Yes, a disclosure about cybersecurity that leads to an enforcement action in which the SEC collects one million dollars or more in penalties will qualify for an SEC whistleblower award.
Our experienced cybersecurity whistleblower lawyers have represented Chief Information Security Officers, CIOs, compliance officers, internal and external auditors, and other cybersecurity professionals in cybersecurity whistleblower rewards and protections matters.
To find out more about whistleblower rewards and protections for cybersecurity whistleblowers, call us at 202-262-8959 for a free, confidential consultation.
The SEC’s recently filed complaint against SolarWinds Corporation and its CIO for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities describes the types of cybersecurity-related violations that can lead to an SEC enforcement action. According to the complaint, SolarWinds defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks. The SEC’s complaint signifies robust SEC enforcement of cybersecurity-related securities violations, including failure to disclose known material cybersecurity risks and failure to maintain adequate cybersecurity controls. In a press release announcing the charges, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, states: “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
In light of the elevated cybersecurity risk environment and the SEC prioritizing enforcement of cybersecurity violations, cybersecurity whistleblowers have a strong incentive to report cybersecurity violations to potentially qualify for an SEC whistleblower award and can play a vital role in protecting against cyber breaches and attacks.
Information security and data privacy whistleblowers are often in a position to identify and remedy vulnerabilities—and therefore prevent breaches—if only decision makers would act on their concerns. In our practice representing cybersecurity whistleblowers, we find that all too often, chief information security officers and other information security professionals encounter indifference or retaliation when they raise concerns about vulnerabilities. The SEC whistleblower program offers a powerful incentive for cybersecurity whistleblowers to report violations to the SEC and assist the SEC in taking decisive enforcement actions that will encourage registrants to provide accurate disclosures about cybersecurity and maintain appropriate cybersecurity controls.
The complaint alleges what appears to be a blatant failure to remedy significant cybersecurity vulnerabilities and concealment from shareholders of the risks stemming from those vulnerabilities:
- SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and its CIO knew of specific deficiencies in SolarWinds’ cybersecurity practices.
- SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including internal emails and presentations revealing that SolarWinds was aware that the “current state of security leaves [it] in a very vulnerable state for [its] critical assets,” “[a]ccess and privilege to critical systems/data is inappropriate,” “backends are not that resilient,” “the volume of security issues being identified . . . outstripped the capacity of Engineering teams to resolve,” and “[t]he products are riddled and obviously have been for many years.”
- SolarWinds concealed from the public its known poor cybersecurity practices, including its (a) failure to consistently maintain a secure development lifecycle for software it developed and provided to thousands of customers, (b) failure to enforce the use of strong passwords on all systems, and (c) failure to remedy access control problems that persisted for years.
- SolarWinds knew about a “security gap” relating to its VPN, which allowed access from devices not managed by SolarWinds. A network engineer warned that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late.”
- SolarWinds’ Security Statement contained multiple materially false and misleading statements. It contained positive information about the state of the Company’s cybersecurity practices while failing to include information such as the fact that SolarWinds failed to meet more than half of NIST standards.
- When SolarWinds filed a Form 8-K first announcing that its Orion network monitoring software contained malicious code that had been inserted by threat actors as part of a supply-chain attack, it failed to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period.
The complaint reveals how the SEC applies anti-fraud and internal control rules to cybersecurity violations, including two key issues:
- The SEC is willing to take enforcement action for failure to disclose cybersecurity vulnerabilities in the absence of a breach or attack. The complaint states: “To be clear, SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack.”
- Generic risk disclosures about hypothetical cybersecurity risks will not suffice when a company is aware of elevated risks and omits those risks from its disclosures. Here, SolarWinds documented internally that the “current state of security leaves [it] in a very vulnerable state for [its] critical assets,” but it did not disclose those risks to shareholders. The complaint states: “SolarWinds’ disclosures failed to convey the known risks discussed above, or even that known risks of this type had been identified. Even if some of the individual risks and incidents discussed in this Complaint did not rise to the level of requiring disclosure on their own, at least collectively they created such an increased risk to SolarWinds that the failure to disclose their collective impact on SolarWinds’ cybersecurity posture rendered the risk disclosures that SolarWinds made materially misleading.”
