Blackbaud to pay $3 million settlement to SEC over ‘misleading’ ransomware disclosure

The Securities and Exchange Commission has reached a $3 million settlement with data management company Blackbaud over charges that it misled investors about a 2020 ransomware attack that affected more than 13,000 of the company’s customers.

On July 16, 2020, Blackbaud announced that ransomware attackers had not gained access to donor bank account information or Social Security numbers. This proved to be false.

When the company’s IT staff realized the error days after the first statement was released, they did not inform senior management. The company also did not disclose this information in its quarterly report to the SEC the following month.

The SEC said the company not only left out information about the attack but also “misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.”

David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, reminded public companies they have an obligation to provide their investors with accurate and timely material information.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” he said.

The move is a significant step towards holding companies who fail to properly disclose cyberattacks to account.

“This is the first time I can recall the SEC taking action in relation to a ransomware disclosure, and it’s an important step,” said Emsisoft threat analyst Brett Callow.

“Too many organizations make wooly or misleading disclosures — or no disclosure at all — and that hampers counter-ransomware efforts.”

While this is the first known action by the agency related to ransomware attacks, it has issued fines following cyberattacks. Educational publishing company Pearson paid a $1 million fine in 2021 after knowingly misleading investors about a 2018 cyberattack.

Pearson did not disclose the cyberattack until contacted by news outlets and tried to downplay it in public comments.

Two months before the Pearson fine, real estate settlement service provider First American Financial Corporation paid a penalty of about a half-million dollars in 2021 for similarly failing to notify customers of a wide ranging breach.

Recorded Future ransomware expert Allan Liska noted that the SEC changed its rules in 2021, saying it would investigate companies that failed to accurately report cyberattacks involving customer information.

Liska said he expects more fines like this in the future, explaining that “as long the government continues to signal that they are taking cybercrime reporting seriously, the SEC will follow suit.”

He added that companies typically use legal jargon to get out of fully reporting the facts about a cyberattack or ransomware incident.

But outright lying — as what was alleged in Blackbaud’s case — is rarely done, he said.

“Not just because of SEC concerns, but if you lie in your SEC filings you open yourself up to a lay up of a class action lawsuit from investors,” he said.

The SEC’s order found that Blackbaud violated several sections of the Securities Act of 1933 and the Securities Exchange Act of 1934, but allowed Blackbaud to settle the claims without admitting or denying the allegations.

In addition to the $3 million fine, Blackbaud agreed to “cease and desist from committing violations of these provisions.”