Public companies increasingly are confronted with whistleblower complaints regarding data breaches, cybersecurity vulnerabilities, and related internal control deficiencies.
If those complaints go unheeded — or, worse, prompt retaliation — companies could be exposed to civil liability in addition to reputational damage. The Securities and Exchange Commission has made no secret of the fact that cybersecurity is a top enforcement priority and that its whistleblower program is here to stay.
This article discusses the application of existing whistleblower protections for those making allegations regarding data breaches and cybersecurity deficiencies. We also recommend practical steps that public companies can take to tailor their compliance and internal investigations procedures to prepare for the intersection of these issues and assure a consistent approach when addressing cybersecurity whistleblower issues.
Under the Dodd-Frank Act, if a whistleblower provides the SEC with information about violations of securities laws, and that information leads to an over-$1 million enforcement action against the company, the SEC may reward the whistleblower with 10-30% of the amount of the sanction imposed.
At the same time, the Sarbanes-Oxley Act protects whistleblowers from retaliation by their employers for having reported conduct they “reasonably believe[d]” constituted mail, wire, bank, or securities fraud, or a violation of SEC rules or regulations. SOX protections apply to employees who report either to the government or to supervisory authorities within their company.
Whistleblower provisions are increasingly relevant in the context of cybersecurity, as the SEC has signaled a renewed focus on cyber-based threats.
Last fall, the commission announced the creation of a dedicated Cyber Unit, and Chairman Jay Clayton released a lengthy statement in which he pledged the SEC would continue to prioritize its efforts to promote effective cybersecurity practices.
On Feb. 20 of this year, the SEC issued interpretive guidance on cybersecurity. It stated that in light of “the frequency, magnitude and cost of cybersecurity incidents,” it “believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
The SEC’s focus on issuers’ cyber vulnerabilities, coupled with the robust protections and incentives provided to whistleblowers, raises the specter of employees bringing cyber-related concerns to the government.
The most obvious context in which this could arise is a data breach that is not appropriately disclosed. Although it has not happened to date, it seems clear that if a company fails to timely disclose information about a major data breach, thus rendering its existing disclosures misleading, then it could be subject to a significant SEC enforcement action.
Companies must also be prepared for employees who report — either internally or to the SEC — as-yet-unexploited vulnerabilities in a company’s cybersecurity, to the extent those weaknesses render the company’s disclosures inaccurate or incomplete.
That scenario presents unique challenges for public companies. The first line of defense with respect to these issues — i.e., the IT department — may not be well integrated with senior leaders tasked with deciding whether such vulnerabilities would require changes to the company’s disclosures.
In its February guidance, the SEC counseled that “companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder.”
That, the SEC said, would “enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”
Companies can take the following steps to ensure that cybersecurity vulnerabilities are addressed when they arise, investigated and remediated appropriately when reported, and integrated into the public disclosure evaluation process in accordance with SEC guidelines.
Evaluate internal whistleblowing and investigation procedures to ensure they are appropriately tailored to potential cybersecurity whistleblowers.
Certain established practices are essential to the success of any company’s internal whistleblower policies and are particularly important in the context of cybersecurity issues. An internal whistleblower hotline allows employees to anonymously or confidentially report suspected violations of law.
In the cyber context, those employees most knowledgeable about cybersecurity vulnerabilities are likely to have little awareness of how those problems might affect the accuracy of the company’s disclosures. It is therefore important to give them reassurances that they can flag potential problems, which will be investigated appropriately, without fearing reprisal.
Similarly, employees steeped in the company’s IT systems and cybersecurity must have the opportunity to voice concerns outside usual supervisory channels.
If a serious flaw in a company’s cybersecurity is reported to the chief information security officer or head of IT by one of his or her subordinates, there may be an incentive to fix the problem quietly and avoid informing others in the company. That is, the very existence of the vulnerability might reflect poorly on the company’s cyber hygiene.
To avoid this potential conflict, companies should allow cybersecurity-related complaints to be communicated directly to the legal department, the audit committee, or another independent body within the company.
Lastly, the audit committee or another board-level committee should have direct oversight of the company’s IT systems and cybersecurity to ensure that the company’s disclosures on those subjects are not misleading.
At a minimum, companies should consider requiring a certification from the CISO or the head of IT that there have not been any data breaches or other recently discovered vulnerabilities in the company’s systems that would affect its representations to the market.
Strengthen anti-retaliation procedures.
Given that SOX whistleblower protections apply to internal reporting as well as reporting to the government, companies must be especially careful to prevent retaliatory action against employees who raise concerns about their security protocols.
Companies should have written policies explicitly stating that in compliance with SOX, they will not “discharge, demote, suspend, threaten, harass, or in any other manner discriminate against” a whistleblower who reports what he or she reasonably and in good faith believes to be related to a violation of securities or other laws.
Train affected employee groups regarding the intersection of whistleblower and cybersecurity issues.
Employees who work in the cybersecurity sphere, as well as those tasked with ensuring compliance with federal securities laws, must have adequate training in both areas.
A company’s cybersecurity experts should be aware of past and planned cybersecurity disclosures made by the company, so they can assess their accuracy and provide appropriate feedback. Likewise, those tasked with broader legal compliance responsibilities must have enough familiarity with the nuances of cybersecurity to recognize genuine problems when they are reported.
With proper training in place, cybersecurity vulnerabilities can be escalated efficiently within the company and appropriately integrated into the securities disclosure process.
Training employees on the protections that SOX and Dodd-Frank provide to whistleblowers also will help avoid the danger that genuine concerns go unreported, for fear of retaliation, only to later be divulged externally to the SEC or another government enforcement agency.
William Barry and Brian Fleming are members of Washington, D.C.-based law firm Miller & Chevalier.