Just ahead of the expected April release of the final SEC cybersecurity regulations, the SEC has fined Blackbaud, a donor data management platform used widely by nonprofits, $3 million dollars for "misleading disclosures" in connection with a 2020 ransomware attack that impacted more than 13,000 customers.

Blackbaud told customers the incident did not compromise bank account information and Social Security numbers when, according to the SEC, security and communications personnel knew the information was accessed and did not communicate that information to senior management. Absent the critical information, senior management responsible for disclosure left the full disclosure out of its quarterly report and, according to the SEC, "misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical."

Not all data breaches -- ransomware attacks or otherwise -- rise to the level of materiality that could trigger a disclosure in SEC reporting. However, disclosure controls and procedures should certainly have pushed the accurate information about the compromise of personal information up the chain for such analysis and could have saved Blackbaud a tidy sum of money.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.