Corporate Compliance Insights
Cybersecurity Whistleblowers Are Different. Here’s How to Deal With Them.

New Incentives From Regulators Might Drive an Increase in Cyber Whistleblowing. Companies Need Specialized Report-Handling Protocols Now to Prevent Misconduct From Making Headlines.

by Kenji Price, Mark Schreiber and Scott Ferber
March 15, 2022
in Compliance, Cybersecurity
Compliance teams could see an uptick in cybersecurity whistleblower complaints as regulators expand protections and incentives for those reporting data breaches, vulnerabilities or other cyber-related misconduct. But cybersecurity incident reports require special handling. Here’s how to prepare for the unique nature of cybersecurity whistleblowing.

Whether increased plans to protect or incentivize whistleblowers in the U.S. or U.K. result in a surge of incident reporting remains to be seen, but compliance and legal teams should take steps now to strengthen response and investigation protocols for cybersecurity complaints.

Several agencies in recent months have taken steps to encourage whistleblowing. The Department of Justice (DOJ) in October of last year announced the launch of its Civil Cyber-Fraud Initiative to “combat new and emerging threats to the security of sensitive information and critical systems” through the use of civil enforcement actions. It emphasized the protections extended to whistleblowers who provide information to government authorities, as well as the opportunity to share in any recovery. 

Next, on January 4, 2022, the Federal Trade Commission (FTC) warned companies to remediate cybersecurity vulnerabilities caused by Log4j exposure, promising to “use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j[.]” 

Then, in a January 24, 2022 speech, Securities and Exchange Commission (SEC) Chairman Gary Gensler outlined a variety of cyber initiatives that the SEC would be rolling out involving cyber hygiene and preparedness, cyber incident reporting to the government, and disclosure to the public.  Three weeks later, the SEC announced proposed changes to its whistleblower program rules to “help ensure that whistleblowers are both incentivized and appropriately awarded for their efforts in reporting potential violations of the law to the Commission.”

The U.S. is not alone in its focus on this area.  The EU Whistleblower Directive effectively kicked off a new era of cyber whistleblower protection on December 17, 2021 by providing a new whistleblowing reporting category for the “protection of privacy and personal data, and security of networks and information systems,” and prohibiting retaliation against those who report these matters.

In light of these actions protecting and incentivizing cyber whistleblowers, here are actions compliance teams can take today.

Recognize that cybersecurity whistleblower complaints are different and treat them differently from the outset.

Companies should acknowledge from the outset that cybersecurity complaints present unique challenges to existing whistleblower compliance programs and manage them differently than more traditional reports of alleged corporate misbehavior.  Treating cybersecurity complaints differently is critical, because the initial designation and routing of a whistleblower complaint may determine the adequacy of the steps a company will ultimately take (or fail to take) to address it. 

Game out how to intake and route a cyber whistleblowing report.

New sections of the company’s code of conduct or whistleblowing guidelines will need to be developed to address recognition and routing of cyber complaints.  A cyber whistleblowing complaint may come in through any number of reporting channels, such as a hotline or web portal, the IT helpdesk, a supervisor, or even the HR director. 

Because cyber complaints can emerge from a variety of conduits, a company’s code of conduct or whistleblowing guidelines must address a series of critical, threshold questions, the answers to which will guide the behavior of employees serving in both IT and non-IT functions.  Such questions include, for example, “how are bona fide cyber whistleblower complaints to be recognized, and distinguished from more routine complaints that a system is not operating appropriately?” and “who within the company should escalate cyber complaints?” 

For many companies, answering these questions will require a conversation with their third-party hotline vendor and examination of whether the vendor’s menu-driven intake has been updated to separately include a new category for cybersecurity complaints.  Whistleblower compliance programs managed without the use of third-party reporting channels and software will require a different approach and further discussions. 

Determine who will consistently manage the company’s response to a cybersecurity whistleblower complaint.

After a cybersecurity whistleblower complaint is segregated from the other categories, an appropriate person should be designated as primarily responsible for managing the company’s response from start to finish. There is no one-size-fits-all answer as to whom a company should choose to serve in this vital function. Ideal candidates may include someone in the Chief Legal Office (CLO), the Ethics or Compliance Officer (CCO), the Chief Privacy Officer (CPO) or even the Chief Information Security Officer (CISO).

The individual selected should have a general understanding of the company’s information security policies, practices and overall information technology infrastructure, and not be the subject of, or represent the unit or person purportedly responsible for, the reported cybersecurity issue.  Importantly, the whistleblower complaint manager should be able to recognize the difference between a routine security issue and failure to address a more serious or ongoing cybersecurity concern, or one about which there have been prior warnings, potentially unheeded. 

Put another way, the person should be able to separate the wheat from the chaff, identifying cyber complaints which, due to their nature or scope, pose significant litigation risk and require remediation—a task that understandably may not be easy.

Start the investigation and ascertain the nature and scope of the cybersecurity concern or vulnerability at issue.

The company will need to ascertain the nature and scope of the reported cybersecurity issue, event, or vulnerability. Cybersecurity concerns may fall into one of several categories: (a) less technical or less serious matters manageable by in-house IT or security personnel; (b) serious matters requiring the expertise of a third-party security consultant; or (c) matters that, due to the unique circumstances under which they arise, warrant the use of an outside forensics company, engaged under privilege, which may also be willing to act as an expert witness later, if needed. Company IT personnel are generally a great first option for addressing reported vulnerabilities that fall into the first category, due to their deep knowledge of the company’s information technology architecture and, of course, the cost efficiencies achieved by using their services instead of third-party vendors.

