The murky world of cybersecurity remains fraught with worries for those trying to prevent hacks, but it has gotten somewhat clearer of late for employees who see their companies ignoring risks.
For one thing, federal regulators are taking the issue seriously, despite its relative newness on the securities law stage. For another, some rules have been clarified regarding protections for cybersecurity whistleblowers.
From a federal perspective, cyber intrusions are an obvious problem that can pose big risks to the markets and to market participants, as well as widespread financial costs.
In September, the U.S. Securities and Exchange Commission said it “is focused on identifying and managing cybersecurity risks and ensuring that market participants … are actively and effectively engaged in this effort and are appropriately informing investors and other market participants of these risks.”
Indeed, the SEC now will unleash penalties when it deems a publicly traded company’s response lacking. For example, in late April, the SEC announced a $35 million penalty against the former Yahoo! Inc. — now Altaba Inc. — to settle charges that the company “misled investors” by keeping a lid on a massive data breach that happened in December 2014.
All of this points to a regulatory zeal to make sure publicly traded companies take seriously their cybersecurity and their duties regarding any breaches. But what about employees who observe problems or deception in their companies’ handling of cybersecurity problems?
In the case of Yahoo!, senior management and the legal department were told about the breach, but investors didn’t find out until more than two years later during an acquisition.
Many whistleblowers fear retaliation if they report concerns. Legally, there are protections, but it’s important to understand the situations to which they apply. A February opinion by the U.S. Supreme Court determined that protections against retaliation only cover those who have reported reasonable concerns to the SEC — not those who only report concerns within a company.
Anti-retaliation protections allow employees who believe they have been victimized to sue an employer in federal court, seeking double back pay with interest, reinstatement, reasonable attorneys’ fees, and reimbursement for certain costs tied to the litigation.
The SEC keeps whistleblower identities confidential. However, if a person wants to report internally as well, the SEC’s Office of the Whistleblower suggests reporting the information to the SEC prior to or simultaneously with the internal report. This way, the anti-retaliation protections would apply.
There are further protections if a company tries to prevent someone from reporting a potential violation to the SEC.
Separately, the SEC provides financial rewards to voluntary whistleblowers whose original reports yield monetary sanctions of more than $1 million. Awards can amount to 10 percent to 30 percent of the money collected.
Since the first award in 2012, the SEC’s whistleblower program has awarded more than $266 million to 55 people. Almost $90 million of those awards were in March and April of this year.
If you suspect problems at your company and want advice about what to do, contact Keller Grover for a free consultation. Our lawyers have more than 25 years of experience litigating both fraud and employment matters – and this rare combination makes us uniquely qualified to represent whistleblowers.