Tag Archives: Alexander Sisto

SEC Delays Proposed Cybersecurity Rules

by Michael T. Borgia, Alexander Sisto, and Patrick J. Austin

From left to right: Michael T. Borgia, Alexander Sisto, and Patrick J. Austin (Photos courtesy of Davis Wright Tremaine LLP)

Proposed rules for public companies, investment advisors, and funds are now expected to be finalized in October 2023 at the earliest

According to its Spring 2023 rulemaking agenda, the U.S. Securities and Exchange Commission (SEC) has delayed issuance of two sets of cybersecurity requirements that previously were expected to be finalized in April 2023. The SEC’s proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies and its proposed rule on Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies now are scheduled to be finalized by October 2023 at the earliest. 

Three other sets of proposed requirements—amendments to Reg S-P on safeguarding customer information, amendments to Reg SCI on cybersecurity and IT resilience (among other things) for “SCI entities,” and a new Cybersecurity Risk Management Rule for broker-dealers, clearing agencies and other SEC-regulated entities—now are slated for April 2024.

SEC Settles Ransomware Disclosure Charges for $3 Million

by Michael T. Borgia, Alexander Sisto, and Robertson Park

From left to right: Michael T. Borgia, Robertson Park, and Alexander Sisto. (Photos courtesy of Davis Wright Tremaine LLP)

The U.S. Securities and Exchange Commission (“SEC” or the “Commission”) has ordered Blackbaud, Inc. (“Blackbaud”) to pay $3 million to resolve claims that it made materially misleading statements about a 2020 ransomware attack and failed to maintain adequate disclosure controls related to cybersecurity. The SEC’s March 9, 2023 order and accompanying press release focus on three allegedly material misstatements: Blackbaud’s failure to correct a statement on its website that the attack did not compromise bank account information or Social Security numbers—even after Blackbaud personnel investigating the attack found clear information to the contrary; the company’s failure to disclose the compromise of that sensitive data in a Form 10-K; and the company’s cybersecurity risk statement in its Form 10-Q characterizing the risk of sensitive data exfiltration as merely hypothetical, despite knowing that exfiltration of unencrypted bank account information, Social Security numbers, and usernames and/or passwords had occurred as a result of the ransomware attack.
