On March 9, 2023, the SEC announced its latest enforcement case involving disclosure controls and procedures over cybersecurity breaches. You can read about earlier cases and find background about the SEC’s cybersecurity guidance in this blog post.
In this latest case, Blackbaud, a software developer for not-for-profit organizations, was the victim of a ransomware attack. According to the SEC’s Press Release:
“… on July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers. Within days of these statements, however, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information.”
Although members of Blackbaud’s staff were aware that bank account information and social security numbers had been stolen, according to the SEC’s Order:
“… the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.”
As a result, the company failed to disclose the impact of the attack on a timely basis. The company paid a $3 million fine.
This is not a new enforcement area. In 2011, CorpFin addressed the need for disclosure controls and procedures over cybersecurity risks in Disclosure Guidance Topic 2. The Commission reinforced and expanded this discussion in its 2018 Cybersecurity Release. As a reminder, disclosure controls and procedures are defined in Exchange Act Rule 13a-15:
For purposes of this section, the term disclosure controls and procedures means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Act (15 U.S.C. 78a et seq.) is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer’s management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.
As always, your thoughts and comments are welcome!