Cybercrime has surged, particularly since the pandemic, targeting the sensitive information of consumers, businesses and governments. The FBI’s 2022 cybercrime report tallied nearly 801,000 complaints, adding up to nearly $10.3 billion in losses. While the number of complaints has held fairly steady since 2020, the breaches have gotten much more lucrative for bad actors: reported losses were $4.2 billion in 2020 and $6.9 billion in 2021.
These figures show why companies that aren’t enacting strict cybersecurity measures are at risk of costly attacks. The federal government has enacted a two-pronged strategy to push more companies to take these threats seriously, with liability and fines for those that fail to do so.
Recognizing that these breaches are material to investors’ evaluations of whether to buy or sell a company stock, the Securities and Exchange Commission adopted new disclosure rules about cybersecurity breaches. If there’s a “material” breach, a publicly traded company must file the appropriate form within four business days. Alongside that requirement are various other rules about regularly disclosing risk management strategies and other cybersecurity measures.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chairman Gary Gensler said in the announcement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
There is one exception to public reporting: when the U.S. Attorney General considers immediate disclosure to pose a substantial risk to national security or public safety and informs the SEC in writing.
Failure to make a disclosure under these new rules will be a violation of the securities laws. The SEC Whistleblower Office is authorized by Congress to provide monetary awards to eligible whistleblowers who come forward with information about violations of the securities laws that lead to an enforcement action in which over $1 million in sanctions is ordered. The range for awards is between 10% and 30% of the money collected.
In addition to the SEC rules, the federal government has cybersecurity requirements for all its contractors and grantees; the Department of Justice started the Civil Cyber-Fraud Initiative in October 2021 to enforce those requirements under the False Claims Act. Whistleblowers can file qui tam lawsuits if they have information that government contractors or grantees aren’t meeting those requirements and, if successful, receive a percentage of the recovered funds.
Today, government vendors and publicly traded companies (and indeed, some companies fall into both categories) must demonstrate heightened compliance with cybersecurity requirements. Potential violations can include:
- Companies contracting with the federal government that knowingly lack adequate cybersecurity measures.
- Publicly traded companies that don’t notify the SEC/investors of a material cybersecurity breach within four business days (apart from recognized exceptions).
- Government contractors and grant recipients that don’t make timely reports of a cybersecurity breach.
While the incidence of these breaches may be on the rise, whistleblowers are going to play a critical role in reporting to the government when companies fail to comply with these tighter requirements. For those who want to report such wrongdoing, it’s critical to engage a whistleblower attorney early in the process. With more than 30 years of combined experience litigating fraud and employment cases — and billions in recoveries for its clients — Keller Grover is uniquely positioned to represent whistleblowers.
If you want to report cybersecurity fraud in your organization, we are here to help. For advice about how to handle suspected fraud, contact Keller Grover for a free and confidential consultation.