Focus on the Handling of Internal Reports of Cybersecurity
Recent SEC activity around cybersecurity, including the April announcement of its $35 million settlement with Yahoo! and its February release of interpretive guidance, has led to increased focus on internal reports of cybersecurity breaches and vulnerabilities and the attendant internal control deficiencies.
Under the Dodd-Frank Act and the Sarbanes-Oxley Act, whistleblowers who report securities law violations and meet certain additional criteria are protected from retaliation and may be entitled to compensation. With the SEC’s focus on cybersecurity matters, reports of public company cybersecurity breaches or vulnerabilities that have not been publicly disclosed may reasonably be classed as reports of securities law violations.
A recent CFO.com article cautions that unexploited cybersecurity vulnerabilities are likely to be reported to business groups outside the legal and financial reporting structure, such as the IT department, whose staff are not trained to recognize or handle potential whistleblowing. Public companies reviewing their cybersecurity and whistleblowing policies should ensure that these reporting paths are addressed, so that a potential cybersecurity issue is not compounded by a whistleblower claim.