On 9 March 2023, the SEC issued a statement announcing that it had come to an agreement with software company Blackbaud to settle charges for making misleading disclosures about a ransomware attack in 2020 in which criminals stole files on 13,000 of the company’s customers. So what? I hear you say – not a shipping company, different risks. Not really – and here’s why.
1. This is just the start: SEC now, class actions tomorrow. Although the SEC settlement was $3m, in 2022 the company set aside $23m ‘in aggregate liabilities for loss contingencies’ relating to the ‘Security Incident’. Additionally, the company discloses that it incurred a pre-tax expense of $32.7m (net cash outlay of $20.9m) on legal fees in 2022 and estimates a further $30m in 2023. The company posted a loss of $45m in 2022. There are 19 class action lawsuits pending in the US and Canada. There is no mention of the quantum of the ransom the company paid, although it did confirm it had paid a ransom.
2. This stuff takes a long time to deal with: the Blackbaud breach was 3 years ago, and the repercussions, particularly legal, will continue to reverberate for months (if not years) yet. Breaches are a very effective thief of management time. Although revenue has increased, the company posted a loss in 2022, and its share price has remained depressed.
3. Prompt disclosure is vital: the SEC are tightening up the rules for listed companies – plans need to be drawn up, tested and operational to deal with breaches, including notifying regulators within 96 hours. You can no longer cover this up, or pretend it has not happened.
4. Breaches are incredibly expensive compared to the cost of prevention. While the detail of the exploit that undid the company remains unclear, it is unlikely that the remediation measures that would have prevented the breach would have cost the company as much as the massive effort in place since (including dealing with the vulnerability that the breach exploited).
For our clients, particularly the listed ones, there are some important lessons here.
– The cost of the ransom is dwarfed by the cost of the post-breach rear-guard action: reputational repair, legal work and technical remediation.
– The cost of patching / upgrading systems pre-breach will almost always be less than unplanned emergency upgrades post-breach.
– Contingency plans need to be tested, and leadership involved in the planning and exercising of plans firm-wide.
– You can’t protect something you cannot see – make sure your asset inventories are up to date and that you can feel the pulse of your network in ‘normal times’.
– It’s not just about being made to sit in the corner with a dunce’s hat on. This is about respecting your business, your shareholders and bond-holders, your customers, staff and regulators that you take this stuff seriously.
As with any cyber issue, please feel free to contact us.