NOTE TO MSPs – Business owners and executives often resist making the cybersecurity investments they should, and channel pros often struggle to explain why spending the money on an adequate level of cybersecurity is necessary to protect the customer's reputation and finances. Here is a proven way to make the case to your customer for investing in security. Use this article to help both current customers and prospects understand their risks.
If you decide to take federal money, or work with regulated clients, you give up your right to scrimp on cybersecurity. Saving money might cost you a fortune.
Taking federal payments removes your ability to decide arbitrarily how much to invest in cybersecurity, because there are rules you must follow. Once you decide to work with the government, you can no longer apply your own risk tolerance and willingness to spend.
Just one disgruntled employee could turn you in for trying to save money, costing you millions of dollars in penalties while earning over a million dollars for themselves.
The federal False Claims Act (FCA) is called "Lincoln's law" because it goes back to when contractors were defrauding the Union Army during the Civil War. Fast forward to today, and it is being weaponized by the U.S. Department of Justice (DOJ) against defense contractors, medical providers, and organizations receiving federal grants (researchers, universities, etc.) that fail to provide adequate cybersecurity as required by the Defense Federal Acquisition Regulation Supplement (DFARS), the Cybersecurity Maturity Model Certification (CMMC), the Health Insurance Portability and Accountability Act (HIPAA), the Medicare Merit-Based Incentive Payment System (MIPS), and other regulations.
When the DOJ announced its Civil Cyber-Fraud Initiative in 2021, Deputy Attorney General Lisa Monaco said, “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately.”
This enforcement initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
False Claims Act penalties include paying back THREE TIMES what was received from the federal government, PLUS FINES. And, anyone can be a whistleblower and turn you in to earn 15% to 30% of your penalty. (Whistleblowers are protected by federal law against retaliation.)
For instance, if you are a doctor who receives $2 million in Medicare funding, or a defense contractor that receives $2 million in purchases, you would have to pay back $6 million (plus fines) for failing to implement the required cybersecurity. The person turning you in could get $1.8 million.
Just imagine how many people know that you fail to adequately secure data. How many know you decline cybersecurity tools and services recommended by your IT department or managed services provider (MSP)? How many employees might be disgruntled because they were disciplined, failed to get something they wanted, think you are just being cheap, or simply want to cash in? How many former employees have an axe to grind? Remember, anyone can be a whistleblower.
If you are breached or attacked, even more people will know and be likely to turn you in. Failing to report a breach and make the required notifications is itself on the Justice Department's radar.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well that changes today,” said Monaco.
Defense contractors are required to implement all 110 cybersecurity requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST 800-171, Revision 2). These requirements are imposed through the DFARS clause included in defense contracts and through the new CMMC; you agree to them when you sign the contract.
Medical providers that receive Medicare and/or Medicaid are required to secure patient data in accordance with HIPAA and MIPS. Failure to invest in proper cybersecurity can be a violation of the False Claims Act, triggering the three-times payback, and may be treated as Medicare fraud, which can result in exclusion from federal health care programs, meaning you cannot work for any organization that bills Medicare or Medicaid.
If you are a business working with regulated clients, their regulations flow down to you. The DFARS cybersecurity clause flows down to subcontractors that handle covered defense information, and HIPAA binds MSPs and other vendors that touch patient data as business associates.
Compare the cost of cybersecurity with the risk of losing your primary funding sources and paying penalties your insurance refuses to cover.