$3 Million Lesson On What To Reveal After A Ransomware Attack

The SEC has reached a $3 million settlement with Blackbaud, a client relationship company for non-profits, over allegations that it both dissembled in SEC filings with regard to the fallout from a ransomware attack, and failed to maintain systems that would keep senior management sufficiently apprised regarding the incident. Per the narrative in the SEC Cease and Desist Order, the company’s failure was partly a matter of the right hand not knowing what the left hand was doing, and at least some of what it became liable for would have been avoided with better internal communications.

A posts from law firm Wilmer Hale provides a summary of the settlement and finds that it reflects two recent trends in SEC enforcement. One is to sanction companies for failing to maintain adequate disclosure controls over cyber breaches and other “non-financial matters.” The other is to cite companies that understate the gravity of what has occurred by labeling known risks as “hypothetical.” The Wilmer Hale post provides some key takeaways, with regard to both statements made to the public and statements made in SEC filings. Among them: Keep tabs on the updated findings of the forensic investigators, and make sure your statements remain accurate. -Today’s General Counsel/DR