Author: Lenin Lopez

Companies have learned, some the hard way, that even standard confidentiality or separation agreements can violate whistleblower protections if they lack explicit carve-outs for reporting to regulators. Combined with the rise of plaintiff-driven "mootness fee" demands, companies would be wise to ensure that well-intentioned agreements don't become costly enforcement or litigation triggers. In this week's blog, my colleague, Lenin Lopez, discusses these risks as well as suggested steps companies can take to limit the risk of their agreements coming back to bite them. — Priya Huskins

Even before a whistleblower claim is made, some companies have learned that well-intentioned agreements, like employment, separation or commercial agreements, can make them targets of regulator enforcement for discouraging whistleblowing.

Over the years, the US Securities and Exchange Commission (SEC) has been at the forefront of holding companies accountable for maintaining agreements or policies that they view as discouraging whistleblowing. At the same time, a recent expansion by the US Department of Justice (DOJ) of its whistleblower program,[1] combined with plaintiffs' firm tactics, is creating a multidimensional risk landscape.

This article will explain why companies would be wise to review their agreements, policies and templates to avoid falling into this whistleblower pitfall. Waiting for a regulator or a demand letter to surface the issue can be costly, as well as an unnecessary distraction.

Federal whistleblower program pitfalls

Federal whistleblower programs are generally focused on encouraging individuals to report specific, timely and credible information about possible abuse and violations of certain laws. In exchange, these individuals can receive financial rewards if their information leads to successful enforcement actions.

Agencies like the SEC,[2] DOJ,[3] Internal Revenue Service (IRS)[4] and Commodity Futures Trading Commission[5] each have their own flavor of whistleblower program. An underlying theme is that these agencies generally view the ability of individuals to report misconduct as vital to their enforcement missions and will take companies to task if they're determined to have discouraged reporting.

In that spirit, and since the SEC has been the most active agency in imposing fines on companies for problematic language that could or has discouraged whistleblowing, we'll discuss the SEC's whistleblower program and lessons learned from recent enforcement actions.

The SEC's whistleblower program: One program to rule them all?

While the SEC's whistleblower program wasn't the first federal whistleblower program, it's been at the center of most whistleblower-related headlines since it came on the scene as part of the 2010 Dodd-Frank Act. (For trivia buffs, the honor of first US whistleblower program generally goes to the False Claims Act.[6])

The SEC views the ability of insiders, such as employees, to report misconduct as vital to its enforcement mission. One of the rules that the SEC relies on to enforce its authority is found under Rule 21F-17 of the Securities Exchange Act, which reads:[7]

"No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement (other than [certain specified] agreements … related to the legal representation of a client) with respect to such communications."

This rule has evolved into a strict liability framework. That is, the SEC doesn't need evidence that an employee was deterred from communicating with the SEC as a function of restrictive language in a particular agreement. The restrictive language alone can constitute a violation.

SEC enforcement trends and language that triggers enforcement

In recent years, the SEC has expanded its focus on ferreting out violations of whistleblower protections beyond public companies.[8] The SEC's focus now includes private companies[9] and funds[10] whose agreements could chill reporting. And it isn't just employment and severance agreements that have gotten companies into hot water: consulting agreements[11] and customer agreements[12] have been a part of these enforcement actions.

In 2023[13] and 2024[12] alone, the SEC imposed several notable penalties for whistleblower-impeding language — sometimes drawn from contracts that had never been enforced and were already revised by the time of settlement. The combined penalties for these types of matters from 2023 to 2024 were notable: $90 million. (Note, however, that the SEC's 2025 fiscal year included only one settlement related to a violation of whistleblower protections under Rule 21F-17.[10])

It isn't just civil penalties. As part of these types of settlements, companies have been required to:

  • Cease and desist from using agreements and/or policies that violate Rule 21F-17.
  • Make reasonable efforts to contact former employees who signed offending agreements.
  • Provide former employees with an internet link to the SEC order.
  • Advise former employees that they aren't prohibited from speaking with or seeking and obtaining a whistleblower award from the SEC.

Across recent settlements, the SEC has highlighted several recurring provisions that can violate — or risk violating — Rule 21F-17:

  • Confidentiality clauses that prohibit disclosure of "company information" without a clear carve-out for reporting to the SEC or other regulators
  • Non-disparagement clauses that could be interpreted as discouraging reports of potential misconduct
  • Waivers of monetary recovery, common in severance or settlement agreements
  • Internal reporting requirements, compelling employees to notify the company before speaking with regulators

The SEC's reasoning is straightforward: even if unenforced by a company, the mere existence of these provisions can discourage an employee's willingness to communicate with the agency. It's also important to remember that the SEC isn't just focused on current agreements. Rather, the agency has taken a particular interest in legacy documents. So even if a company has revised its templates, unamended historical agreements and contracts may still expose it to liability.

What's clear from these enforcement actions is that companies should view this risk holistically. Whistleblower protection provisions shouldn't just find their way into employment-related agreements, but also into customer and commercial agreements where confidentiality obligations are routine.

