Five months after the U.S. Department of Justice announced its Cyber Fraud Initiative, the DOJ announced its first settlement. Pursuant to the terms of its agreement with the DOJ, Comprehensive Health Services LLC will pay $930,000 to resolve, among other things, its violation of the False Claims Act.
There are compliance lessons to be drawn from this milestone settlement, and compliance officers would be wise to think proactively about any changes they must make in the wake of this development:
Accountability is key for the DOJ. The DOJ is serious about cyber fraud. This settlement demonstrates the DOJ’s commitment to using civil enforcement tools to hold government contractors accountable for failure to follow cybersecurity standards. Given the upward trend in cyber threats and ransomware uses, this is likely to remain a top priority for the DOJ. With more DOJ scrutiny, contractors should look carefully at cybersecurity programs, assess risks, and bolster their security efforts.
Identify your risks. This indicates a need to identify and respond to risks in contractors’ cyber uses. Contractors should assess and ensure any representations made to the government on the security of information are current and correct. Reviewing cybersecurity requirements that apply to each government contract is a key first step to ensuring your company is taking proper precautions.
A check the box mentality is no longer acceptable in cybersecurity. Cybersecurity is an ongoing endeavor that should be treated as such by contractors. Notably, this settlement occurred without evidence of a cyber incident, meaning liability can exist based solely on substandard data protection practices. As cyber threats and ransomware attacks become more sophisticated, it is the responsibility of contractors to evolve and create data protection programs built to anticipate the next threat.
The best defense is a good offense. A contractor’s cybersecurity controls should be evolving to match the landscape of cyber threats. This involves bolstering and investing in cybersecurity early on to thwart threats. But cybersecurity can have simple solutions too. The simplest way for contractors to protect themselves is through cyber controls. This includes passwords, encryptions, auditing capabilities, administrative controls, training personnel, documenting policies and procedures, phishing, and spear phishing, to name a few. Tools to bolster cybersecurity are everywhere. Contractors should accept that most problems are caused by individuals and train accordingly.
If you’re in a hole, stop digging. Contractors should plan for the inevitability that they may have a cybersecurity issue — plan for the worst and hope for the best. If a contractor finds itself under DOJ scrutiny for a cyber-related incident, full cooperation with the DOJ may be critical. Contractors should face issues head-on and in good faith. Put your best foot forward by showcasing cybersecurity efforts and compliance programs. If the contractor is in a regulated industry, demonstrating compliance with a relevant agency’s standards can be helpful.
In the event of a cyber or ransomware attack, contractors become a victim too and it should be viewed as such. Make that case to the DOJ early on and strongly consider cooperating with law enforcement, including the FBI Cyber Division. Big picture, contractors should consider how they would move forward in the event of a ransomware attack and if they can get back on their feet without paying a ransom.
As current events make clear, no company is immune from cyber risks. Being proactive and aggressive to prevent and mitigate these risks will be critical in the wake of these ongoing challenges.