BLACKBAUD INC - (BLKB)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Because technology, data and information security is a top priority at Blackbaud, we maintain and continuously assess and strengthen our cybersecurity program. Comprehensive cybersecurity risk management, including identification, analysis and response to risks affecting our business and its customers, provides the foundation for our program.
We utilize a four-pronged strategy for assessing, identifying and managing material risks from cybersecurity threats:
1. Operational security: We leverage the industry standard CIA Triad Model in conjunction with comprehensive industry control frameworks, compliance regulations, privacy requirements and best practices, including: the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, PCI DSS, System and Organization Controls ("SOC") 1, SOC 2, GDPR, HIPAA, the Trans-Atlantic Data Privacy Framework and Cloud Security Alliance.
2. Product security: Our development teams take part in regular training and use industry best practices to build security into our solutions.
3. Incident response: We monitor the threat landscape 24/7 in coordination with a third-party firm, routinely test our incident response capabilities and preparedness and maintain proactive relationships with law enforcement.
4. Ongoing landscape analysis: We continually evaluate upcoming and changing data privacy regulations and provide thought leadership for our customers on the operational impacts of these regulations and compliance requirements.
2023 Form 10-K
Blackbaud, Inc.
We believe that information and technology security is a shared responsibility and, therefore, incorporate data and privacy protection education into the customer experience through ongoing resources such as best practices content, one-on-one consultations with customer success managers and bbcon® sessions. We also participate in global communities and conference platforms to share information and present on best practices to improve the industry's security awareness posture. In addition, Blackbaud employees are all engaged in ongoing security and privacy awareness training campaigns to ensure they are empowered to protect both Blackbaud's and our customers' data.
Blackbaud also maintains a defined program and dedicated team that provides security oversight of its third-party service providers. This program assesses and manages risk at the onboarding phase of engagement with third-party vendors and partners as well as oversight throughout the lifecycle of the vendor relationship.
We regularly engage outside consultants and experts to assist us regarding our cybersecurity program. Engagements include an annual NIST Cybersecurity Framework assessment to ensure a reasonable cybersecurity program, and we retain leading external cybersecurity Incident Response (IR) experts.
Consistent with our prioritization of information and technology protection, cybersecurity risk management has been and remains a key aspect of our overall business strategy, financial planning and capital allocation and a point of ongoing emphasis at all levels of our Company.
In addition, we continuously learn from and leverage experience gained from previous cybersecurity incidents that we, like many other companies, have experienced. As previously disclosed, we have been and remain subject to risks and uncertainties as a result of a ransomware attack against us in May 2020 in which a cybercriminal removed a copy of a subset of data from our self-hosted environment (the "Security Incident"). As a result of the Security Incident, we are currently subject to certain legal proceedings, claims and investigations and could be the subject of additional legal proceedings, claims, inquiries and investigations in the future that might result in adverse judgments, settlements, fines, penalties or other resolution. See Note 11 to the consolidated audited financial statements contained in this Annual Report on Form 10-K for additional information regarding the Security Incident and its past and potential impact on the Company.
Notwithstanding our strong commitment to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. "Risk Factors" for a discussion of our cybersecurity risks.
Governance
Our multi-level cybersecurity governance and risk management structure begins with our Operational Risk Compliance and Security ("ORCAS") Committee, consisting of cross-functional management representatives from throughout our Company. The ORCAS Committee receives detailed cybersecurity information from key security personnel and reports at least quarterly up through our Risk Steering Committee, which is made up of executives and senior management from various Blackbaud departments: Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Chief Technology Officer, General Counsel, Chief Privacy Officer and Chief Information Security Officer ("CISO"), who has extensive information technology and program management experience. Our CISO has served in various roles of increasing responsibility in information technology and information security for more than 25 years, including serving in various cybersecurity leadership roles within public and private companies. He holds two undergraduate degrees (one in business administration and the other in computer information systems) and a graduate degree in information systems, and maintains two industry-recognized cybersecurity certifications: Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP), both from the International Information System Security Certification Consortium. Cybersecurity leaders reporting to our CISO also have significant information technology and information security experience and industry-recognized certifications.
The Risk Steering Committee reports to the Risk Oversight Committee of our Board of Directors at the regular quarterly meetings, or more frequently as needed. The Risk Oversight Committee's duties include, among other things, oversight of risks related to information technology security. The Risk Oversight Committee communicates as appropriate with the full Board of Directors, which is ultimately responsible for cybersecurity risk oversight.
Additionally, our cybersecurity Incident Response plan timely informs our Cybersecurity Incident Subcommittee of active cybersecurity incidents that are potentially material. The Cybersecurity Incident Subcommittee determines cybersecurity materiality and is made up of our General Counsel, Chief Information Security Officer, Chief Accounting Officer and Director of SEC Reporting. Our Cybersecurity Incident Subcommittee is part of our Disclosure Committee, which is appointed by the Chief Executive Officer and Chief Financial Officer to assist our executives in their responsibility for oversight of the accuracy and timeliness of the disclosures made by Blackbaud.