The U.S. Department of Justice is looking to encourage more organizations to beef up their cybersecurity by extending the scope of an existing False Claims Act (FCA) to pursue cases against government contractors that hide a security breach rather than report it.
In addition, any company that knowingly provides deficient cybersecurity products or services, or knowingly misrepresents their cybersecurity practices or protocols, or knowingly violates obligations to monitor and report cybersecurity incidents and breaches, will be subject to civil action. The DOJ is also encouraging whistleblowers and others to report cybersecurity “failures” as potentially fraudulent conduct.
Potential financial implications of the False Claims Act
FCA provides civil penalties of between approximately $12,000 and $24,000 for each false claim and up to three times the amount of damages any government entity my incur.
Not every MSP does business with the Federal government, but the act applies to any entity that receives Federal funding, which means it could apply to MSPs that provide IT support to another entity that is providing a service to a government agency. In effect, the MSP could be considered a subcontractor in that instance.
Overall, the level of cybersecurity scrutiny being applied to MSPs is only going to continue to increase in the wake of a series of high-profile security breaches. Many MSPs have, at the very least, reevaluated their security practices if not outright upgraded or replaced the IT service management (ITSM) platform they employ.
Given the level of scrutiny being applied to Federal contracts some MSPs may also decide to forgo bidding on Federal contracts. Other MSPs that have invested in cybersecurity best practices may even welcome this interpretation of FCA as a means to winnow out competitors that use low-ball pricing to win a contract. The government, after all, is generally required to accept the lowest contract bid. Naturally, that approach doesn’t always result in the best products and services being acquired.
How effective will the FCA be?
This interpretation of FCA is likely to wind up being tested in court whenever the first case is brought forth, so it remains to be seen how much bite this decree from the DOJ will have. However, one way or another, MSPs should assume that whether it’s a government agency or an end customer, the amount of auditing activity that will be required on their part is about to increase. As such, so will the cost of delivering managed services.
MSPs would be well-advised to automate as much of that process as possible. The best way to lower the cost of any audit is to be able to produce a report as much ahead of time as possible to reduce the amount of time any auditor might be inclined to spend asking tougher questions.
Most MSPs are not necessarily big fans of regulations that impact them. However, governments have a long history of creating regulations that often benefit MSPs by creating demand for their services. Like it or not, that sometimes means taking the bad with the good when those rules apply to MSPs themselves.
Photo: Orhan Cam / Shutterstock
