Avoiding the Whistleblower Pitfall: Updating Agreements Before Regulators—or Plaintiffs—Do It for You

Companies have learned, some the hard way, that even standard confidentiality or separation agreements can violate whistleblower protections if they lack explicit carve-outs for reporting to regulators. Combined with the rise of plaintiff-driven “mootness fee” demands, companies would be wise to ensure that well-intentioned agreements don’t become costly enforcement or litigation triggers. In this week’s blog, my colleague, Lenin Lopez, discusses these risks as well as suggested steps companies can take to limit the risk of their agreements coming back to bite them. —Priya Huskins

Even before a whistleblower claim is made, some companies have learned that well-intentioned agreements, like employment, separation, or commercial agreements, can make them targets of regulator enforcement for discouraging whistleblowing.

Over the years, the US Securities and Exchange Commission (SEC) has been at the forefront of holding companies accountable for maintaining agreements or policies that they view as discouraging whistleblowing. At the same time, a recent expansion by the US Department of Justice (DOJ) of its whistleblower program, combined with plaintiffs’ firm tactics, is creating a multidimensional risk landscape.

This article will explain why companies would be wise to review their agreements, policies, and templates to avoid falling into this whistleblower pitfall. Waiting for a regulator or a demand letter to surface the issue can be costly, as well as an unnecessary distraction.

Federal Whistleblower Program Pitfalls

Federal whistleblower programs are generally focused on encouraging individuals to report specific, timely, and credible information about possible abuse and violations of certain laws. In exchange, these individuals can receive financial rewards if their information leads to successful enforcement actions.

Agencies like the SEC, DOJ, Internal Revenue Service, and the Commodity Futures Trading Commission each have their own flavor of whistleblower program. An underlying theme is that these agencies generally view the ability of individuals to report misconduct as vital to their enforcement missions and will take companies to task if they are determined to have discouraged reporting.

In that spirit, and since the SEC has been the most active agency in imposing fines on companies for problematic language that could or has discouraged whistleblowing, we’ll discuss the SEC’s whistleblower program and lessons learned from recent enforcement actions.

The SEC’s Whistleblower Program: One [Program] to Rule Them All?

While the SEC’s whistleblower program wasn’t the first federal whistleblower program, it has been at the center of most whistleblower-related headlines since it came on the scene as part of the 2010 Dodd-Frank Act. For trivia buffs, the honor of first US whistleblower program generally goes to the False Claims Act.

The SEC views the ability of insiders, like employees, to report misconduct as vital to its enforcement mission. One of the rules that the SEC relies on to enforce its authority is found under Rule 21F-17 of the Securities Exchange Act, which reads:
No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement (other than [certain specified] agreements … related to the legal representation of a client) with respect to such communications.

This rule has evolved into a strict liability framework. That is, the SEC doesn’t need evidence that an employee was deterred from communicating with the SEC as a function of restrictive language in a particular agreement. The restrictive language alone can constitute a violation.

SEC Enforcement Trends and Language That Triggers Enforcement

In recent years, the SEC has expanded its focus on ferreting out violations of whistleblower protections beyond public companies. The SEC’s focus now includes private companies and funds whose agreements could chill reporting. And it isn’t just employment and severance agreements that have gotten companies into hot water: consulting agreements and customer agreements have been a part of these enforcement actions.

In 2023 and 2024 alone, the SEC imposed several notable penalties for whistleblower-impeding language—sometimes drawn from contracts that had never been enforced and were already revised by the time of settlement. The combined penalties for these types of matters from 2023 to 2024 were notable: $90 million. (Note, however, that the SEC’s 2025 fiscal year only included one settlement related to a violation of whistleblower protections under Rule 21F-17.)

