Published on May 24th, 2022

Settlement In Cybersecurity-Related False Claims Act Case, Europe Releases Hardened Directives, And CISA Warns Of Looming Cyberattacks – Security

Aerojet Offers Insight into the Financial and Legal Risks of Cybersecurity in DFARS

On April 26, Aerojet Rocketdyne settled the first-of-its-kind
cybersecurity-focused False Claims Act (FCA) case for $9 million,
in addition to other undisclosed payments. As we mentioned
in a previous Cybersecurity Law Snapshot,
United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.
involved the cybersecurity requirements outlined in the
Defense Federal Acquisition Regulations Supplement (DFARS). Aerojet
stood accused of misrepresenting its compliance with the DFARS § 252.204-7012 cybersecurity
requirements through allegedly false claims and insufficient,
partial disclosure of its compliance shortfalls. This case was the
first instance in which a court found that a failure to comply with
cybersecurity regulations could serve as the basis for an FCA
suit.

While the settlement cut short a full-fledged holding on this
particular case, the Department of Justice (DOJ) has already hinted
that this will be the first in a new string of FCA crackdowns.
Accordingly, there are a few critical takeaways, particularly from
the DOJ's statement of interest, that clients involved in
government contracts should remain mindful of:

  • Non-compliance with the cybersecurity requirements can
    be considered material to the government's decision to enter into a
    contract;
  • Partial disclosure of non-compliance will likely be
    insufficient;
  • Identifying industry-wide compliance problems does not excuse
    misrepresentations or partial disclosure; and
  • The government's existing knowledge of non-compliance will
    not excuse misrepresentations.

Companies that contract or are contemplating contracting with
the federal government should review the cybersecurity disclosures,
maintain thorough documentation of their compliance, and consider
whether any contracting procedures should be updated.

Europe: The Cyber-Regulator that Keeps on Giving

Earlier this month, the European Parliament announced that it had reached a provisional
agreement on new cybersecurity regulations for public and private
entities in the European Union. The new directive, called NIS2, is designed to expand the existing
rules on network and information system security to cover medium
and large entities across an even wider array of industry sectors.
While we are still awaiting confirmation of whether the agreement carries any
revisions from the original NIS2 proposal, we are likely to see
a range of new cybersecurity requirements for covered entities.
Currently, NIS2 is likely to impact an organization's
cybersecurity policies in the following areas: business continuity
and crisis management, incident handling, testing and auditing,
encryption, and standardization of network and information system
specifications. Additionally, the directive is poised to
introduce new reporting requirements, including a requirement to
report certain cybersecurity incidents within 24 hours of
becoming aware of the incident.

CISA Advisories to Managed Service Providers and Blockchain Companies

Over the past few weeks, the Cybersecurity and Infrastructure
Security Agency (CISA) has issued cyber awareness warnings
regarding cyberattacks against managed service providers (MSPs) and blockchain companies. CISA, alongside the
cybersecurity authorities in the United Kingdom, Australia, Canada,
and New Zealand, warns MSPs that malicious actors are exploiting
vulnerable devices and internet-facing services to compromise
provider-customer networks. Similarly, CISA warns
that North Korean cyber actors are deploying a wide array of
tactics to target vulnerabilities in blockchain technology to
acquire cryptocurrency and intellectual property, as well as
to otherwise target financial assets.

To safeguard against these attacks, CISA encourages companies to
take the following steps:

  • Identify and disable network accounts that are no longer in
    use;
  • Train employees on social engineering and phishing;
  • Enforce application security and utilize file verification
    software and procedures;
  • Implement and enforce multifactor authentication;
  • Apply the principle of least privilege throughout your systems;
    and
  • Perform an incident response and recovery exercise.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
