The SEC Whistleblower Program and Non-Disclosure Agreements (NDAs)

Non-disclosure agreements (NDAs) are commonly found in employment, severance, and settlement contracts. However, under a SEC Whistleblower Program rule, NDAs may not obstruct an individual’s right to report potential securities violations to the Commission.

NDAs which restrict the rights of individuals to blow the whistle to the SEC are not only unenforceable, they are also illegal. The SEC has made cracking down on restrictive NDAs an enforcement priority.

“Whether it’s in your employment contracts, settlement agreements or elsewhere, you simply cannot include provisions that prevent individuals from contacting the SEC with evidence of wrongdoing,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

The SEC’s Rule 21F-17(a) was enacted following the passage of the Dodd-Frank Act and the creation of the SEC Whistleblower Program in 2010.

The rule prohibits any person from “tak[ing] any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.”

In practice this means that NDAs cannot prohibit individuals from blowing the whistle on possible securities law violations to the SEC.

For example, an employee of a broker-dealer may have to sign a contract which stipulates they cannot share information about the company with regulators with first consulting with the company’s legal department. However, if this employee has information on a possibles securities law violation they have the right to contact the SEC directly with their concerns, the company cannot impose any restrictions on this right.

§ 240.21F-17 Staff communications with individuals reporting possible securities law violations.

(a) No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement (other than agreements dealing with information covered by § 240.21F-4(b)(4)(i) and § 240.21F-4(b)(4)(ii) of this chapter related to the legal representation of a client) with respect to such communications.

(b) If you are a director, officer, member, agent, or employee of an entity that has counsel, and you have initiated communication with the Commission relating to a possible securities law violation, the staff is authorized to communicate directly with you regarding the possible securities law violation without seeking the consent of the entity’s counsel.

In enforcing Rule 21F-17(a), the SEC has found illegal language in:

• Severance or separation agreements
• Employee contracts
• Settlement agreements
• Compliance manuals

Language in the various types of contracts found to violate Rule 21F-17(a) has included:

• Requiring the prior consent of the company before disclosing confidential information to regulators (
• Preventing the employee from initiating contact with regulators
• Requiring the employee to waive their right to awards from whistleblowing award programs
• Including a “non-disparagement clause” that specifically included the SEC as a party the employee could not “disparage” the company to
• Requiring the employee to inform the company soon after reporting information to the SEC

On behalf of whistleblower Harry Barko, Kohn, Kohn & Colapinto filed a complaint with the SEC alleging that Kellogg Brown & Root (KBR) was forcing employees to sign restrictive NDAs as part of the company’s alleged “compliance” program. Kohn, Kohn & Colapinto requested that the SEC take action in the matter.

On April 1, 2015 the SEC announced an enforcement action against KBR, the first action taken against a company for language in NDAs that restricted whistleblowing. KBR was forced to pay a $130,000 penalty and agreed to cease this practice.

A landmark decision, the SEC’s KBR decision set the precedent that has been widely followed thereafter. The SEC has sanctioned numerous other companies based on the principles found in Barko-initiated enforcement action.

While the SEC took its first enforcement action for a Rule 21F-17(a) violation in 2015, beginning in 2023, the Commission has increased its enforcement efforts around the issue.

In September 2023, the SEC fined Monolith Resources LLC, a privately held energy and technology company, $225,000 for Rule 21F-17(a) violations. The SEC alleged that twenty-two former employees of Monolith signed separation agreements which required former employees to waive their right to claim monetary awards from government whistleblower programs. Notably, this was the first Rule 21F-17(a) action taken against a privately held company.

Also in September 2023, the SEC fined the investment advisor D. E. Shaw $10 million for Rule 21F-17(a) violations. According to the SEC, D.E. Shaw required “new employees to sign agreements that prohibited them from disclosing confidential information to anyone outside the company unless authorized by D.E. Shaw or required by law or court order” and requiring “approximately 400 of its departing employees to sign releases affirming that they had not filed any complaints with any governmental agency, department, or official in order for them to receive deferred compensation and other benefits sometimes worth millions of dollars.”

In January 2024, JP Morgan agreed to pay the SEC $18 million to settle allegations of Rule 21F-17(a) violations. According to the SEC, “from March 2020 through July 2023, JPMS regularly asked retail clients to sign confidential release agreements if they had been issued a credit or settlement from the firm of more than $1,000. The agreements required the clients to keep confidential the settlement, all underlying facts relating to the settlement, and all information relating to the account at issue. In addition, even though the agreements permitted clients to respond to SEC inquiries, they did not permit clients to voluntarily contact the SEC.’