On October 6, 2021, the U.S. Department of Justice ("DOJ") announced a new Civil Cyber-Fraud Initiative ("Initiative") that will use the False Claims Act ("FCA") to target cybersecurity-related fraud by government contractors and grant recipients. The Initiative follows a recent trend of enforcement actions concerning failure to comply with cybersecurity requirements in government procurements, and it signals that the U.S. government likely will take the position that cybersecurity requirements in federal contracts and grants are requirements "material" to payment. It also is the latest in a spate of recent Biden administration actions focused on increasing cybersecurity defenses in the face of the continuing proliferation of ransomware and other cyberattacks. 

DOJ intends to use the FCA against contractors and grantees that "fail to follow required cybersecurity standards." The Initiative will use the FCA to specifically target entities "knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."  

The FCA is the primary tool for combatting fraud against the government. In 2020 alone, DOJ recovered $2.2 billion from civil FCA settlements and judgments. This is due, in large part, to the FCA's unique qui tam provisions, which incentivize private parties, called qui tam relators, to share in any recovery. To date, there have been several FCA cases involving cybersecurity filed by whistleblowers. The Initiative indicates the government will also be bringing cases in its own name. 

Cybersecurity compliance has become a growing focus of FCA enforcement. In recent years, qui tam relators have brought allegations related to security vulnerabilities without allegations that the vulnerabilities had been exploited. Even if a contractor or grantee avoids FCA liability, a successful defense of such allegations may come at significant expense. 

DOJ indicated that it will partner with other federal agencies and law enforcement on the Initiative—an important reminder of the potential for criminal liability or debarment. To reduce the risk of FCA liability, government contractors and grantees should consider: (i) reviewing any cybersecurity-related representations and certifications to understand what is required; (ii) assessing their current cybersecurity posture and capabilities; (iii) implementing or refreshing procedures to identify, assess, and promptly remediate cybersecurity vulnerabilities and to contemporaneously document these security decisions; and (iv) educating executives and board members regarding these emerging risks. They should also consider their mandatory reporting obligations relating to the FCA, as we recently discussed.