
"Investigations into alleged violations of cybersecurity requirements under the federal civil False Claims Act (FCA) and its state analogues are increasingly an area of focus for the U.S. Department of Justice (DOJ), state attorneys general and whistleblowers (known as qui tam plaintiffs or relators under the FCA). We expect a continued uptick in enforcement activity, leading to elevated risk and additional potential financial exposure for companies subject to government cybersecurity requirements."
"For example, when the Pentagon's new Cybersecurity Maturity Model Certification (CMMC) regulations go into effect on November 10, 2025, they will remove certain flexibility currently afforded to contractors that handle controlled unclassified information (CUI); contractors will be required to fully implement required cybersecurity controls, undergo additional assessments - including third party assessments in some instances - to validate implementation of these controls and periodically self-attest to the government that they have implemented and will continue to maintain compliance with all applicable requirements for CMMC status."
"More generally, the U.S. government has been working for many years on a rule that would impose rigorous cybersecurity controls for CUI on contractors to most federal agencies. Although some agencies already impose cybersecurity requirements, if implemented this rule will apply across the government and will likely increase the number of companies that must comply with these types of rigorous cybersecurity obligations."
Investigations into alleged violations of cybersecurity requirements under the federal civil False Claims Act (FCA) and state analogues are increasing. The Department of Justice, state attorneys general and whistleblowers are pursuing these cases. Increased enforcement activity elevates compliance risk and potential financial exposure for companies subject to government cybersecurity requirements. Federal, state and local governments are imposing stricter cybersecurity contract requirements that apply to a broader set of contractors. The Pentagon's Cybersecurity Maturity Model Certification (CMMC) will require full implementation of controls, additional assessments including third-party assessments, and periodic self-attestations beginning November 10, 2025. A government-wide rule for CUI would expand rigorous controls across agencies.
Read at Nextgov.com