Global Crisis Management Series:  This post is part 9 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) goes further than other statutes in providing protection to whistleblowers.  In addition to broadening prohibitions against retaliation, the Securities and Exchange Commission (“SEC”) promulgated Rule 21F-17 to ensure companies could not interfere with an individual’s efforts to raise concerns and communicate directly with the SEC.[1]

SEC Rule 21F–17(a) prohibits any person from “imped[ing] an individual from communicating directly with the [SEC] about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.”[2]  Following a series of enforcement actions in 2015 and 2016, the Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert urging companies to evaluate whether their confidentiality and non-disclosure agreements, among other internal documentation, contained provisions that were inconsistent with Rule 21F–17.[3]  Companies can implement a few simple best practices to ensure compliance with Rule 21F–17.

Enforcement of Rule 21F–17 (In re KBR, Inc.)

In April 2015, the SEC initiated its first enforcement action arising from a company’s alleged violation of Rule 21F–17.[4]  KBR, Inc., a global defense contractor, was charged with violating Rule 21F–17 for its use of a confidentiality agreement that could have the effect of preventing employees from disclosing concerns directly to the SEC.

As part of its compliance program, KBR internally reviewed complaints regarding potential illegal conduct by its employees.[5]  When conducting interviews for the investigation, KBR would at times require witnesses to sign confidentiality agreements that precluded them from disclosing the facts underlying the investigation to anyone, absent consent from KBR’s legal department.  Any unauthorized disclosure, according to the agreement, could result in disciplinary action, including termination of employment.  Similarly prohibitive language was included in the company’s Code of Business Conduct Investigation Procedures manual.

Even though there was no specific instance in which KBR actually discouraged employees from communicating with the SEC, the SEC determined that the blanket prohibition “has a potential chilling effect on whistleblowers’ willingness to report illegal conduct to the SEC.”[6]  Moreover, the language “undermines the purpose of Section 21F and Rule 21F–17(a), which is to ‘encourag[e] individuals to report to the Commission.’”[7]

Under the terms of the settlement, KBR agreed to, among other things, amend its standard form confidentiality agreement to make explicit that the agreement did not prevent individuals from reporting possible violations of federal law to governmental agencies or entities.

SEC Guidance and Best Practices for Drafting Confidentiality and Non-Disclosure Agreements

Following several additional settled enforcement actions related to Rule 21F–17, many of which took similarly aggressive readings of 21F–17, OCIE issued a Risk Alert notifying companies that it would conduct a review of “compliance manuals, codes of ethics, employment agreements, and severance agreements to determine whether provisions in those documents pertaining to confidentiality of information and reporting of possible securities law violations may raise concerns under Rule 21F-17.”[8]

Specifically, OCIE identified provisions within confidentiality and other agreements that “contained language that, by itself or under the circumstances in which the agreements were used, impeded employees and former employees from communicating with the Commission concerning possible securities law violations.”[9]  In light of OCIE’s renewed focus on Rule 21F–17, companies should review their confidentiality and non-disclosure agreements—as well as compliance manuals—to remove language that the SEC identified as problematic and should incorporate other lessons from the SEC’s guidance.

Companies should explicitly state in policies and agreements that employees are not precluded from reporting potential violations of law to governmental regulators or providing information regarding the same.  Nor should companies attempt to set limits on the types of information that can be shared with the SEC.  The SEC warned against provisions that permit disclosures only insofar as required by law “without any exception for voluntary communications” with the SEC.[10]

Companies should also make clear that employees need not seek permission to communicate with the SEC before doing so.  As the SEC stated in In re KBR, it takes the position that pre-notification requirements before contacting the SEC “potentially discourage[] employees from reporting securities violations.”[11]

Finally, companies should not limit an employee’s right to receive monetary awards from government agencies as a result of making disclosures, such as through Dodd-Frank’s award program.  In two enforcement matters following KBR, the SEC found that provisions in severance agreements requiring employees to waive their right to whistleblower awards violated Rule 21F–17.[12]  Such provisions had a chilling effect on employees’ willingness or interest in reporting concerns to the SEC.

Companies should review their compliance manuals, codes of ethics, employment agreements, severance agreements, and other documents to ensure that they do not contain language that could be viewed as inconsistent with Rule 21F–17.  Keeping in mind OCIE’s recent guidance could help avoid costly and burdensome regulatory inquiries.

[1] 15 U.S.C. § 78u-6(j).

[2] 17 C.F.R. § 240.21F–17(a).

[3] Office of Compliance Inspections and Examinations, Examining Whistleblower Rule Compliance (Oct. 24, 2016) (“OCIE Guidance”).

[4] SEC, Companies Cannot Stifle Whistleblowers in Confidentiality Agreements (Apr. 1, 2015).

[5] KBR, Inc., Exchange Act Release No. 74619, 2015 WL 1456619 (Apr. 1, 2015).

[6] SEC, Companies Cannot Stifle Whistleblowers in Confidentiality Agreements (Apr. 1, 2015).

[7] KBR, Inc., Exchange Act Release No. 74619, 2015 WL 1456619 (Apr. 1, 2015).

[8] OCIE Guidance at 1.

[9] Id. at 1-2.

[10] Id. at 3.

[11] SEC, Companies Cannot Stifle Whistleblowers in Confidentiality Agreements (Apr. 1, 2015).

[12] Health Net, Inc., Exchange Act Release No. 78590, 2016 WL 4474755 (Aug. 16, 2016); BlueLinx Holdings Inc., Exchange Act Release No. 78528, 2016 WL 4363864 (Aug. 10, 2016).