It isn’t just civil penalties. As part of these types of settlements, companies have been required to:

  • Cease and desist from using agreements and/or policies that violate Rule 21F-17
  • Make reasonable efforts to contact former employees who signed offending agreements
  • Provide former employees with an internet link to the SEC order
  • Advise former employees that they aren’t prohibited from speaking with or seeking and obtaining a whistleblower award from the SEC

Across recent settlements, the SEC has highlighted several recurring provisions that can violate—or risk violating—Rule 21F-17:

  • Confidentiality clauses that prohibit disclosure of “company information” without a clear carve-out for reporting to the SEC or other regulators
  • Non-disparagement clauses that could be interpreted as discouraging reports of potential misconduct
  • Waivers of monetary recovery, common in severance or settlement agreements
  • Internal reporting requirements, compelling employees to notify the company before speaking with regulators

The SEC’s reasoning is straightforward: even if unenforced by a company, the mere existence of these provisions can discourage an employee’s willingness to communicate with the agency. It’s also important to remember that the SEC isn’t just focused on current agreements. Rather, the agency has taken a particular interest in legacy documents. So even if a company has revised its templates, unamended historical agreements and contracts may still expose it to liability.

What’s clear from these enforcement actions is that companies should view this risk holistically. Whistleblower protection provisions shouldn’t just find their way into employment-related agreements, but also into customer and commercial agreements where confidentiality obligations are routine.

Plaintiff Litigation Risk: A Secondary Wave of Exposure?

The plaintiff litigation risk associated with companies infringing on whistleblower protections is a tale as old as time—or at least since 2017, when we last highlighted the risk.

Plaintiffs’ firms know how to review public company filings and filed agreements to identify provisions they believe could discourage whistleblowing. When they find such provisions, some of those firms issue demand letters on behalf of shareholders. The letters effectively urge these companies to amend the offending provisions. For their troubles, and in exchange for safeguarding shareholder rights, these plaintiffs’ firms request attorneys’ fees.

Takeaway here: the plaintiffs’ bar is vigilant, and enforcement risk isn’t limited to regulators alone.

D&O Insurance: Will it Respond?

When the SEC—or opportunistic plaintiffs—scrutinizes the confidentiality or employment language in your agreements, it’s worth engaging your D&O insurance broker early to assess how potential inquiries might be treated under your policies.

Coverage will generally turn on the source and nature of the action. For instance, investigations directed at the corporate entity itself are often not covered under many D&O policies—but there are an increasing number of exceptions (and in some cases, companies may have arranged a standalone investigation coverage policy). Contrast that to most well-structured public company D&O insurance programs, where coverage is extended to individual directors or officers responding to SEC inquiries. Understanding those distinctions in advance can make a significant difference in managing the financial and operational fallout from a whistleblower-related enforcement issue.

Reviewing Agreements: What Companies Should Be Doing Now

To mitigate risk, companies would be wise to implement a structured contract review that incorporates the following elements:

  1. Identify all templates that include confidentiality, cooperation, or disclosure restrictions—such as employment, consulting, vendor, and separation agreements.
  2. Add explicit whistleblower carve-outs, confirming that nothing restricts an individual from communicating with any regulator or receiving a whistleblower award.
  3. Standardize language across all templates to avoid inconsistencies.
  4. Educate internal teams, especially human resources, commercial, and procurement, about the prohibition of restrictive language.
  5. Document the process—this helps ensure that the company is taking a holistic view in its efforts.

On the last point, documentation is critical. When regulators or investors assess a company’s compliance culture, a record of ongoing review and remediation demonstrates intent, structure, and accountability—the key elements of effective governance.

This review effort may not be a one-time affair. Additional inflection points may warrant another review, such as the diligence process when acquiring another company.

Parting Thoughts

For companies, boilerplate contract provisions shouldn’t be treated as throwaway administrative details. The SEC enforcement actions focused on whistleblower protections discussed above are proof of that. Another thing to keep in mind is that these enforcement actions aren’t just about protecting whistleblowers—they’re about whether a company’s agreements, policies, and templates support a culture of transparency consistent with SEC and other federal agency expectations.

Disclaimer: The views expressed in this publication are solely those of the author; they do not necessarily reflect the views of AJG. Further, the information contained herein is offered as general industry guidance regarding current market risks, available coverages, and provisions of current federal and state laws and regulations. It is intended for informational and discussion purposes only. This publication is not intended to offer financial, tax, legal or client-specific insurance or risk management advice. No attorney-client or broker-client relationship is or may be created by your receipt or use of this material or the information contained herein. We are not obligated to provide updates on the information contained herein, and we shall have no liability to you arising out of this publication. Woodruff Sawyer, a Gallagher Company, CA Lic. #0329598