If you decide to take federal money, or work with regulated clients, you give up your right to scrimp on cybersecurity. Saving money might cost you a fortune.
Taking federal payments removes your ability to decide arbitrarily how much to invest in cybersecurity, because there are rules you must follow. Once you decide to work with the government, you can no longer apply your own risk tolerance and willingness to spend.
Just one disgruntled employee could turn you in for trying to save money, costing you millions of dollars in penalties while earning over a million dollars for themselves.
The federal False Claims Act (FCA) is called “Lincoln’s law” because it goes back to when contractors were defrauding the Union Army during the Civil War. Fast forward to today, and it is being weaponized by the U.S. Department of Justice (DOJ) against defense contractors, medical providers, and organizations receiving federal grants (researchers, universities, etc.) that fail to provide adequate cybersecurity as required by the Defense Federal Acquisition Regulation Supplement (DFARS), the Cybersecurity Maturity Model Certification (CMMC), the Health Insurance Portability and Accountability Act (HIPAA), the Medicare Merit-Based Incentive Payment System (MIPS), and other regulations.
When the DOJ announced its Civil Cyber-Fraud Initiative in 2021, Deputy Attorney General Lisa Monaco said, “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately.”
This enforcement initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
False Claims Act penalties include paying back THREE TIMES the government's damages (in these cases, what you received from the federal government), PLUS a civil penalty for each false claim submitted. And anyone can be a whistleblower and turn you in to earn 15% to 30% of what the government recovers. (Whistleblowers are protected by federal law against retaliation.)
For instance, if you are a doctor who receives $2 million in Medicare payments, or a defense contractor that receives $2 million in purchases, you could have to pay back $6 million (plus per-claim penalties) for failing to implement the required cybersecurity. The person turning you in could get up to $1.8 million.
Just imagine how many people know that you fail to adequately secure data. How many know you decline cybersecurity tools and services recommended by your IT department or managed services provider (MSP)? How many employees might be disgruntled because they were disciplined, failed to get something they wanted, think you are just being cheap, or simply want to cash in? How many former employees have an axe to grind? Remember, anyone can be a whistleblower.
If you are breached or attacked, even more people will know and be likely to turn you in. Failing to report a breach and make the required notifications is squarely on the Justice Department's radar.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well that changes today,” said Monaco.
Defense contractors that handle controlled unclassified information (CUI) are required to implement all 110 security requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171, Revision 2 (NIST 800-171). These requirements are imposed by DFARS and by the new CMMC program, and you agree to them when you sign a defense contract containing the DFARS cybersecurity clause.
Medical providers that receive Medicare and/or Medicaid are required to secure patient data in accordance with HIPAA and MIPS. Billing the government while falsely attesting to compliance (for example, certifying that a security risk analysis was performed when it was not) is a violation of the False Claims Act, requiring the three-times payback, and may be considered Medicare fraud, which can result in exclusion from federal health care programs, barring you from working for any organization that bills Medicare or Medicaid.
If you are a business working with regulated clients, their regulations flow down to you, usually through contract terms such as DFARS flow-down clauses to subcontractors or HIPAA Business Associate Agreements.
Compare the cost of cybersecurity with the risks of losing your primary funding sources and paying penalties your insurance refuses to cover.
Contracts with funding sources beyond the federal government often include general requirements like, “Parties agree to comply with all applicable laws and regulations …” or specific references, sometimes across multiple pages, detailing a wide range of cybersecurity and compliance requirements.
You may have signed and filed away contracts without sharing the details with your IT department, MSP, or compliance team.
You may have signed HIPAA Business Associate Agreements but failed to keep up with new requirements for working with healthcare clients.
You may have answered cybersecurity questionnaires hoping that your customers and funding sources never audit you.
Time is running out.
You need to protect yourself now from the death sentence of losing your funding sources and insurance coverage by taking these steps:
- Identify ALL your cybersecurity and compliance requirements, including all applicable federal and state laws, industry requirements, contracts, and insurance policies.
- Find and review your current contracts and insurance policies. Defense contracts, HIPAA, Medicare, and state laws require data protection. Other funding sources may have different cybersecurity and compliance requirements. Note any language in contracts related to cybersecurity, compliance, and breach notifications.
- Compare your requirements to what you are actually doing. This may take specialized tools and an independent consultant to validate what your IT staff or MSP is telling you.
- Contracts and insurance policies are legal documents. If you are audited or a contract is enforced, you will be required to produce documented evidence of compliance. Doing the right things without written reports showing consistency over time will cause you to fail an audit, and producing that level of documentation requires special tools and effort beyond basic IT services. Customers are more sensitive than ever to the cybersecurity risks in their supply chain, and answering their questionnaires opens you up to site visits and audits.
- Don't fall for gimmicks. Self-administered questionnaire-based risk assessments don't see what is actually happening on your network. Phony website "shields" claiming compliance can get you in trouble with the Federal Trade Commission for deceptive advertising. Engage a qualified expert who uses specialized tools to get under the skin of your network and see what is really going on.
Finally, change the way you view cybersecurity costs. Look at cybersecurity and compliance as an investment in protecting your revenue, the people you serve, the people who work for your organization, and your long-term hopes and dreams.
Healthcare providers and defense contractors can pay $20,000 to expert advisers to identify their current situation, determine gaps, and create a roadmap for success. Then it can cost another $100,000 to overcome years of neglect and implement the required cybersecurity tools and services.
So, if $120,000 in additional cybersecurity seems expensive, just compare it to the $6 million in False Claims Act damages you could pay by not doing the right things, and the reward of up to $1,800,000 your disgruntled employee (or the last person you fired) could earn for turning you in.
You can always choose to turn down the money. If you only have one client that requires you to invest in complying with regulations or expensive contract terms, you can decide whether or not it is worth the investment.
But if you decide to take the money, you have no choice.
MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.