Risk Management Article
May 23, 2022

Regulators Move to Combat Cybercrime

In December, news surfaced of cybercriminals exploiting a new network vulnerability in a piece of Java-based, open-source software called Log4j. The widely-used software performs the perfunctory task of logging data to help other programs function. By mid-December, cybersecurity experts estimated that Log4j was the target of over 100 hacking attempts per minute, leading some to call it the most serious network vulnerability they had ever seen.

As serious as the Log4j vulnerability is, it will likely be eclipsed soon by a new one, and then another. The risk of cybercrime is steadily growing at a disturbing rate, both in terms of the sophistication of the attacks and the potential damage they can do. In response, the U.S. government has been reappraising cybersecurity risk. This will have important implications for private businesses, particularly contractors and subcontractors to the federal government.

A New Regulatory Focus

Cybercrime is difficult to address with the tools available to the federal government. After all, it crosses borders, it involves obscure methods and technology, and it is carried out by a shadowy network of state-sponsored and non-state actors whose nexus of collaboration is difficult to identify. Given the challenges of stopping cybercrime at the source—i.e., the criminals themselves—the government is focusing on the lax or negligent cybersecurity protocols that facilitate cybercrime or increase the resulting damage.

In October 2021, the U.S. Department of Justice (DOJ) announced the Civil Cyber-Fraud Initiative, which sets out to view cybersecurity through the lens of corporate fraud. The initiative uses the False Claims Act (FCA), a piece of Civil War-era legislation meant to prosecute fraud against the federal government, “to identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk,” according to Acting Assistant Attorney General Brian M. Boynton. Under the FCA, any person or entity that knowingly submits false claims to the government can be sued for up to three times the damages, plus a penalty for each false claim.

Applying FCA to cybersecurity is notable, but not surprising when viewed through the context of recent government activity. In public remarks made late last year, Deputy Attorney General Lisa O. Monaco highlighted the DOJ’s newly invigorated response to corporate crime, commenting that “corporate crime has an increasing national security dimension—from the new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.” She also emphasized the importance of preventative compliance programs and strong compliance culture, warning that “a corporate culture that fails to hold individuals accountable, or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.”

The Civil Cyber-Fraud Initiative is therefore consistent with the current regulatory focus, but it does introduce new risks for federal contractors generally and information technology professionals in particular. Using the FCA to fight cybercrime changes the risk profile for private business and increases the importance of greater vigilance and proactive compliance, as failures risk greater civil liability. Additionally, parallel criminal investigations and proceedings are often pursued alongside FCA cases, and many criminal cases begin after civil investigations uncover facts or circumstances that provide predication for criminal investigators. In short, the Civil Cyber-Fraud Initiative will likely have wider implications than initially expected.

Broader Application of the FCA

The FCA is taking on an expanded relevance. For instance, there have been several recent so-called “reverse false claims actions” involving money owed to the government rather than money that was wrongly paid out by the government. Many of these reverse claims have involved failure to pay duties of various kinds, including antidumping and countervailing duties.

As part of the Civil Cyber-Fraud Initiative, the DOJ has identified three common cybersecurity failures that are “prime candidates” for FCA enforcement: 1) failures to comply with cybersecurity standards; 2) knowing misrepresentations of security controls and practices; and 3) failures to promptly report suspected breaches. Boynton has remarked that the Civil Cyber-Fraud Initiative will “build on the department’s already extensive work pursuing fraud and abuse relating to the government’s procurement of information technology products and services.”

Notably, Boynton specifically recognized the role whistleblowers play in these actions. Given the volume and sophistication of state-sponsored cybercrime, as well as other cyberthreats, investigators and whistleblowers should be able to easily identify weaknesses in government contractors’ and subcontractors’ cybersecurity regimes or inconsistencies in poorly drafted contract language.

Additionally, no industry is immune from attack by cybercriminals—health care, education, aerospace, finance, retail, and general goods and services all potentially handle sensitive data. Moreover, the new enforcement regime is likely to impact companies that have employees, vendors, subsidiaries or subcontractors based overseas.

What Should Risk Professionals Do?

Since the FCA-related aspects of cybersecurity compliance will trace back to contract language, risk professionals will need to pay more attention to what the actual contracts say. Many government contracts already contain strict data and cybersecurity requirements, including protocols for protection, response, reporting and mitigation. Adhering to these protocols is key. Internal and additional reviews can also help alleviate the risk of something going wrong. To best mitigate risk, pay careful attention to the following:

Review and update cybersecurity procedures. Do not wait for new risks to update or conduct reviews of your cybersecurity procedures. Conducting regular reviews of internal systems and programs that protect data allows your company to keep up with the ever-changing world of cybersecurity. Standards that were applicable when the program was instituted may no longer be applicable or even appropriate.

Communicate with your contracting parties. The often-complex web of subcontractors and vendors can present unique challenges. Communication and transparency about cybersecurity are critical between vertical contracting entities.

Do not overpromise and underdeliver. As Boynton stated in announcing the Civil Cyber-Fraud Initiative, companies that do business with the government and that knowingly make misrepresentations about their own cybersecurity practices or abilities will face consequences. These misrepresentations could be seen as depriving the government of the deal it agreed to. For a successful contractual relationship with the government, it is critical to know exactly what your company can accomplish, what products it can offer, and what assurances it can accurately make.

Conduct compliance program training. Workforce training is essential to develop a robust cybersecurity culture within an organization. Requiring cybersecurity training for new employees and annual training for existing employees demonstrates corporate commitment to implement and maintain the security requirements enumerated in contracts with the Department of Defense and General Services Administration.

Establish an in-house hotline. Across many industries, it is now common practice to have hotlines or other reporting mechanisms for employees to report misconduct or wrongdoing. To run an effective system, it is essential to develop a culture of confidential reporting, follow up on complaints, and document investigations. These systems and protocols allow companies to learn about and address problems before they attract the attention of regulators and investigators or mature into full-blown crises.

Given the breadth of the threat, every company is likely to experience a cyberattack of some kind in the future. Making a good-faith effort to comply with the law and other contractual obligations can help mitigate the fallout. When incidents occur, it is equally important to maintain transparency with the U.S. government. Failing to report a data breach or other cybersecurity incident is almost always a critical mistake, and one the government clearly intends to go after. Prompt reporting allows the appropriate parties to react and limit any risk resulting from the breach.

Reprinted with permission from Risk Management Magazine. Copyright Risk and Insurance Management Society, Inc. All rights reserved.
Written by
Gregg N. Sofer, 2022
Source: https://www.rmmagazine.com/articles/article//2022/02/01/regulators-move-to-combat-cybercrime