Plaintiff litigation risk: A secondary wave of exposure?

The plaintiff litigation risk associated with companies infringing on whistleblower protections is a tale as old as time.

Plaintiffs' firms know how to review public company filings and filed agreements to identify provisions they believe could discourage whistleblowing. When they find such provisions, some of those firms issue demand letters on behalf of shareholders. The letters effectively urge these companies to amend the offending provisions. For their troubles, and in exchange for safeguarding shareholder rights, these plaintiffs' firms request attorneys' fees.

Takeaway here: The plaintiffs' bar is vigilant, and enforcement risk isn't limited to regulators alone.

Directors and Officers insurance: Will it respond?

When the SEC — or opportunistic plaintiffs — scrutinizes the confidentiality or employment language in your agreements, it's worth engaging your Directors and Officers (D&O) insurance broker early to assess how potential inquiries might be treated under your policies.

Coverage will generally turn on the source and nature of the action. For instance, investigations directed at the corporate entity itself are often not covered under many D&O policies — but there are an increasing number of exceptions (and in some cases, companies may have arranged a standalone investigation coverage policy). Contrast that to most well-structured public company D&O insurance programs, where coverage is extended to individual directors or officers responding to SEC inquiries.

Understanding those distinctions in advance can make a significant difference in managing the financial and operational fallout from a whistleblower-related enforcement issue.

Reviewing agreements: What companies should be doing now

To mitigate risk, companies would be wise to implement a structured contract review that incorporates the following elements:

  1. Identify all templates that include confidentiality, cooperation, or disclosure restrictions — such as employment, consulting, vendor and separation agreements.
  2. Add explicit whistleblower carve-outs, confirming that nothing restricts an individual from communicating with any regulator or receiving a whistleblower award.
  3. Standardize language across all templates to avoid inconsistencies.
  4. Educate internal teams, especially human resources, commercial and procurement, about the prohibition of restrictive language.
  5. Document the process to help ensure that the company is taking a holistic view in its efforts.

On the last point, documentation is critical. When regulators or investors assess a company's compliance culture, a record of ongoing review and remediation demonstrates intent, structure and accountability — the key elements of effective governance.

This review effort may not be a one-time affair. Additional inflection points may warrant another review, such as part of the diligence process of acquiring another company.

Parting thoughts

For companies, boilerplate contract provisions shouldn't be treated as throwaway administrative details. The SEC enforcement actions focused on whistleblower protections discussed above are proof of that. Another thing to keep in mind is that the issue isn't just about protecting whistleblowers; it's about whether a company's agreements, policies and templates support a culture of transparency consistent with SEC and other federal agency expectations.

Published November 2025

Sources

[1] James, Lea Gulotta et al. "DOJ Criminal Division Updates (Part 2): Department of Justice Updates its Corporate Criminal Whistleblower Awards Pilot Program," Foley, 15 May 2025.

[2] "Whistleblower Program," US Securities and Exchange Commission, no date.

[3] "Criminal Division Corporate Whistleblower Awards Pilot Program," US Department of Justice Criminal Division, updated 12 May 2025.

[4] "Whistleblower Office," Internal Revenue Service, updated 17 Oct 2025.

[5] "The Whistleblower Program," Commodity Futures Trading Commission, updated 27 Jan 2026.

[6] "False Claims Act," US Department of Justice Civil Division, updated 15 Jan 2026.

[7] "§ 240.21F-17 Staff Communications With Individuals Reporting Possible Securities Law Violations," Code of Federal Regulations, 29 Jan 2026.

[8] "SEC Charges Seven Public Companies With Violations of Whistleblower Protection Rule," US Securities and Exchange Commission, 9 Sep 2024.

[9] "Securities Exchange Act of 1934 Release No. 98322," US Securities and Exchange Commission, 8 Sep 2025. PDF file.

[10] "SEC Charges Two Sigma for Failing to Address Known Vulnerabilities in Its Investment Models," US Securities and Exchange Commission, 16 Jan 2025.

[11] "Securities Exchange Act of 1934 Release No. 100975," US Securities and Exchange Commission, 9 Sep 2024. PDF file.

[12] "J.P. Morgan to Pay $18 Million for Violating Whistleblower Protection Rule," US Securities and Exchange Commission, 16 Jan 2024.

[13] "SEC Steps Up Enforcement of Rule 21F-17 Whistleblower Protections," DLA Piper, 12 Dec 2023.


Disclaimer

The views expressed in this publication are solely those of the author; they do not necessarily reflect the views of AJG. Further, the information contained herein is offered as general industry guidance regarding current market risks, available coverages, and provisions of current federal and state laws and regulations. It is intended for informational and discussion purposes only. This publication is not intended to offer financial, tax, legal or client-specific insurance or risk management advice. No attorney-client or broker-client relationship is or may be created by your receipt or use of this material or the information contained herein. We are not obligated to provide updates on the information contained herein, and we shall have no liability to you arising out of this publication. Woodruff Sawyer, a Gallagher Company, CA Lic. #0329598