
SEC fines company $3 million for cybersecurity disclosure failures

Failing to fully disclose cybersecurity breaches can cost companies big.

Yuichiro Chino/Getty Images


News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

The SEC has fined a South Carolina tech company $3 million for making “misleading disclosures” about a 2020 ransomware attack.

When Blackbaud announced in July 2020 that it had suffered a ransomware attack, the public company, which offers donor management software to nonprofits, said that it had paid a ransom, and that the breach did not include users’ sensitive financial data, according to the SEC.

However, several days after the announcement, the SEC said, some Blackbaud staff discovered that the attacker had “accessed and exfiltrated” sensitive information, including donor bank account information and Social Security numbers, affecting more than 13,000 accounts, but did not tell the senior management in charge of public disclosures “because the company failed to maintain disclosure controls and procedures.”

As a result, the company then failed to include “this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical,” in its August 2020 quarterly report, according to the SEC.

“Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, in a press release. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

Blackbaud has not admitted or denied the SEC’s findings, but agreed to pay the $3 million fine and “cease and desist from committing violations” of the same kind.

Public companies will most likely soon have to prioritize cybersecurity even further, and in new ways. Blackbaud’s fine comes amid an SEC push for public companies to ramp up their cybersecurity preparedness and disclosure efforts. New cybersecurity disclosure rules are expected to be finalized next month.—DA
