$3 Million Lesson On What To Reveal After A Ransomware Attack
March 29, 2023

The SEC has reached a $3 million settlement with Blackbaud, a client relationship company for non-profits, over allegations that it both dissembled in SEC filings with regard to the fallout from a ransomware attack, and failed to maintain systems that would keep senior management sufficiently apprised regarding the incident. Per the narrative in the SEC Cease and Desist Order, the company’s failure was partly a matter of the right hand not knowing what the left hand was doing, and at least some of what it became liable for would have been avoided with better internal communications.
A post from law firm Wilmer Hale provides a summary of the settlement and finds that it reflects two recent trends in SEC enforcement. One is to sanction companies for failing to maintain adequate disclosure controls over cyber breaches and other “non-financial matters.” The other is to cite companies that understate the gravity of what has occurred by labeling known risks as “hypothetical.” The Wilmer Hale post provides some key takeaways, with regard to both statements made to the public and statements made in SEC filings. Among them: Keep tabs on the updated findings of the forensic investigators, and make sure your statements remain accurate. -Today’s General Counsel/DR