Aerojet Offers Insight into the Financial and
Legal Risks of Cybersecurity in DFARS
On April 26, Aerojet Rocketdyne settled the first-of-its-kind cybersecurity-focused False Claims Act (FCA) case for $9 million dollars, in addition to other undisclosed payments. As we mentioned in a previous Cybersecurity Law Snapshot, United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc. involved the cybersecurity requirements outlined in the Defense Federal Acquisition Regulations Supplement (DFARS). Aerojet stood accused of misrepresenting its compliance with the DFARS § 252.204-7012 cybersecurity requirements through allegedly false claims and insufficiently partial disclosure of compliance shortfalls. This case was the first instance in which a court found that a failure to comply with cybersecurity regulations could serve as the basis for an FCA suit.
While the settlement cut short a full-fledged holding on this particular case, the Department of Justice (DOJ) has already hinted that this will be the first in a new string of FCA crackdowns. Accordingly, there are a few critical takeaways, particularly from the DOJ's statement of interest, that clients involved in government contracts should remain mindful of:
· Non-compliance with the cybersecurity requirements can be considered a material cause for the government to enter into a contract;
- Partial disclosure of non-compliance will likely be insufficient;
- Identifying industry compliance problems does not excuse misrepresentations or partial disclosure; and
- The government's existing knowledge of non-compliance will not excuse misrepresentations.
Companies that contract or are contemplating contracting with the federal government should review the cybersecurity disclosures, maintain thorough documentation of their compliance, and consider whether any contracting procedures should be updated.
Europe: The Cyber-Regulator that Keeps on Giving
Earlier this month, the European Parliament announced that they had reached a provisional agreement on new cybersecurity regulations for public and private entities in the European union. The new directives, called NIS2, are designed to expand the existing rules on network and information system security to cover medium and large entities across an even wider array of industry sectors. While we are still awaiting whether the agreement carries any revisions from the original NIS2 publication, we are likely to see a range of new cybersecurity requirements for covered entities. Currently, NIS2 is likely to impact an organization's cybersecurity policies in the following areas: business continuity and crisis management, incident handling, testing and auditing, encryption, and standardization of network and information systems specifications. Additionally, the directives are poised to introduce new reporting requirements, including a requirement to report certain cybersecurity incidents within 24 hours of being made aware of the incident.
CISA Advisories to Managed Service Providers and Block Chain Companies
Over the past few weeks, the Cybersecurity and Infrastructure Security Agency (CISA) has issued cyber awareness warnings regarding cyberattacks against managed service providers (MSPs) and blockchain companies. CISA, alongside the cybersecurity authorities in the United Kingdom, Australia, Canada, and New Zealand, warns MSPs that malicious actors engaging in an array of exploits aimed at vulnerable devices and internet services compromise their provider-customer network. Similarly, CISA warns that North Korean cyber actors are deploying a wide array of tactics to target vulnerabilities in blockchain technology to acquire cryptocurrency and intellectual property, as well as otherwise target financial assets.
To safeguard against these attacks, CISA encourages companies to take the following steps:
- Identify and disable network accounts that are no longer in use;
- Train employees on social engineering and phishing;
- Enforce application security and utilize file verification software and procedures;
- Implement and enforce multifactor authentication;
- Apply the principle of least privilege through your system; and
- Perform an incidence response and recovery exercise.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.