BCLP – US Securities and Corporate Governance – Bryan Cave Leighton Paisner


Beware of Insider Trading Whistleblower Scams

What You Should Do First with Anonymous Reports

There has recently been a rash of similar anonymous whistleblower tips to public companies, each claiming that an unnamed company supervisor boasted about reaping profits from insider trading. The number of public companies receiving very similarly worded anonymous reports suggests that they may be hoaxes. While the apparent scheme's ultimate goal is unclear, one theory is that these reports are the first step in a campaign to deliver ransomware or facilitate other forms of cyberattack. Companies should therefore be very cautious about engaging with the sources of such anonymous complaints.

These complaints present a challenging development for ethics and compliance reporting systems, since they require companies to quickly assess whether a whistleblower report is bona fide and address issues at the intersection of ethics policies and cybersecurity controls.

A company that receives a confidential whistleblower report alleging insider trading that does not name the employee involved should consider several things:

  • The most immediate concern is determining whether the report appears to be authentic and legitimate (regardless of its merit), and not a hoax or some form of cyberattack. Anonymous submissions should be handled in accordance with the company's data and cybersecurity policies and procedures, since attached files and embedded links are potential vectors for cyberattacks. A senior IT employee should review the submission (without seeking to identify the purported whistleblower) and be consulted in connection with any engagement
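The following is an added illustration, not code from the BCLP post, of what the IT review described above can look like in practice: an intake script that pre-screens an anonymous submission before anyone on the ethics team opens an attachment or follows a link. It hashes each attachment for later reference, checks the file's magic bytes against the extension it claims, looks inside ZIP-based Office documents for a VBA project, scans PDFs for active-content directives, and flags links that use URL shorteners, raw IP addresses, or domains outside the company's own. The company domain (`example-corp.com`), the report text and the attachments are all constructed sample data.

```python
"""Pre-screen an anonymous whistleblower submission before anyone opens it.

Hypothetical helper (not from the BCLP post): hashes each attachment, checks
content type against the claimed extension, looks for macro-enabled Office
files and executables, and flags links that do not point at the company's own
domain. All sample inputs below are constructed.
"""
import hashlib
import io
import re
import zipfile
from urllib.parse import urlparse

COMPANY_DOMAINS = {"example-corp.com"}  # assumption: the receiving company's domains
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk", "msi"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
URL_RE = re.compile(r'https?://[^\s<>"\'()]+', re.IGNORECASE)


def inspect_attachment(name: str, data: bytes) -> dict:
    """Return the sha256 and a list of risk indicators for one attachment."""
    findings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
    if len(parts) > 2 and ext in EXECUTABLE_EXTS:
        findings.append("double extension hiding an executable")
    if ext in MACRO_EXTS:
        findings.append("macro-enabled Office extension")

    # Check the bytes, not just the name: the extension is attacker-controlled.
    if data.startswith(b"MZ"):
        findings.append("PE executable header (MZ)")
        if ext not in {"exe", "dll", "scr", "com"}:
            findings.append("content type does not match extension")
    elif ext == "pdf" and not data.startswith(b"%PDF-"):
        findings.append("claims to be PDF but lacks %PDF- header")
    elif data.startswith(b"%PDF-") and re.search(rb"/(JavaScript|Launch|OpenAction)", data):
        findings.append("PDF contains active content directive")

    if data.startswith(b"PK\x03\x04"):  # ZIP container, including OOXML Office files
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            members = []
            findings.append("malformed ZIP container")
        if any(m.endswith("vbaproject.bin") for m in members):
            findings.append("Office document contains VBA macro project")
        if any("." in m and m.rsplit(".", 1)[-1] in EXECUTABLE_EXTS for m in members):
            findings.append("archive contains an executable member")

    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "findings": findings}


def inspect_links(text: str) -> list:
    """Flag every URL in the report body that a reviewer should not click blindly."""
    flagged = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if host in URL_SHORTENERS:
            reasons.append("URL shortener hides destination")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address host")
        if host and not any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS):
            reasons.append("external domain")
        if reasons:
            flagged.append({"url": url, "host": host, "reasons": reasons})
    return flagged


def triage(report_text: str, attachments: list) -> dict:
    """Combine link and attachment checks into a verdict for the intake team."""
    att = [inspect_attachment(n, d) for n, d in attachments]
    links = inspect_links(report_text)
    risky = any(a["findings"] for a in att) or bool(links)
    # "quarantine": hand to IT security before anyone opens anything;
    # "review": no automated indicators, proceed under normal intake policy.
    return {"verdict": "quarantine" if risky else "review", "attachments": att, "links": links}


def _macro_workbook() -> bytes:
    """Constructed minimal OOXML-style ZIP carrying a VBA project (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample submission: a hoax-style tip with a shortened link and
# three attachments, one disguised executable, one macro workbook, one benign PDF.
SAMPLE_REPORT = (
    "A supervisor in treasury boasted about profits from trading ahead of the "
    "earnings release. Proof here: http://bit.ly/abc123 and "
    "https://hr.example-corp.com/policy"
)
SAMPLE_ATTACHMENTS = [
    ("evidence.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("trades.xlsm", _macro_workbook()),
    ("memo.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, SAMPLE_ATTACHMENTS)
    print("verdict:", result["verdict"])
    for a in result["attachments"]:
        print(a["name"], a["sha256"][:16], a["findings"])
    for link in result["links"]:
        print(link["url"], link["reasons"])
```

The script only reads bytes and ZIP directory entries; it never renders or executes anything, so it is safe to run on the raw submission. A "quarantine" verdict means the material goes to IT security for detonation in an isolated environment before the ethics team engages with it, which keeps the whistleblower-anonymity requirement (no attempt to identify the sender) separate from the malware question.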

Anti-Money Laundering Continues to be Among the Highest Regulatory Priorities, As Evidenced by Recent Enforcement Cases and Releases

For the past decade, anti-money laundering ("AML") has been at the forefront of securities regulators' priorities. Indeed, AML enforcement cases have resulted in some of the highest fines imposed by securities regulators, and even the most cursory review of SEC and FINRA annual examination priorities letters reveals AML-related concerns in virtually every one of them over the past 10 years. Based on recent enforcement actions and regulatory pronouncements, this focus will remain top of mind for regulators and, given the relationship between AML and other headline topics such as cybersecurity and fraud, broker-dealers should anticipate that future examinations and other regulatory inquiries will focus heavily on AML-related issues. Securities regulators continue to emphasize that any reasonable AML program must be risk-based, and firms should consider periodically conducting a 360° assessment of their AML risks (beyond the annual independent AML testing required by FINRA Rule 3310(c)). At bottom, broker-dealers should be aware of, and nimble in responding to, cybersecurity and other fraud-related developments, and be prepared to modify their AML program in light of their own risk assessments and material developments in the regulatory landscape.


SEC alerts public companies of increase in sophisticated ransomware attacks

The SEC's Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on July 10 about an apparent increase in the sophistication of ransomware attacks on SEC registrants, including broker-dealers, investment advisers and investment companies, and on service providers to financial institutions.

In light of the SEC's alert and other recent cyber incidents, we encourage all public companies, financial institutions and their service providers to review their cybersecurity preparedness and operational resiliency against hacking and, in particular, ransomware attacks, consistent with the advice of OCIE and the Department of Homeland Security. This is particularly important given that OCIE once again advised financial institutions, in its 2020 Examination Priorities release, that information security is one of its top priorities.

In its risk alert, OCIE cited recent reports of one or more threat actors orchestrating phishing and other campaigns designed to penetrate financial institution networks, primarily to access internal resources and deploy ransomware, a type of malware that gives an unauthorized actor access to an institution's systems and denies the institution use of those systems (typically by encrypting data) until a ransom is paid. OCIE also noted ransomware attacks affecting service providers to public companies.

OCIE encouraged public companies and their service providers to monitor cybersecurity alerts published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), including the alert published on June 30, 2020, relating to a particular malware focused on financial institutions and their customers.

The OCIE alert noted that information security is a key risk area on

The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.