BLACKBAUD INC 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

BLACKBAUD INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:12:09 EST.

Filings

10-K filed on 2025-02-21

BLACKBAUD INC filed a 10-K at 2025-02-21 16:12:09 EST
Accession Number: 0001280058-25-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Overview of Processes for Assessing, Identifying and Managing Material Cyber Risks Because technology, data and information security is a top priority at Blackbaud, we maintain and continuously assess and strengthen our cybersecurity program. Comprehensive cybersecurity risk management, including identification, analysis and response to risks affecting our business and its customers, provides the foundation for our program. Our cybersecurity program has been and will continue to be further enhanced by our compliance with the settlement of governmental investigations relating to the Security Incident. See Note 11 to the consolidated audited financial statements contained in this report for additional information regarding the Security Incident. We utilize a four-prong strategy for assessing, identifying and managing material risks from cybersecurity threats: 1. Operational security: We leverage the industry standard CIA Triad Model in conjunction with comprehensive industry control frameworks, compliance regulations, privacy requirements and best practices, including: the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, PCI DSS, System and Organization Controls (“SOC”) 1, SOC 2, GDPR, HIPAA, the Trans-Atlantic Data Privacy Framework and Cloud Security Alliance. 2. Product security: Our development teams take part in regular training and use industry best practices to build security into our solutions. 3. Incident response: We monitor the threat landscape 24/7 in coordination with a third-party firm, routinely test our incident response capabilities and preparedness and maintain proactive relationships with law enforcement. 4. Ongoing landscape analysis: We continually evaluate upcoming and changing data privacy regulations and provide thought leadership for our customers on the operational impacts of these regulations and compliance requirements. We believe that information and technology security is a shared responsibility and, therefore, incorporate data and privacy protection education into the customer experience through ongoing resources such as best practices content, one-on-one consultations with customer success managers and bbcon(R) sessions. We also participate in global communities and conference platforms to share information and present on best practices to improve the industry’s security awareness posture. In addition, Blackbaud employees are all engaged in on-going security and privacy awareness training campaigns to ensure they are empowered to protect both Blackbaud’s and our customers’ data. 2024 Form 10-K Blackbaud, Inc. Integration into Overall Risk Management System or Processes Consistent with our prioritization of information and technology protection, cybersecurity risk management has been and remains a key aspect of our overall business strategy, financial planning and capital allocation and a point of ongoing emphasis at all levels of our Company. Our enterprise risk management (“ERM”) framework integrates our information technology and data management systems and related policies and practices into the larger framework to help guide and prioritize our cybersecurity and information technology-related investments, activities and risk management strategy. At least annually, we review cybersecurity risk as part of our ERM processes and integrate those findings into our overall strategy. Additionally, our cybersecurity program is further integrated with our overall risk management program through our Chief Information Security Officer’s (“CISO”) participation in such governance structures as our Risk Steering Committee and our Disclosure Committee, both of which are described in detail below. Engagement of Third Parties We regularly engage outside consultants and experts to assist us regarding our cybersecurity program. Engagements include an annual NIST Cybersecurity Framework assessment to ensure a reasonable cybersecurity program and retained leading external cybersecurity Incident Response (IR) experts. Risks from Third-Party Service Providers and Others Blackbaud also maintains a defined program and dedicated team that provides security oversight of its third-party service providers. This program assesses and manages risk at the onboarding phase of engagement with third-party vendors and partners as well as oversight throughout the lifecycle of the vendor relationship. Risks from Cybersecurity Threats; Actual and Potential Material Impact In addition, we continuously learn from and leverage experience gained from previous cybersecurity incidents that we, like many other companies, have experienced. As previously disclosed, we have been and remain subject to risks and uncertainties as a result of a ransomware attack against us in May 2020 in which a cybercriminal removed a copy of a subset of data from our self-hosted environment. As a result of the Security Incident, we are currently subject to certain legal proceedings and claims and could be the subject of additional legal proceedings, claims, inquiries and investigations in the future that might result in adverse judgments, settlements, fines, penalties or other resolution. See Note 11 to the consolidated audited financial statements contained in this report for additional information regarding the Security Incident and its past and potential impact on the Company. Notwithstanding our strong commitment to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. “Risk Factors” for a discussion of our cybersecurity risks. Governance Management’s Assessment and Management of Cybersecurity Threats Our multi-level cybersecurity governance and risk management structure begins with our Operational Risk Compliance and Security (“ORCAS”) Committee consisting of cross-functional management representatives throughout our Company. The ORCAS Committee receives detailed cybersecurity information from key security personnel and reports at least quarterly up through our Risk Steering Committee, which is made up of executives and senior management from various Blackbaud departments: Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Chief Technology Officer, General Counsel, Chief Privacy Officer and CISO, who has extensive information technology and program management experience. Our CISO has served in various roles of increasing responsibility in information technology and information security for more than 25 years, including serving in various cybersecurity leadership roles within public and private companies. He holds two undergraduate degrees-one in business administration and the other in computer information systems, a graduate degree in information systems and maintains two cybersecurity industry recognized certifications: Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP), both from the International Information System Security Certification Consortium. Cybersecurity leaders reporting to our CISO also have significant information technology and information security experience and industry recognized certifications. 32 2024 Form 10-K Table of Contents Blackbaud, Inc. Additionally, our cybersecurity Incident Response plan timely informs our Cybersecurity Incident Subcommittee on active cybersecurity incidents that are potentially material. The Cybersecurity Subcommittee determines cybersecurity materiality and is made up of our General Counsel, CISO, Chief Accounting Officer and Director of SEC Reporting. Our Cybersecurity Incident Subcommittee is part of our Disclosure Committee, which is appointed by Chief Executive Officer and Chief Financial Officer to assist our executives in their responsibility for oversight of the accuracy and timeliness of the disclosures made by Blackbaud. Board Oversight The Risk Steering Committee reports to the Risk Oversight Committee of our Board of Directors at the regular quarterly meetings, or more frequently as needed. The Risk Oversight Committee’s duties include, among other things, oversight of risks related to information technology security. The Risk Oversight Committee communicates as appropriate with the full Board of Directors, which is ultimately responsible for cybersecurity risk oversight.

Company Information