Revisiting Whistleblower Response Procedures

Over the years, we have repeatedly underscored that effective implementation of well-designed procedures for responding to corporate crises, including for properly addressing whistleblower reports, is critically important in light of increased governmental enforcement activity and the value of securing credit for cooperation and remediation efforts. In yet another reminder of why such preparation is so vital, the SEC announced last week that, with its most recent awards, it has paid more than $1 billion to whistleblowers since the inception of its formal whistleblower program in 2012, and that the pace of such awards in 2021 is at record levels. SEC Chair Gary Gensler used this milestone to remind public companies that the Commission’s whistleblower program remains one of the most significant sources of information triggering Staff investigations and to urge potential whistleblowers to continue to come forward with credible information about potential violations of the securities laws.

In our experience, the proper handling of whistleblower reports is a critical skill that all well-managed companies must possess. Conversely, the mishandling of such matters frequently is a cause of serious regulatory and litigation consequences. With this momentous SEC milestone in mind, compliance, legal and risk-management teams should take stock of whether their level of preparedness is appropriate and take steps to ensure that their internal systems are in line with the following best practices:

• establish a robust internal mechanism for reporting, so that employees have a clear, easy-to-follow path for bringing concerns to management’s attention, affording management an opportunity to address concerns in the first instance;
• maintain similarly robust and well-publicized methods for employees to communicate concerns to the Audit Committee or other appropriate committee of the board (with an option to report anonymously), so that employees who are not comfortable reporting to management have another place to go internally (and so that employees do not conclude that the only way to escalate a concern is by contacting the SEC);
• review periodically internal hotlines and other reporting channels to ensure they are up-to-date and, likewise, periodically circulate reminders to all personnel encouraging them to make use of these channels when they have a concern and underscoring that management will take all reports seriously;
• ensure that when internal reports are made, all requests for confidentiality by the employee are scrupulously respected to the extent consistent with applicable law and the requirements of any follow-up investigation, and, in cases where employees are willing to disclose their identity, that they are fully protected against retaliation and discrimination;
• launch promptly an appropriately designed review aimed at getting quickly to the bottom of the reported concerns—again, in our experience, delay when dealing with such matters can prove to be extremely hazardous;
• make sure the internal reporting system allows investigators to communicate confidentially to any employee who reports a concern, so they can be advised that an inquiry is underway, and so that investigators can seek additional information from the whistleblower;
• whenever a report appears serious, immediately begin to put in place remedial steps to correct the issue, including through enhanced internal controls, improved and/or expanded training, personnel changes and related measures; and
• at an appropriate point in the process, consider whether making a voluntary report to the government would be warranted and whether disclosure may be required and/or prudent.