Since 2015, the SEC has brought nearly two dozen enforcement actions for violations of the whistleblower protection rules under Rule 21F-17(a) against employers for actions taken to impede reporting to the SEC. The bulk of these actions have focused on language in employee-facing agreements that allegedly discouraged such reporting. The SEC shows no sign of slowing down; indeed, the Commission has brought five enforcement actions in this past fiscal year alone, and the penalties imposed for these violations appear to be increasing. The settlements – and the risk they represent – serve as a reminder for companies to review their existing employment documents and internal policies, including confidentiality policies, to ensure that restrictive language is removed and that appropriate whistleblower carveout language is included. Conducting this review, and making any appropriate changes, will help ensure compliance with Rule 21F-17(a).

With more people working remotely than ever before in light of COVID-19, firms in the private equity and hedge fund space should review their Regulation S-P privacy and information-safeguarding policies to ensure they are compliant and ready for a prolonged period of remote work. In particular, in view of SEC guidance, firms should focus on several key areas including personal devices and personally identifiable information.