(Reuters) — Software company Blackbaud Inc. has agreed to pay $3 million to settle allegations it made misleading disclosures about a 2020 ransomware attack that affected more than 13,000 customers, the U.S. Securities and Exchange Commission said on Thursday.
In July 2020, the South Carolina-based provider of donor data management software disclosed a ransomware attack and said the attacker did not have access to bank account information or social security numbers for donors, the SEC said.
“Within days” of those disclosures, some company employees learned that the attacker had accessed and taken that information, but the employees did not tell senior managers responsible for disclosure because the company failed to maintain controls and procedures for disclosure, the SEC said.
In August 2020, the SEC said, Blackbaud filed a quarterly report with the agency that omitted material information about the scope of the attack.
Representatives for Blackbaud, which did not acknowledge or deny the SEC's findings, did not immediately respond to a request for comment.
The regulator has pushed public companies and registered entities to make more timely and specific disclosures about cyber attacks.
The SEC will unveil an effort next week to scrutinize how broker-dealers and others manage the risk of hacking and respond to the theft of customer data, continuing a regulatory push for cybersecurity in the financial sector.