The complaint against SolarWinds alleges violations of the following provisions of federal securities laws:
- the antifraud provisions of the Securities Act of 1933 (Section 17(a) of the Securities Act, 15 U.S.C. § 77q(a));
- the antifraud provisions of the Securities Exchange Act of 1934 (Section 10(b) of the Exchange Act, 15 U.S.C. § 78j(b), and Rule 10b-5(b), 17 C.F.R. § 240.10b-5);
- the reporting and internal controls provisions of the Exchange Act (Section 13(a) of the Exchange Act, 15 U.S.C. § 78m(a), and Rules 13a-1, 13a-11, and 13a-13 thereunder, 17 C.F.R. §§ 240.13a-1, 240.13a-11, and 240.13a-13), which require issuers to file accurate reports on Forms 10-K, 10-Q, and 8-K;
- Section 13(b)(2)(B) of the Exchange Act, 15 U.S.C. § 78m(b)(2)(B), which requires registrants to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that access to assets is permitted only in accordance with management’s general or specific authorization; and
- Exchange Act Rule 13a-15(a), which requires publicly traded companies to maintain disclosure controls and procedures to ensure that information required to be disclosed by an issuer is accumulated and communicated to the issuer’s management to allow timely decisions regarding required disclosure.
Cybersecurity Enforcement Action Against Broker-Dealer for Violating Safeguards Rule and Red Flags Rule
An enforcement action against Voya Financial Advisors Inc. (VFA), a broker-dealer and investment adviser, demonstrates the SEC’s increased commitment to enforcing rules requiring brokers and advisers to safeguard customer information. In particular, VFA is paying $1 million to settle charges that it failed to protect brokerage customer and advisory client information.
VFA’s practice was to give its independent contractor representatives, the majority of its workforce, access to customer information through a proprietary web portal that could be accessed remotely from the contractors’ personal devices. During a six-day period in April of 2016, unknown persons accessed the web portal by impersonating VFA contractors and calling the technical support line to request password resets. The passwords were reset, and the imposters were given temporary passwords over the phone, giving them access to 5,600 VFA customers’ personally identifiable information (PII).
After the breach, VFA failed to address deficiencies in its cybersecurity program, including aspects of the design, implementation, and employee training. And even after one of the advisers alerted VFA that he had not requested a new password, two more advisers were impersonated.
The Safeguards Rule (Rule 30(a) of Regulation S-P codified at 17 C.F.R. § 248.30(a)) requires broker-dealers and investment advisers to have written policies and procedures that address the protection of customer records and information. The policies “must be reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
The Identity Theft Red Flags Rule (Rule 201 of Regulation S-ID, 17 C.F.R. § 248.201) requires certain financial institutions and creditors registered with the SEC to create and implement a written Identity Theft Prevention Program. “An Identity Theft Prevention Program must include reasonable policies and procedures to: identify relevant red flags for the covered accounts and incorporate them into the Identity Theft Prevention Program; detect the red flags that have been incorporated into the Identity Theft Prevention Program; respond appropriately to any red flags that are detected pursuant to the Identity Theft Prevention Program; and ensure that the Identity Theft Prevention Program is updated periodically to reflect changes in risks to customers from identity theft.”
According to the SEC’s order, VFA violated the Safeguards Rule because its policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives. And VFA violated the Identity Theft Red Flags Rule because it did not review and update the Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees.
SEC Whistleblower Incentives for Cybersecurity Whistleblowers
Zuckerman Law has represented cybersecurity whistleblowers in whistleblower retaliation and whistleblower rewards claims, including in Sarbanes-Oxley whistleblower actions. We have written extensively about protections for cybersecurity whistleblowers, including the following publications:
- The Rise of Cybersecurity Whistleblowing, NYU Law Compliance & Enforcement Blog (December 2016)
- Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns, ISSA Journal (June 2016)
The Wall Street Journal quoted Mr. Hammer extensively in an article titled Cybersecurity Whistleblowers Are Growing Corporate Challenge. Corporate Crime Reporter interviewed Mr. Hammer about cybersecurity whistleblowing: Dallas Hammer on the Rise of Cybersecurity Whistleblowing. And CSO quoted Mr. Hammer in an article titled Cybersecurity whistleblowers: Get ready for more.
To learn more about the SEC Whistleblower Program, download Zuckerman Law’s eBook: SEC Whistleblower Program: Tips from SEC Whistleblower Attorneys to Maximize an SEC Whistleblower Award.