Brooklyn Journal of Corporate, Financial & Commercial Law


In today’s technologically dependent world, concerns about cybersecurity, data breaches, and compromised personal information infiltrate the news almost daily. The Securities and Exchange Commission (SEC) has recently emerged as a regulator that is keenly focused on cybersecurity, specifically with respect to encouraging disclosures in this arena by regulated entities. Although the SEC has issued non-binding “guidance” to help companies navigate their reporting obligations in this sector, the agency lacks binding cybersecurity disclosure regulations as they pertain generally to public companies. Given that the SEC has already relied on such guidance in threatening enforcement actions, reporting companies are increasingly pressured for compliance in this arena. This Article addresses the importance of establishing effective internal reporting channels and other internal compliance mechanisms in meeting the SEC’s expectations and highlights the role of “cybersecurity whistleblowers,” specifically those reporting internally, in building the type of improved corporate culture necessary to discover and remediate cybersecurity risks. Cybersecurity whistleblowers, like all whistleblowers, commonly experience retaliation for their efforts. Despite the SEC’s commitment to providing whistleblowers retaliation protections through statutes like the Sarbanes-Oxley and Dodd-Frank Acts, the absence of binding cybersecurity regulations translates into a direct problem for cybersecurity whistleblowers, because their reports are likely to fall outside the scope of “protected activity” enumerated under these statutes. This Article discusses this gap in protections in light of the SEC’s heightened cybersecurity focus, the feasibility of SEC adoption of binding cybersecurity disclosure regulations, and the broad contributions of whistleblowers to compliance systems generally.