A recent significant enforcement action brought by the U.S. Securities and Exchange Commission against Blackbaud Inc. highlights the importance of public companies maintaining disclosure controls and procedures relating to cybersecurity incidents.
Blackbaud is a South Carolina-based publicly traded company that provides donor relationship management software to various nonprofit organizations, including charities, higher education institutions, and religious and cultural organizations.
As a provider of donor relationship software, Blackbaud maintains highly sensitive personal donor information on its computer systems.
On March 9, the SEC issued an administrative order finding that Blackbaud violated the anti-fraud provisions of the Securities Act and other provisions of the securities laws requiring public companies to maintain adequate controls and procedures to ensure timely and accurate reporting of cybersecurity incidents. The commission also imposed a $3 million civil monetary penalty.
According to the SEC’s order, Blackbaud’s violations included:
- Failing to undertake a timely and fulsome investigation of a cybersecurity incident consisting of the…