, bank account information, passwords) and send supplemental notices to affected customers.
The SEC charged Blackbaud with securities fraud in violation of Sections 17(a)(2) and (3) of the Securities Act (which do not require scienter) and with filing misleading periodic reports in violation of Section 13(a) of the Exchange Act and Rules 13a-13 and 12b-20 thereunder. The SEC also charged that the company violated the disclosure controls and procedures provisions of Exchange Act Rule 13a-15(a). In settlement, the company agreed to pay a civil penalty of $3 million.
There have been a number of cases involving inadequate disclosure controls and risk disclosures presented as hypothetical when those risks have actually come to fruition—a presentation that has now repeatedly drawn scrutiny in the context of cybersecurity disclosure. For example, in 2021, the SEC announced settled charges against Pearson plc, an NYSE-listed educational publishing and services company based in London, for failure to disclose a cybersecurity breach involving exfiltration of private data and failure to maintain adequate disclosure controls and procedures. Pearson elected not to disclose the breach and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. (See this PubCo post.) Just a few months earlier, the SEC brought charges against First American Financial Corporation for failure to timely disclose a cybersecurity vulnerability. When the company was advised of the vulnerability, it issued a public statement and, on the next trading day, furnished a Form 8-K to the SEC. However, as it turned out, the company’s information security personnel had already identified the vulnerability about five months earlier, but failed to remediate it in accordance with the company’s policies. They also failed to apprise senior executives about the report, including those responsible for making public statements, even though the information would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” There were no charges of securities fraud; the company was found to have violated only the requirement to maintain disclosure controls and procedures and was ordered to pay a penalty of almost half a million dollars. (See this PubCo post.) Sense a pattern here?
The SEC’s 2018 guidance on cybersecurity disclosure addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. In determining whether disclosure regarding cybersecurity risks and incidents is necessary, “companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” But how is “materiality” assessed in the context of cybersecurity? The SEC noted that the Basic v. Levinson probability/magnitude test is still a relevant part of the analysis. The SEC also advised that “materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.” In that regard, the SEC noted that compromised information “might include personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.” Materiality “also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” (For more information about the SEC guidance, see this PubCo post and this Cooley Alert.)
In March 2022, the SEC proposed rule amendments to enhance issuer disclosures regarding cybersecurity risk governance. According to then-Corp Fin Director Renee Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. Under the proposal, companies would be required to disclose material cybersecurity incidents on Form 8-K within four business days after they have determined that they have experienced a material cybersecurity incident. In addition, the proposal would require disclosure in periodic reports of policies and procedures to identify and manage cybersecurity risk, including the impact of cybersecurity risks on strategy; management’s role and expertise in implementing the company’s cybersecurity policies, procedures and strategies; and the board’s oversight role and cybersecurity expertise, if any. (See this PubCo post.) The SEC has targeted April 2023 for final action on the proposal.