Ice Miller Cybersecurity Law Snapshot: Settlement in Cybersecurity-Related False Claims Act Case, Europe Releases Hardened Directives, and CISA Warns of Looming Cyberattacks

Aerojet settlement highlights the financial and legal risks of DFARS cybersecurity non-compliance

On April 26, Aerojet Rocketdyne settled the first cybersecurity-focused False Claims Act (FCA) case for $9 million, in addition to other undisclosed payments. As we mentioned in a previous Cybersecurity Law Snapshot, United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc. involved the cybersecurity requirements set out in the Defense Federal Acquisition Regulation Supplement (DFARS). Aerojet was accused of misrepresenting its compliance with the cybersecurity requirements of DFARS § 252.204-7012 through allegedly false claims and insufficient disclosure of its non-compliance. This case was the first in which a court ruled that non-compliance with cybersecurity regulations could serve as the basis for an FCA lawsuit.

Although the settlement ended this particular case before it was fully litigated, the Department of Justice (DOJ) has already signaled that this will be the first in a new wave of FCA enforcement. Accordingly, there are some critical points, especially from the DOJ's Statement of Interest in the case, that clients involved in government contracts should consider:

  • Failure to comply with cybersecurity requirements can be material to the government's decision to enter into a contract;
  • Partial disclosure of non-compliance is likely to be insufficient;
  • Industry-wide compliance problems do not excuse misrepresentation or partial disclosure;
  • The government's existing knowledge of non-compliance will not excuse misrepresentations.

Businesses that contract, or are considering contracting, with the federal government should review their cybersecurity disclosures, maintain comprehensive compliance documentation, and consider whether their procurement procedures need updating.

Europe: the cyber regulator that keeps on giving

Earlier this month, the European Parliament announced that it had reached a provisional agreement on new cybersecurity rules for public and private entities in the European Union. The new directive, known as NIS2, is designed to extend the existing rules on the security of network and information systems to cover medium and large entities in an even wider range of sectors. While we are still waiting to see whether the agreement includes any revisions to the original NIS2 proposal, we are likely to see a number of new cybersecurity requirements for covered entities. NIS2 is currently expected to affect an organization's cybersecurity policies in the following areas: business continuity and crisis management, incident handling, testing and auditing, encryption, and standardization of network and information system specifications. In addition, the directive is poised to introduce new notification requirements, including a requirement to report certain cybersecurity incidents within 24 hours of becoming aware of them.

CISA advisories to managed service providers and blockchain companies

In recent weeks, the Cybersecurity and Infrastructure Security Agency (CISA) has issued cybersecurity advisories about attacks against managed service providers (MSPs) and blockchain companies. CISA, together with the cybersecurity authorities of the United Kingdom, Australia, Canada and New Zealand, warns MSPs that malicious actors are exploiting vulnerable devices and internet-facing services to compromise MSPs and, through them, the networks of their customers. Similarly, CISA warns that North Korean cyber actors are using a wide range of tactics to target the blockchain and cryptocurrency industry in order to steal cryptocurrency and intellectual property, and to target other financial assets.

To protect against these attacks, CISA encourages companies to take the following steps:

  • Identify and disable network accounts that are no longer in use;
  • Train employees to recognize social engineering and phishing;
  • Harden applications and use file-verification software and procedures;
  • Implement and enforce multifactor authentication;
  • Apply the principle of least privilege throughout your systems;
  • Conduct incident response and recovery exercises.
