Covington Discusses SEC’s Focus on Cybersecurity Incident Disclosure

On March 9, 2023, the Securities and Exchange Commission (the “SEC”) Enforcement Division’s Crypto Assets and Cyber Unit announced a settlement with Blackbaud, Inc. involving allegations of inadequate disclosure controls and procedures and material misstatements and omissions concerning a 2020 cybersecurity incident. Blackbaud, a South Carolina-based public company that provides donor data management software to non-profit organizations, agreed to pay a $3 million civil penalty to settle charges that it failed to maintain disclosure controls and procedures and misled investors in its quarterly report on Form 10-Q about the 2020 ransomware incident that affected information from over 13,000 of its customers.

The SEC’s Order in the Blackbaud matter highlights the SEC staff’s continuing scrutiny of public companies’ disclosures, and disclosure controls and procedures, regarding material cybersecurity incidents. This focus also is reflected in the SEC’s March 2022 rule proposal that would require public companies to provide real-time disclosures on Form 8-K about material cybersecurity incidents and increased information about their cybersecurity risk management and strategy, among other items. The SEC’s rulemaking agenda indicates that the SEC could consider adopting a final rule as early as April 2023. Please refer to our prior alert for an in-depth discussion of this proposal.

The Blackbaud Order serves as a reminder of the risks of making an inaccurate disclosure, or failing to update a prior disclosure, as an investigation into a cyber incident progresses. Public companies should carefully review their disclosure policies and procedures to ensure that cybersecurity incidents are accurately and quickly reported to management, with appropriate updates as an investigation into an incident unfolds, so that disclosure obligations can be properly considered.

Background

According to the Blackbaud Order, on May 14, 2020, Blackbaud’s technology personnel detected unauthorized access to the company’s systems, as well as a message from an attacker demanding payment in exchange for deleting exfiltrated customer data. The Order alleges that by mid-July 2020, Blackbaud understood that the attacker had exfiltrated at least one million files, and the company had reviewed the file names to determine which products and customers were affected. However, the Order states that the company did not analyze the content of any of the files, which would have revealed the extent of the customer information that had been affected.

On July 16, 2020, Blackbaud publicly announced the incident and contacted affected customers, stating that the attacker did not access bank account information or Social Security numbers. By the end of July 2020, the Order alleges that company personnel learned that the attacker had, in fact, accessed unencrypted bank account information and Social Security numbers. However, the personnel with this information did not communicate it to Blackbaud’s senior management responsible for disclosures.

As a result, on August 4, 2020, Blackbaud filed its Form 10-Q for the second fiscal quarter of 2020, which omitted the fact that a number of customers had unencrypted bank account and Social Security numbers exfiltrated in the attack. Additionally, the Form 10-Q risk factors described as “hypothetical” a risk that customer data could be accessed in a cybersecurity incident. At the end of September 2020, the company publicly disclosed for the first time that the attacker had accessed unencrypted donor bank account information and Social Security numbers for certain impacted customers.

Disclosure Controls and Procedures

Rule 13a-15(a) of the Securities Exchange Act of 1934 (the “Exchange Act”) requires every issuer to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or furnishes pursuant to the Exchange Act is recorded, processed, summarized, and reported, within the time period specified in the SEC’s rules and forms.

The Order emphasized that while Blackbaud is in the business of providing software that allows its customers to manage sensitive data, the company “did not have disclosure controls and procedures related to the disclosure of cybersecurity risks or incidents, including incidents involving the exposure of sensitive donor information.” Due to the failure to escalate relevant information about the incident, the Order noted that information related to the incident was not assessed from a disclosure perspective and was not timely communicated to the company’s senior management and other disclosure personnel. This lapse in communication was a key component of the finding that the company had inadequate disclosure controls and procedures.

Material Misstatements and Omissions

The SEC also found that Blackbaud’s August 4, 2020 Form 10-Q omitted the material fact that the cyber attacker had exfiltrated customers’ unencrypted bank account and Social Security numbers, in contrast to the company’s unequivocal, and ultimately erroneous, claims in its July 16, 2020 announcement and subsequent customer notices. The Order concluded that this omission rendered the statements about the incident in the Form 10-Q materially misleading because they perpetuated the false impression that the incident did not result in the attacker accessing “highly sensitive donor data”—data which, the Order notes, is at the core of the company’s business—when in fact the company’s personnel learned before August 4, 2020, that such data had been accessed and exfiltrated by the attacker.

The Order also focused on the company’s cybersecurity risk factor, which spoke of the “hypothetical” risk of a cybersecurity incident affecting sensitive customer data, which the Order characterized as “misleading.” The Order noted that the risk factor omitted the material fact that such data had actually been exfiltrated by the attacker, which meant that the risks of such an attack on the company’s business were no longer hypothetical.

Notably, at the time of these misstatements, Blackbaud offered and sold stock to its employees through an equity and incentive compensation plan. As a result of this ongoing offering of securities, the Commission also determined that Blackbaud’s material misstatements and omissions violated the antifraud provisions of Section 17(a) of the Securities Act of 1933, which makes it unlawful to offer or sell securities by means of any untrue statement of a material fact or any omission to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading.

Takeaways

In light of the SEC’s ongoing focus on the adequacy of cybersecurity incident disclosures, public companies should consider:

  • assessing cybersecurity incident response planning and preparedness, including whether they contain clearly defined escalation procedures to senior management and disclosure personnel;
  • the adequacy of disclosure controls and procedures with respect to cybersecurity incidents, including procedures for assessing the need to update prior disclosures;
  • the need to ensure that public statements about cybersecurity incidents, both in periodic reports and in connection with pending and ongoing securities offerings, are accurate, complete, and timely; and
  • developing and executing cross-functional tabletop simulations that include testing escalations, disclosure controls and procedures, and communications.

This post comes to us from Covington & Burling LLP. It is based on the firm’s memorandum, “SEC’s Continued Focus on Cybersecurity Incident Disclosures,” dated March 14, 2023, and available here.