Growing Cybersecurity Risks

Cyber risk is consistently ranked as a top risk facing higher education. Moody's recently echoed this sentiment, rating the sector as "high risk." However, an area of cyber risk that may be less well known is the correlation between cybersecurity requirements in government contracts and the financial impact of compliance associated with federal statutes.

๐—™๐—ฎ๐—น๐˜€๐—ฒ ๐—–๐—น๐—ฎ๐—ถ๐—บ๐˜€ ๐—”๐—ฐ๐˜: The False Claims Act (FCA), 31 U.S.C. ยงยง 3729 - 3733, is a federal statute that has existed since 1863. It was created in response to defense contractor fraud during the American Civil War. Per the Civil Division of the US Department of Justice, "The FCA provides that any person who knowingly submits, or causes to submit, false claims to the government is liable for three times the government's damages plus a penalty that is linked to inflation." So, what does this Civil War statute have to do with higher education?

๐—ฃ๐—ฒ๐—ป๐—ป ๐—ฆ๐˜๐—ฎ๐˜๐—ฒ ๐—ฆ๐—ฒ๐˜๐˜๐—น๐—ฒ๐—บ๐—ฒ๐—ป๐˜: The federal government questioned Penn State's cybersecurity controls after a whistleblower alleged that the University failed to adhere to the cybersecurity requirements required by a Department of Defense (DoD) contract. The allegations also included that the University lied to the government about its cybersecurity program. This misrepresentation was costly for Penn State, which agreed to pay $๐Ÿญ.๐Ÿฎ๐Ÿฑ ๐—บ๐—ถ๐—น๐—น๐—ถ๐—ผ๐—ป to settle the allegations.

๐—ช๐—ต๐—ฎ๐˜ ๐—ฐ๐—ฎ๐—ป ๐—ฏ๐—ฒ ๐—ฑ๐—ผ๐—ป๐—ฒ? This article by Carlton Fields provides valuable insights and risk mitigations to help your institution avoid costly fines and penalties associated with the False Claims Act.

๐—ž๐—ฒ๐˜† ๐˜๐—ฎ๐—ธ๐—ฒ๐—ฎ๐˜„๐—ฎ๐˜†๐˜€

  1. Boards and fiduciaries must understand that contractual compliance with the US government is strictly scrutinized.

  2. Boards and fiduciaries need to support investment in strong institutional cybersecurity policies and the risk management tools required to implement cyber controls.

  3. Be mindful of how your institution represents itself to the federal government. Misrepresentations are costly.

  4. Carlton Fields suggests that Universities should add a "False Claims Act-compliant whistleblower policy and include a procedure for routing and resolving employee complaints related to cybersecurity."

Failing to comply with contractual requirements and misrepresenting your institution's cybersecurity program can result in headlines and fines. Be proactive and support solid cyber risk management practices to avoid loss of reputation with the federal government, which can impact future contracts and the trust of the campus community.
