The cloud computing company Blackbaud has been fined by the US Securities and Exchange Commission (SEC) for failing to properly disclose the scope and impact of a ransomware attack the company suffered in 2020.
The attack caused an estimated loss of $190 million, yet the company's public filings did not give investors an accurate picture of what the attacker had taken, of the resulting financial exposure, or of the risks the incident created. To settle the SEC's charges, Blackbaud agreed to pay a $3 million civil penalty.
What Happened
On May 16 2020, Blackbaud, which provides cloud computing services to nonprofits, educational institutions, healthcare organizations, and companies, suffered a ransomware attack. The attacker had exfiltrated a copy of customer data before being locked out, and Blackbaud paid the ransom in exchange for the attacker's assurance that the stolen copy had been destroyed.
Blackbaud announced the attack publicly in July 2020 and stated that the attacker had not accessed donor bank account information or Social Security numbers. By the end of that month, the company's own technology and customer relations staff had learned that unencrypted bank account and Social Security data had in fact been accessed, but that finding was not passed on to the senior managers responsible for public disclosures. The quarterly report Blackbaud filed with the SEC in August 2020 therefore omitted it and described the risk of an attacker obtaining such sensitive donor data as merely hypothetical.
The SEC investigated and found that Blackbaud had not met its obligations to provide timely, accurate and complete disclosure of its cyber-security risks and incidents in its securities filings, and that its disclosure controls and procedures had failed to ensure that what the company knew about the breach reached the people preparing those filings.
Consequences
As a result of these disclosure violations, the SEC ordered Blackbaud to pay a $3 million penalty and to cease and desist from further violations. Blackbaud settled without admitting or denying the SEC's findings.
In a statement, the SEC said that “companies must not mislead investors by implying that their disclosures are complete when they are not. We will continue to hold companies accountable for their misrepresentations and omissions in their public disclosures, including in disclosures related to cybersecurity incidents.”
The Underlying Risk
The Blackbaud case is a reminder that the damage from a ransomware attack is not limited to the intrusion itself: a breach that is handled badly after the fact can add regulatory penalties to the operational and financial losses. Companies need thorough security measures to protect their data and systems, and they need to be prepared to respond to a breach accurately as well as quickly.
At a bare minimum, companies should have the basic security controls in place to reduce their exposure to attack, including robust access control, encryption of sensitive data at rest, regular patching of systems, and employee security training. Note that the data the Blackbaud attacker reached was unencrypted; encryption of stored customer data would not have prevented the intrusion, but it would have limited what the attacker could use.
Companies must also be prepared to respond quickly and effectively when a breach does occur. That means an incident response plan that covers notifying affected customers and protecting any exposed data, and, just as importantly, a process that gets the investigation's findings about what data was actually accessed to the executives and legal teams who make public and regulatory disclosures. Blackbaud's penalty arose not because it was attacked, but because what its responders knew never reached the people who signed its filings.
Call to Action
It is essential for companies to take security seriously, and to ensure that all stakeholders, from engineers to executives and the board, understand both the risks posed by cyber-attacks and the obligation to report them accurately. Share this article to help raise awareness of the need for all companies to protect themselves against cyber-threats.