Avoiding Emerging Cybersecurity Whistleblower Pitfalls
Securities law violations are a major focus of regulatory compliance programs across the industry. Yet not all organizations realize the threat cybersecurity breaches pose to company viability. A new breed of corporate whistleblower is cropping up among marketplace professionals – the cybersecurity whistleblower.
Compliance professionals and executives should familiarize themselves with potential violations and implement a functional internal reporting program before a trusted insider detects and chooses to report misconduct.
SEC Cybersecurity Whistleblowers Pose a Unique Threat
An increasing number of securities professionals are reporting knowledge of breaches or cybersecurity weaknesses to the U.S. Securities and Exchange Commission (SEC). A recent article posted by Corporate Counsel highlights the emerging importance of cybersecurity compliance and how companies can proactively prevent a breach from becoming a securities law violation.
Potential cybersecurity whistleblowers are dissimilar from traditional whistleblowers in a number of ways. Even organizations with strong internal reporting programs are vulnerable. Unlike most corporate whistleblowers, cyber whistleblowers may go unnoticed until after the whistleblower reports suspicions to the SEC.
While many employees are familiar with the SEC whistleblower program, many IT managers are not. The SEC whistleblower program pays whistleblowers between 10% and 30% of the monetary sanctions collected when their original information leads to over $1 million in penalties.
Employees whose concerns are ignored internally can report those concerns confidentially to the SEC, encouraged by the large cash awards, which can set off a snowball of investigations and charges.
Safeguards Rule Requires Data Protection and Customer Awareness
Securities regulations are constantly upping their data protection requirements. The Federal Trade Commission’s Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions – companies that offer consumers financial products or services, including loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The program must be “appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.”
As part of its plan, each company must:
- Designate one or more employees to coordinate an information security program
- Identify and assess risks to customer information in each relevant area of the company’s operation
- Evaluate the effectiveness of the current safeguards for controlling those risks
- Design and implement a regularly monitored and tested safeguards program
- Select service providers that can maintain appropriate safeguards, make sure contracts require them to maintain safeguards, and oversee their handling of customer information
- Evaluate and adjust the program in light of relevant circumstances, including changes in operations and results of security testing and monitoring
Failure to implement appropriate cybersecurity measures that leads to the exposure of sensitive company or customer information violates the Safeguards Rule and constitutes a securities law violation.
The SEC is not holding back in enforcing cybersecurity regulations. Last year, the SEC fined R.T. Jones Capital Equities Management Inc. $75,000 for cybersecurity failures, including failure to implement data encryption and firewalls that resulted in the exposure of over 100,000 customers’ personal information.
Alleged cybersecurity deficiencies at Morgan Stanley Smith Barney LLC led to a $1 million settlement after the release of personal information for approximately 730,000 customer accounts. The SEC charged the firm with violating the Safeguards Rule.
Failure to Report Breaches Violates Securities Law
The SEC’s Regulation Systems Compliance and Integrity rule requires organizations to incorporate computer networking systems with security levels “adequate to maintain operational capacity and fair and orderly markets,” and to “take corrective action” and report incidents following system breaches. In addition, the Dodd-Frank Act commands the SEC and CFTC to require financial institutions to design and implement identity theft prevention programs.
Essential Steps: Anonymous Internal Reporting, Retaliation Prevention, Third-Party Inclusion
A few simple practices can save organizations from employees reporting cybersecurity issues to the SEC. One big reason for the surge in SEC cybersecurity whistleblowers is the lack of response from supervisors around employee concerns. Encourage internal reporting. Don’t take even casual employee concerns about cybersecurity lightly. Allow employees to make anonymous reports to supervisors and compliance officers. Post reporting procedures in highly visible locations and employee handbooks. Discuss reporting procedures at staff meetings.
Refrain from exposing a whistleblower’s identity. Anti-retaliation provisions impose harsh fines on companies whose managers, executives, agents or officers threaten, harass, demote or otherwise discriminate against an employee for reporting a potential securities law violation.
Anonymity is the easiest way to avoid the potential for retaliation by coworkers or supervisory staff. Ensure that all staff are aware of anti-retaliation provisions and that the organization will not tolerate misconduct regarding reports of concern.
Make sure all cybersecurity measures are up to date and functional within the organization. Schedule regular monitoring and testing events and re-analyze potential areas of weakness whenever possible. Ensure that all third-party contractors understand your organization’s cybersecurity policies and procedures, and encourage third parties to report concerns internally as well.
With banking and investment relationships now conducted almost entirely through data systems and computer networks, the potential for cybersecurity whistleblower lawsuits is substantial. Boosting internal reporting policies, enforcing anti-retaliation policies and implementing strong cybersecurity measures will help employees with concerns about cybersecurity feel comfortable and safe reporting internally.