Blackbaud Shows SEC Is Serious On Cyber Incident Reporting
Blackbaud is a South Carolina-based publicly traded company that provides donor relationship management software to various nonprofit organizations, including charities, higher education institutions, and religious and cultural organizations.
As a provider of donor relationship software, Blackbaud maintains highly sensitive personal donor information on its computer systems.
On March 9, the SEC issued an administrative order finding that Blackbaud violated the anti-fraud provisions of the Securities Act and other provisions of the securities laws requiring public companies to maintain adequate controls and procedures to ensure timely and accurate reporting of cybersecurity incidents. The commission also imposed a $3 million civil monetary penalty.
According to the SEC's order, Blackbaud's violations included:
- Failing to undertake a timely and fulsome investigation of a cybersecurity incident consisting of the unauthorized access and exfiltration of sensitive customer information;
- Failing to maintain appropriate controls and procedures to ensure that company employees who did finally learn the full extent of the incident would timely communicate that information to senior management responsible for making public disclosures; and
- As a result of these deficiencies, issuing misleading public filings.
The enforcement action came shortly before a proposed new SEC rule to enhance disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies is set to take effect.
The key takeaways from the SEC's action against Blackbaud, as well as the proposed new disclosure rule, are that public companies must, upon learning of a cybersecurity incident, quickly conduct a comprehensive investigation to determine the full scope and impact of the incident and have in place robust controls and procedures to ensure that information regarding the incident is timely communicated to management as necessary to ensure that the issuer's disclosures are truthful and complete.
The Facts of Blackbaud
On July 16, 2020, Blackbaud announced on its website and in notices to customers that it had experienced a cybersecurity incident.
The company had first discovered the cyberattack months earlier, in May, at which time it engaged a third-party cybersecurity vendor to help it investigate the attack.
But neither the company nor the vendor analyzed the content of the files affected by the cyberattack to determine what personal information, if any, had been accessed or exfiltrated.
Nonetheless, both the website post and the customer notices definitively stated that the "cybercriminal did not access ... bank account information, or social security numbers."
During the days following the July 16 public notice of the cyberattack, Blackbaud received numerous communications from customers raising concerns that they had uploaded to Blackbaud sensitive donor data — including Social Security numbers and bank account information — in unencrypted form.
As a result of these customer inquiries, Blackbaud personnel then conducted further analysis of the cyberattack and, by late July 2020, determined that — contrary to the July 16 website posting and notices — donor bank account information and Social Security numbers had, in fact, been accessed and exfiltrated by the cyberattacker.
Public news sources reported that over 100 Blackbaud customers were affected, including at least 20 universities and charities worldwide.
Critically, however, the company personnel who learned of this information in late July 2020 failed to communicate it to Blackbaud's senior management responsible for ensuring the accuracy of the company's SEC filings, and the company did not have policies or procedures in place to ensure that they did so.
As a result, Blackbaud's second quarter Form 10-Q, which was filed on Aug. 4, 2020 — just days after Blackbaud personnel learned that the sensitive data had in fact been accessed and exfiltrated — omitted these material facts.
Moreover, the Form 10-Q went further in framing the possibility that the data had been stolen as a mere hypothetical:
A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others as well as our operations, results of operations, financial condition.
The implication was that the risk of an attack resulting in the exfiltration of customer or donor personal data was merely theoretical and not, as was indeed the case, an established fact.
The Alleged Securities Law Violations
Based upon these facts, the SEC alleged multiple violations of the securities laws by Blackbaud, including:
- Sections 17(a)(2) and (3) of the Securities Act, the general anti-fraud provision of the Securities Act, which does not require unlawful intent, but may rather rest on a finding of mere negligence;
- Section 13(a) of the Securities Exchange Act and Rules 13a-13 and 12b-20, which require registered issuers to file accurate quarterly reports and include in those reports any material information necessary to make the required statements in the filing not misleading; and
- Exchange Act Rule 13a-15(a), which requires issuers such as Blackbaud to maintain "disclosure controls and procedures" designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC's rules and forms.
SEC Means Business on Cybersecurity Incident Reporting
The SEC's action against Blackbaud reflects the commission's increased attention to the need for timely disclosure to investors of the scope and impact of cybersecurity incidents.
The Blackbaud situation is clearly the kind of outcome that the SEC's proposed new rule on cybersecurity incident reporting was meant to prevent.
The proposed rule — which is set to be finalized in April — would require, among other things, registrants to disclose on a Form 8-K information about any material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident.
Per the proposed rule, to the extent known, the disclosure should include:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
- The effect of the incident on the registrant's operations; and
- Whether the registrant has remediated or is currently remediating the incident.
The trigger for this disclosure would be the date when a registrant determines that the cybersecurity incident is material, rather than the date of discovery of the incident.
These requirements, had they been observed by Blackbaud, would have prevented the materially false or misleading statements described in the order.
The fairly modest civil money penalty imposed upon Blackbaud — $3 million for a company with over $1 billion in fiscal year 2022 revenues — likely reflects the unintentional nature of the conduct and the lack of finalized definitive rules governing the reporting of cybersecurity incidents.
Public companies must have policies and procedures in place to ensure that information concerning cybersecurity incidents is not only collected, but also quickly communicated to senior management with the responsibility for making accurate disclosures.
In Blackbaud, the SEC determined that the company was at fault for not making appropriate disclosures in its Aug. 4 Form 10-Q, even though the company had learned only days earlier, in late July, that the sensitive data had been accessed and exfiltrated.
In other words, the disclosure controls and procedures must be such that material information concerning cyberattacks is speedily communicated to senior management. The SEC's new proposed reporting rule will require material cybersecurity incidents to be reported within four business days.
Issuers must exercise particular care in framing statements as definitive versus hypothetical.
In this case, the company was inaccurately definitive in its July 16 public notice, stating that the cybercriminal did not access bank account information or Social Security numbers when it had not investigated whether that was truly the case, and then compounded the inaccuracy by stating tentatively in the Form 10-Q that such access merely "could" adversely affect the company's operations and financial condition.
Although obvious, it is worth a reminder that definitive statements should be reserved for confirmed facts while hypotheticals — e.g., "could" — should only be used when management has no factual basis to believe the hypothetical has already occurred.
Finally, cybersecurity incidents should be thoroughly investigated as quickly as possible once discovered.
In this case, Blackbaud first became aware of the incident in May 2020, two months before making its disclosure, but it did not, upon discovery, conduct a thorough investigation into what data had been accessed and exfiltrated.
As a result, it was only months later, after receiving customer inquiries following the July announcement, that Blackbaud took steps to determine the nature of the data compromised in the cyberattack.
Had Blackbaud undertaken a more fulsome investigation immediately upon discovering the incident — as implicit in the reporting requirements set forth in the SEC's proposed rule — it likely would have been positioned to provide full and accurate information about the incident from the outset.
Republished with permission. This article, "Blackbaud Shows SEC Is Serious On Cyber Incident Reporting," was published by Law360 on March 24, 2023.