$3 Million Lesson On What To Reveal After A Ransomware Attack

March 29, 2023

Retro drawing of 19th century figures - two men. One observes the other, who is holding a newspaper closely in front of his face, his hair standing on end.
Illustration from 19th century.

The SEC has reached a $3 million settlement with Blackbaud, a client relationship company for non-profits, over allegations that it both dissembled in SEC filings with regard to the fallout from a ransomware attack, and failed to maintain systems that would keep senior management sufficiently apprised regarding the incident. Per the narrative in the SEC Cease and Desist Order, the company’s failure was partly a matter of the right hand not knowing what the left hand was doing, and at least some of what it became liable for would have been avoided with better internal communications.

A posts from law firm Wilmer Hale provides a summary of the settlement and finds that it reflects two recent trends in SEC enforcement. One is to sanction companies for failing to maintain adequate disclosure controls over cyber breaches and other “non-financial matters.” The other is to cite companies that understate the gravity of what has occurred by labeling known risks as “hypothetical.” The Wilmer Hale post provides some key takeaways, with regard to both statements made to the public and statements made in SEC filings. Among them: Keep tabs on the updated findings of the forensic investigators, and make sure your statements remain accurate. -Today’s General Counsel/DR

Critical intelligence for general counsel

Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.

Daily Updates

Sign up for our free daily newsletter for the latest news and business legal developments.

Scroll to Top