Two topics that consistently appear on the Securities and Exchange Commission’s (SEC) priorities list are (1) an enhanced focus on cybersecurity and (2) the whistleblower program. The past several months have seen increasing crossover between these two priorities. In this article, we discuss a recent example and focus on best practices to avoid getting caught in the SEC’s crosshairs while navigating this sensitive area.
A Recent Case Study
In early March, the DOJ and FBI raided the corporate headquarters of Tiversa, a Pittsburgh-based security firm under investigation for providing the Federal Trade Commission (FTC) with false information about data breaches at companies that declined to purchase Tiversa’s data protection services.
As background, former Tiversa employee Richard Wallace testified in a 2015 FTC hearing that Tiversa provided the FTC with doctored evidence purporting to prove that selected organizations had suffered a data breach. According to a report by the House of Representatives Committee on Oversight and Government Reform, information provided by Tiversa “formed the basis for multiple enforcement actions and dozens of warning letters,” including the high-profile LabMD enforcement action.
Although Tiversa’s alleged conduct may be an egregious outlier, a company’s conduct need not be malicious – or even culpable – for it to become the subject of a cyber-whistleblower complaint that outs the company and creates public relations and regulatory problems. Even companies that diligently seek to detect and prevent cyberattacks can come under regulatory scrutiny by virtue of a whistleblower’s tip. And there are significant incentives for whistleblowers. Motivation can come in many forms, including earning immunity from government prosecution (in an egregious case, perhaps) and capitalizing on the monetary bounty programs promulgated by various regulatory agencies. Those bounty programs can provide financial incentives to the tune of millions of dollars, depending on the outcome of the matter and the information provided.
What Can Be Done?
Companies need not live in fear of the unknown cyber whistleblowers in their midst. They should instead take steps to reduce the risk that a whistleblower will go straight to the SEC or a similar agency by encouraging employees to report issues internally without fear of retaliation for doing so. Implementing robust internal reporting and investigation processes can encourage internal reporting of concerns. Specifically:
- Ensure there are numerous avenues available to make complaints (including anonymous complaints) and that employees are aware of those avenues. Employees should be able to lodge a complaint via managers, Human Resources, Compliance, Legal, a telephone/e-mail hotline, or a website.
- Be sensitive to the potential for real or perceived retaliation against whistleblowers. Involve Legal or Human Resources in any employment decisions involving a potential whistleblower, including performance reviews, before finalizing, to ensure there is no retaliation.
- Resist the urge to identify an anonymous whistleblower; it is very difficult to retaliate against someone whose identity is unknown. Implement a system that lets you follow up with an anonymous whistleblower while safeguarding his or her identity (e.g., EthicsPoint or Hushmail).
- Train IT managers and other employees on the front lines about what could form the basis for cybersecurity whistleblower complaints and how to properly receive and escalate them.
- Review third-party vendor practices (contractors, consultants, auditors, hotline administrators) to ensure they too provide optimal whistleblower procedures. Make clear in company policies that reports from third parties are also accepted by the company.
- Whistleblowers may have a heightened sensitivity to whether the investigation is biased, so consider extra precautions to ensure the neutrality of the investigation:
  - If the complaint involves a manager, HR and legal personnel who support that manager should not be involved in the investigation.
  - If the internal audit department is participating in the investigation, make sure that audit personnel who work for the area of the business under investigation are not participating.
  - If the complaint involves a C-level employee, independent outside counsel should be retained by the audit committee of the board of directors, rather than having the company’s inside counsel or regular outside counsel conduct the investigation.
With regulators hungry to identify and investigate potential cybersecurity issues, whistleblowers offer them an inside perspective at little to no cost. By creating a trusting environment in which employees and third parties report internally, companies can go a long way toward uncovering and remedying violations of law quickly and effectively, without regulatory intervention. Additionally, where an employee’s concern stems from a misunderstanding of events, internal reporting provides a critical opportunity to resolve the issue constructively and, hopefully, retain a valued employee rather than have that employee go first to a government agency with incorrect information. In sum, by creating an environment that in policy and practice encourages internal reporting of concerns, companies can avoid potentially costly and burdensome employee-initiated regulatory investigations and litigation exposure, and can improve their recruitment and retention of their best talent.