{"id":2502,"date":"2023-03-29T07:23:58","date_gmt":"2023-03-29T11:23:58","guid":{"rendered":"https:\/\/seci.wpenginepowered.com\/?p=2502"},"modified":"2023-03-29T07:24:03","modified_gmt":"2023-03-29T11:24:03","slug":"yet-another-cybersecurity-disclosure-enforcement-case","status":"publish","type":"post","link":"https:\/\/seciblog.pli.edu\/index.php\/yet-another-cybersecurity-disclosure-enforcement-case\/","title":{"rendered":"<strong>Yet Another Cybersecurity Disclosure Enforcement Case<\/strong>"},"content":{"rendered":"<p>On March 9, 2023, the <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2023-48\">SEC announced<\/a> its latest enforcement case involving disclosure controls and procedures over cybersecurity breaches.\u00a0 You can read about earlier cases and find background about the SEC\u2019s cybersecurity guidance <a href=\"https:\/\/seciblog.pli.edu\/yet-another-cybersecurity-and-disclosure-controls-and-procedures-enforcement\/\">in this blog post<\/a>.<\/p>\n<p>In this latest case, Blackbaud, a software developer for not-for-profit organizations, was the victim in a ransomware attack.\u00a0 According to the <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2023-48\">SEC\u2019s Press Release<\/a>:<\/p>\n<p style=\"padding-left: 40px;\">\u201c\u2026 on July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers. 
Within days of these statements, however, the company\u2019s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information.\u201d<\/p>\n<p>Although members of Blackbaud\u2019s staff were aware that bank account information and social security numbers had been stolen, according to the <a href=\"https:\/\/www.sec.gov\/litigation\/complaints\/2023\/comp-pr2023-48.pdf\">SEC\u2019s Order<\/a>:<\/p>\n<p style=\"padding-left: 40px;\">\u201c\u2026 the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud\u2019s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.\u201d<\/p>\n<p>As a result, the company failed to disclose the impact of the attack on a timely basis.\u00a0 The company paid a $3 million fine.<\/p>\n<p>This is not a new enforcement area.\u00a0 In 2011, CorpFin addressed the need for disclosure controls and procedures over cybersecurity risks in <a href=\"https:\/\/www.sec.gov\/divisions\/corpfin\/guidance\/cfguidance-topic2.htm\">Disclosure Guidance Topic 2<\/a>.\u00a0 The Commission reinforced and expanded this discussion in its 2018 <a href=\"https:\/\/www.sec.gov\/rules\/interp\/2018\/33-10459.pdf\">Cybersecurity Release<\/a>.\u00a0 As a reminder, disclosure controls and procedures are defined in <a href=\"https:\/\/www.ecfr.gov\/current\/title-17\/chapter-II\/part-240\/subject-group-ECFR03b318d46549873\/section-240.13a-15\">Exchange Act Rule 13a-15<\/a>:<\/p>\n<p style=\"padding-left: 40px;\">For purposes of this section, the term\u00a0<em>disclosure controls and procedures<\/em>\u00a0means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Act (<a href=\"https:\/\/www.govinfo.gov\/link\/uscode\/15\/78a\">15 
U.S.C. 78a<\/a>\u00a0<em>et seq.<\/em>) is recorded, processed, summarized and reported, within the time periods specified in the Commission&#8217;s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer&#8217;s management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.<\/p>\n<p>As always, your thoughts and comments are welcome!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On March 9, 2023, the SEC announced its latest enforcement case involving disclosure controls and procedures over cybersecurity breaches.\u00a0 You can read about earlier cases and find background about the SEC\u2019s cybersecurity guidance in this blog post. 
In this latest case, Blackbaud, a software developer for not-for-profit organizations, was the victim in a ransomware attack.\u00a0 &hellip; <a href=\"https:\/\/seciblog.pli.edu\/index.php\/yet-another-cybersecurity-disclosure-enforcement-case\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\"><strong>Yet Another Cybersecurity Disclosure Enforcement Case<\/strong><\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[143],"tags":[],"coauthors":[154],"class_list":["post-2502","post","type-post","status-publish","format-standard","hentry","category-hot-topic"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/comments?post=2502"}],"version-history":[{"count":0,"href":"https:\/\/seciblog.pli.edu\/
index.php\/wp-json\/wp\/v2\/posts\/2502\/revisions"}],"wp:attachment":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/media?parent=2502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/categories?post=2502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/tags?post=2502"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/coauthors?post=2502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}