The SEC & SCOTUS Put Cyber Security Back on Top of the Compliance Priority List
A major American city’s computer network was down for days as a result of a cyber-attack. Charges were filed against nine Iranians and an Iranian company for attempting to hack into hundreds of universities, companies and even parts of the U.S. government.
Such events, once startling, are becoming more and more common amid increased cyber threats and a steady drumbeat of high-profile data breaches. Meanwhile, a recent order from the Securities and Exchange Commission (SEC) and a ruling by the U.S. Supreme Court could create enhanced liability risk for whistleblower retaliation claims.
Cyber Security in the SEC’s Crosshairs
In February, the SEC issued new guidance prompting organizations to be more forthcoming when disclosing cybersecurity risks, including risks that could lead to a breach or an attack. An expansion of SEC guidance from 2011, the new guidance warned about insider trading occurring before the public becomes aware of cyber security issues.
Not everyone believes the new guidance goes far enough – because it lacks specificity regarding enforcement. SEC Commissioner Kara Stein described the changes as “modest” compared with the 2011 guidance and the New York Times noted that the SEC “has yet to institute any direct measures to compel companies to reveal the nature and scope of a cyber security breach.”
Even if the new guidance doesn’t go as far as some would like, it’s clear that the SEC has increased its scrutiny of cyber threats. In September 2017, the commission announced the creation of a cyber unit. Meanwhile, importantly, the SEC is tasked with overseeing whistleblower matters under the Dodd-Frank Act – and the Supreme Court may have recently made matters on that front more difficult for organizations.
Unintended Consequences for Employers and Internal Whistleblowers
Last fall in Digital Realty Trust, Inc. v. Somers, the Supreme Court found that whistleblower protections under Dodd-Frank are not triggered by an internal complaint to one’s employer and only apply to individuals who report problems directly to the SEC. Some employers likely cheered this decision. But it created a sort of perverse threat when it comes to internal reporting and addressing possible cyber problems.
After Digital Realty Trust, an employee who wants to report a potential cyber issue has more incentive to take a concern to the SEC for the simple reason that if she doesn’t, she won’t get whistleblower protection. To be sure, any lawyer consulted by an employee in such a situation will encourage her to run, not walk, to the SEC.
In other words, robust internal reporting is now harder to achieve – because of a decision that seemed to be a boon to employers.
How to Identify a Cyber Security Whistleblower Report?
Another difficulty is that organizations might figure that an employee flagging a potential cyber threat is not in fact acting as a whistleblower but is, instead, simply doing their job. This ambiguity around internal reporting has been a concern for departments like compliance, in-house counsel and audit, and now for IT as well. Regardless, the onus to adjust to this new reality is on the managers receiving the complaints – now more than ever.
It’s also another reason why organizations must make sure they’re allocating the proper resources to the compliance ecosystem – particularly, in this instance, a strong reporting system and training. And in this day and age, supervisor training should go beyond the technical; it also must cover the legal/compliance landscape. Consider that an IT supervisor who received cyber training just six months ago couldn’t possibly know about the Supreme Court decision or the SEC guidance.
And while it’s too soon to tell what SEC enforcement will look like as a result of the new guidance, organizations that don’t measure up should expect more than a slap on the wrist.
Learning to Properly Handle Cyber Security Reports
Supervisors must be instructed to go into a different mode when they receive a report about potential cyber weaknesses. It’s important to look into the reported weaknesses and follow up with the employees who reported them to show that the issue was investigated and that action, if necessary, was taken.
The alarm bells should really start ringing if an employee makes more than one report about a perceived weakness and/or complains that the issue they raised has not been remediated. Their next report could very well be made to government regulators – so the employee can get protected whistleblower status. Supervisors should also watch out for signs that the employee is feeling defeated or jaded (body language, comments, etc.).
Finally, supervisors should be careful that any employee who raises internal alarms isn’t retaliated against nor acted against in a way that could be construed as retaliation. This is one reason why it’s important to document employee issues all the time – so a pattern of problems will show up before an employee raises an alarm.
Cyber breaches have been around for a while, but the severity and volume has definitely increased over the past year. And given that SEC has upped the ante, organizations need to be ready – especially when it comes to whistleblowers.
This article previously appeared on Navex Global's "Ethics & Compliance Matters" blog.