There may be circumstances under which in-house personnel are ill-equipped to diagnose the extent or severity of a reported cybersecurity problem, or should not play a lead role due to their alleged or suspected involvement in it. Under these circumstances, the company may want to engage third-party forensic or other experts to assess the nature and scope of the reported cybersecurity problem.

Take appropriate steps to preserve the attorney-client privilege, especially if forensic or expert assistance is brought in to assist.

If, as is often the case, the company obtains legal advice during its response to a serious cybersecurity whistleblower complaint, it should employ the practices it uses in the ordinary course to preserve the attorney-client privilege, and evaluate whether other measures are necessary.  The question of privilege commonly arises when regulators or plaintiffs attempt to compel discovery of forensic reports generated in the wake of a cybersecurity incident.  Companies generally oppose such disclosure, on the grounds that, among other things, such reports are prepared by experts to aid in the provision of legal advice.  

As a general matter, courts tasked with deciding whether such reports are privileged tend to differentiate between those generated for the purpose of helping the company make a business decision and those developed to help counsel provide legal advice.  As a result, companies and their legal advisors should decide the purpose of forensic expert advice and reports early on, and intentionally structure their practices and the terms of their engagement with a forensic company to preserve the attorney-client privilege.

This is normally done with critical language in the MSA, SOW and/or attorney engagement letter of the forensic company conveying the precise purpose for which the forensic company’s services are obtained.  Most forensic companies already have model language to this effect prepared or that can be negotiated.  A company may also want to consider retaining expert vendors with no prior relationship with the company, or executing new engagement letters with existing experts, which make clear that they are separately retained to assist counsel in providing legal advice in connection with a whistleblower complaint and will perform duties distinguishable from those set forth in existing contracts/agreements.

Document and monitor resolutions of a cyber whistleblowing matter.

While some aspects of cyber investigations will be similar to other types of whistleblowing inquiries, there are unique technical and other features that will play into the findings and remediation, if any.  However such matters are to be resolved, it is critical that the documentation be adequate and supportable.  Because of the potential system, infrastructure, logging, access control, vulnerability identification and remediation practices that will likely be involved, those drafting a report may have to draw on internal reports, back-ups, forensic findings, nuances and language, and perhaps even address witness credibility issues in some cases.  This will be a challenge for many companies, necessitating a process – such as the one described herein – capable of yielding a well-founded conclusion.  Obviously, this process must also observe the usual non-retaliation prohibitions against whistleblower employees and others.  Once completed, ongoing monitoring will also be necessary, to avoid a repeat problem that triggers a government enforcement action or private lawsuit.

In addition, the company must determine whether it has any disclosure obligations to the board, a regulator or government agency, investors, partners, affiliates, or contracting parties. Sometimes the company code of conduct or whistleblowing guidelines will identify these obligations, and, in other instances, regulatory regimes may dictate them. In advising the company, counsel should be mindful that the federal regulatory environment is a very fluid one, as agencies evaluate how to use their existing authorities to respond to cybersecurity threats and police the adequacy of company cybersecurity practices.

Facilitate an ongoing dialogue between the Chief Legal, Compliance and Information Security Functions.

Finally, representatives of the chief legal, compliance and information security offices should have an ongoing dialogue regarding the organization’s cyber resiliency, resource allocation, vulnerability identification and management, cybersecurity incidents, and the expanding enforcement landscape.  Doing so provides a helpful forum for identifying and addressing, in advance, issues that could otherwise mature into a whistleblowing report.  If there ever is oversight, this interdisciplinary dialogue would help demonstrate to a reviewing body that the organization is taking cybersecurity and whistleblowing complaints seriously.

Conclusion

There is no such thing as perfect cybersecurity or limitless cyber budgets.  Every organization must make challenging decisions about resource allocation to information technology and information security.  With that said, a rejected request for funding combined with a data security incident is a recipe for a whistleblower complaint, particularly where the reporting employee or function may be under scrutiny for the breach in question.  Through strong cyber hygiene and a well-crafted, appropriately resourced whistleblower compliance program, companies are better positioned to reduce the risk of a data security incident, as well as preemptively identify and address potential concerns before they become full-blown whistleblower complaints, which can then take on a life of their own.


Tags: Cyber Risk, Whistleblowing
Kenji Price, Mark Schreiber and Scott Ferber

Kenji M. Price, partner at McDermott Will & Emery and former US Attorney for the District of Hawaii, focuses his practice on white-collar government investigations, internal investigations and compliance counseling.

Mark E. Schreiber, senior counsel at McDermott, focuses his practice on cybersecurity, data breach response and global privacy coordination, including whistleblowing programs. He has handled a number of internal investigations of whistleblowing and helped manage whistleblowing program construction in several dozen countries.

Scott Ferber, a partner at McDermott, leverages his extensive experience as a former federal cybercrime prosecutor and in senior leadership at the US Department of Justice to advise clients on the full range of privacy and security issues created by global data collection, protection, and usage.

© 2022 Corporate Compliance Insights
