Risks of cyber fraud allegations remain high for companies subject to government requirements

COMMENTARY | Stricter government cybersecurity requirements present elevated risk to companies due to increased enforcement pressure and additional bases for allegations of cybersecurity fraud.

Investigations into alleged violations of cybersecurity requirements under the federal civil False Claims Act (FCA) and its state analogues are increasingly an area of focus for the U.S. Department of Justice (DOJ), state attorneys general and whistleblowers (known as qui tam plaintiffs or relators under the FCA). We expect a continued uptick in enforcement activity, leading to elevated risk and additional potential financial exposure for companies subject to government cybersecurity requirements.

First, federal agencies and state and local governments are imposing progressively stricter cybersecurity requirements in their contracts that will ultimately apply to a broader set of contractors than before.

For example, when the Pentagon's new Cybersecurity Maturity Model Certification (CMMC) regulations go into effect on November 10, 2025, they will remove certain flexibility currently ...