Early in July, Aerojet Rocketdyne agreed to a $9M settlement in a whistleblower lawsuit. The aerospace and defense company was sued on behalf of the state of California by Brian Markus, a former senior director of cybersecurity, compliance, and controls hired in 2014.
Markus alleged that the company promised a $10-$15M budget, a staff of up to 10 employees, and up to 25 contractors to improve the company’s security system. However, they only allocated a $3.8M budget, a staff of two, and seven contractors.
Aerojet Rocketdyne worked with U.S. federal government agencies, including the Department of Defense and NASA. According to Markus, the company wasn’t compliant with government cybersecurity regulations and shared misleading information about its cybersecurity practices.
In 2015, one year after being hired, Markus refused to verify that the company’s program complied with government regulations. He reported the incident to Aerojet Rocketdyne’s ethics hotline, and his employment was terminated within the year.
In the complaint that was filed with the court, Markus claimed the defendants were “understaffed and under budgeted to provide the level of cyber security that was required by the federal acquisition regulations for contractors granted access to UCTI [unclassified controlled technical information] or SBU [sensitive but unclassified information] belonging to the federal government.”
Under the False Claims Act, Markus was able to file the lawsuit on behalf of the U.S. government and received $2.6M in the settlement. Aerojet Rocketdyne settled the case without admitting guilt.
A Cybersecurity First
This case is believed to be the first in which the False Claims Act was used to hold an enterprise responsible for fraudulent cybersecurity claims. The U.S. Department of Justice seized the opportunity to encourage other whistleblowers to come forward.
“The qui tam (whistleblower) action brought by Mr. Markus is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act,” said Phillip Talbert, U.S. Attorney for the Eastern District of California.
We hope this action will have long-reaching ramifications for cybersecurity in the years ahead. By turning in his company, Markus took a stand and put other companies on notice – if they aren’t compliant, they could be held accountable.
Doing the Right Thing
The whistleblower’s actions, in this case, were brought on by a situation of an embattled CISO acting professionally and doing the right thing. Most CISOs we have worked with are women and men of integrity and ethics who care deeply about compliance and security. They are tasked with securing their organizations’ operations, systems, assets, and data and take those responsibilities seriously.
By and large, the corporations that engage with us also take their cyber-responsibilities seriously. Our clients in industries such as utilities, health care, and finance place great emphasis on cybersecurity. They recognize that compliance is only the beginning in securing their data and assets and put additional security measures in place to defend their companies.
Unfortunately, some organizations overlook cybersecurity. Whether they feel invulnerable to attack or think the risks of cyberattacks don’t justify the cost and effort required to defend their assets properly, they open the door to significant damages that can extend far beyond their virtual perimeters.
For businesses working with military partners, these risks could impact national security. Other organizations storing personal data are putting their customers’ data at risk and exposing them to identity theft and criminal activity.
CISOs and other cyber security officers are the last lines of defense in those circumstances. When their advice, recommendations, or guidance is ignored, or if they are forced to sign off on security measures that are less than adequate or below-accepted standards, they will have no recourse within their organization.
Government oversight and enforcement are in place to discourage organizations from cutting corners, reducing the budget, and exposing their networks to attacks.
When All Else Fails
The False Claim Act, including the civil cyber-fraud initiative, is intended to improve the United States’ overall cybersecurity posture by adding a new channel for CISOs to turn to. When management isn’t willing to listen or actively acts in ways that are counter to best cybersecurity practices, security professionals can turn to the courts for recourse. According to the FCA, they can sue companies on behalf of the government and receive percentages from fines if they win.
The size of a potential claim in a False Claim Act lawsuit can be triple the value of the contract. The onerous penalty should incentivize businesses to comply with regulatory requirements rather than risk exposure from employees who are actively encouraged and compensated by the Department of Justice to come forward and report on their employers.
Maximizing the Cybersecurity Budget While Achieving Better Results
There is a lot that can and should be done to help companies grow and thrive while at the same time enhancing their cybersecurity posture. Organizations that wish to maximize their budget while bolstering their security should focus not only on the basic requirements to meet compliance standards in their industry, but on mitigating the risks that form the greatest danger to their operations, assets, and data.
To achieve this, our consultants typically perform risk assessments to help companies pinpoint where to invest and focus more effort so that security teams and budgets are not spread too thin. Once the risk assessment has identified the focus areas, we provide cybersecurity strategies to optimize the team’s time, elevate the company’s security posture, and optimize the budget. We base our approach on the company’s risk tolerance, business impact analysis, budget, and regulatory requirements.
Where Do We Go from Here
It is hard to imagine becoming a whistleblower someday when one has just started a new job to protect a company. However, when the circumstances demand it, the FCA has created a pathway for employees to ensure future compliance.
We don’t think CISOs will be rushing to be whistleblowers to get a big payday; however, if CISOs’ advice is blatantly ignored or they are forced to sign off on something that goes against their professionalism, not to mention doing the ethical act; it will not be surprising to hear of other incidents like this.
We encourage all organizations to not only comply with cybersecurity regulations in their industry and state but to create a “cyber-smart” culture in which cyber security is made a priority, is spoken about in board meetings, and is taken seriously by leadership and c-level executives. At the same time, lean strategies should be applied to adhere to each organization’s budget and risk tolerance. Conflicts such as the one described here could thus be avoided.
To learn more about how to maximize your company’s cybersecurity budget while raising security posture, please get in touch today.
*** This is a Security Bloggers Network syndicated blog from HolistiCyber authored by Leora Pudell. Read the original post at: https://holisticyber.com/blog/blowing-the-whistle-for-cybersecurity-compliance/