What You Should Do First with Anonymous Reports

There has recently been a rash of similar anonymous whistleblower tips to public companies, each claiming that an unnamed company supervisor boasted about reaping profits from insider trading. The number of public companies receiving very similarly worded anonymous reports leads to the conclusion that they may be hoaxes. While the apparent scheme’s ultimate goals are unclear, companies should be very cautious about engaging with sources of such anonymous complaints, especially given the risk of ransomware and other forms of cyberattack. One theory is that these reports may be the first step in a sophisticated campaign to inject ransomware or facilitate other forms of cyberattack.

These complaints present a challenging development for ethics and compliance reporting systems, since they require companies to quickly assess whether a whistleblower report is bona fide and address issues at the intersection of ethics policies and cybersecurity controls.

Several things should be considered by a company that receives a confidential whistleblower report alleging insider trading that does not name the employee involved:

  • The most immediate concern is determining whether the report appears to be authentic and legitimate (regardless of merit), and not a hoax or some form of cyberattack. Anonymous submissions should be handled in accordance with the company’s data and cybersecurity policies and procedures, since files and links are potentially dangerous vectors for cyberattacks. A senior IT employee should review the submission (without seeking to identify the purported whistleblower) and should be consulted on any engagement with the whistleblower that is determined to be appropriate, in order to minimize cybersecurity risks.
  • If the anonymous whistleblower ultimately discloses their identity and/or the identity of the company supervisor, additional investigative steps should promptly be taken, such as conducting an in-person or video interview of each individual, again with the objective of gathering as much relevant information as quickly as possible.
  • If it is determined that the company supervisor has likely engaged in insider trading, termination of employment should promptly occur. Further, the public company may want to consider reporting the matter to the appropriate SEC Regional Office. This step should be considered not only as a part of good corporate citizenry, but also as a risk management measure; should the SEC take some action against the employee, damage to the public company’s reputation may be mitigated if the matter was self-reported to the SEC and the supervisor was promptly terminated.
  • Conversely, if insufficient information is obtained to identify basic underlying facts (i.e., the anonymous supervisor and whistleblower’s identities, and/or the trading at issue), the public company should fully document the investigative steps that it took, and why it is closing the matter without further action. Such documentation may be helpful (if not necessary) in the event that the SEC (or a private litigant) learns of the complaint and questions why the public company took no further action.
  • The public company’s internal investigation should be conducted at the direction of counsel (inside or outside), to maximize the ability to protect findings and information discovered during the investigation. The company can weigh, at the appropriate juncture in the investigation, how best to disclose information internally or to a third party without fully waiving the privilege. One method may be to simply “sanitize” the findings and any conclusions, in the form of a report or summary, without identifying all of the underlying sources. Of course, such an approach should be carefully and thoughtfully undertaken, given potential privilege waiver issues.