Specialty Podcast: Cybersecurity Requirements for Federal Contractors
By Alliant Specialty
A federal court in California recently rejected a motion for summary judgment in a False Claims Act (FCA) case involving a contractor accused of failing to disclose deficiencies in their cybersecurity. David Finz, Matt Walsh and Steve Pierce, Alliant, discuss the important lessons for government contractors in the emerging area of FCA liability.
You're listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
David Finz (00:09):
Hey, everyone. And welcome back to another Alliant podcast. I'm David Finz in the cyber practice, and with me here today, we have Matt Walsh and Steve Pierce from the construction practice. Matt, Steve, welcome to the program.
Steven Pierce (00:24):
Good afternoon, David. It's great to join you.
Matt Walsh (0:27):
David, Steve. Great to be here. Thank you.
David Finz (00:29):
We're here to talk about a recent case decision that's come down in California, but also the broader implications for our construction clients around contracting. So specifically, what happened here was that in early February, a federal district court denied a defendant's motion for summary judgment, with respect to a false claims act allegation. That was part of a broader lawsuit. Now the case was based on an action filed under the FCA by the company's former director of cybersecurity. He alleged that the company had failed to comply with its duties, under contracts with the Department of Defense and NASA. And in fact, the former director says he was fired for refusing to sign faulty compliance certifications, and also for reporting the issue. Now, the court did dismiss two of the claims around his employment termination, but they allowed two claims around the FCA to go forward, having to do with promissory fraud and fraudulent statement of record. And that's what we're really here to talk about today. Let me start off with you, Matt. When you're reading this decision in terms of what the company had apparently failed to disclose, or the extent of it, what strikes you about this and what should our clients bear in mind?
Matt Walsh (01:51):
Well, the first thing that came to mind is contract rigor really pulling back from the specificities of this matter and considering what our most sophisticated contractors go through every day, which is dealing with increasingly and complex contract language. Looking at that contract language, having a very collaborative effect on how they interact with their team is very critical, but whether it's the legal department, the risk department, their outside counsel and of course their broker advisors as well, and how important it is to really make sure that everyone understands all the words. And especially in the context of federal requirements, they can be quite complex and sometimes, somewhat opaque depending on who's reading them.
David Finz (02:33):
Right. And I mean, one of the things that the courts seem to focus on here in allowing the FCA claims to go forward is not whether the defendant was non-compliant because who is 100% compliant with all of the requirements, but really it was a matter of degree, right? It was a matter of the fact that they did not necessarily disclose or there's reason to believe they did not necessarily disclose the extent of the non-compliance. And would it have made a decision to the government as the purchaser right. In terms of knowing that upfront? So, Steve, with that kind of framework, how do we advise our clients?
Steve Pierce (03:13):
Well, for us, you know, I think it starts with how they go about bidding and how extensively they're reviewing both with internal and outside counsel to make sure that they understand what they have to be compliant to versus just submitting a bid and automatically being non-compliant from the outset. Then from there, I think typically our more sophisticated clients check in with us as their advisor and we'll walk through that. We were working a large, higher ed. opportunity and we actually saw as a broker, a requirement that we felt was onerous and went through that process and vetted that with our own legal counsel and actually chose in that case to not submit a bid. I think this is one of the things where we, by working with our clients, we just need to know what that requirement is. Should they, or will they be able to meet the requirement by the time the bid gets signed? And it's not just us as an insurance broker, in advising on coverage, it's also really going to the level of getting their counsel involved and making sure that it ticks and ties with the insurance requirements and the indemnity obligations.
David Finz (04:19):
Right? I mean, I can tell you from personal experience, we definitely see this play out in the area of cybersecurity as well, where council is engaged, not only just to ensure compliance, but also to help them avoid liability. Obviously, there's the issue of privilege and wanting to maintain some level of confidentiality around those deliberation. And sometimes the best decision for a company is to not put in a bid, right? And thereby avoid a situation where they could be creating an exposure for themselves. Are you beginning to see, and this goes out to either of you, Matt, or Steve, are you beginning to see cyber security become more top of mind for our clients when they go out to bid? Are those requirements becoming more rigorous in terms of the controls that the purchases want to see?
Matt Walsh (05:12):
Yeah, I would say absolutely, and Steve can weigh on this as well. We speak to these matters all the time. When you consider flowing down from the top end of a contract from the owner to the general contractors or design build contractors all the way down through their subs. The top end of that operation is going to have a fairly sophisticated process. But the question then comes how you work through the sub tier process and both from a standards perspective and also from an insurance perspective, nature of coverage and scope of coverage limits, etcetera, and most importantly, that might be required in the contract. And Steve, I know you've had a lot of thoughts on this in the past with how that impacts subcontractors.
Steve Pierce (05:51):
One of our larger contractors, they're probably biggest hiring need right now is to focus around this specific issue of IT security and making sure that they're compliant on anything that they bid. They do all public work. So, one, they want to be compliant, but then they then need to educate all their project managers and nobody who's working with the owners that they're working on behalf of and also to all those downstream subs. That's a big educational process because they're going to make the investment. They're going to do that as a prime contractor, and then they're going to have to trickle that down to every specialty to make sure because they're responsible for everything that's downstream to them. And right now, they're literally outsourcing a high level IT expert to basically shore up their technology department and their ability to be compliant on all these issues.
Matt Walsh (06:37):
What's interesting too, Steve, maybe think about this is the working backwards up through the sub. Some of the owners have thought about this and they're now starting to incorporate into their contracts project specific requirements. So, you're not in compliance with just your corporate program. You have to have a project specific placement and then that incorporates then project specific protocols around the cyber dynamics and IT dynamics and the control of all these documents flowing across. When you've got multi-billion-dollar projects, you've got scores of people that are involved with trading information. So that's one of the key challenges is how you scope that, how you get that coverage in place. We give the contractors and the insurance company's comfort that everyone has everyone's in a place where they have the right information. And David, I know you've looked at these topics. The key underwriting question is often how do those things work together in that project environment?
David Finz (07:33):
Exactly. No, it's true because I think it becomes something of a symbiotic relationship, right? Because the purchasers want to see when you go out forbid that you have the insurance in place, but in order to have the insurance in place to get the coverage, you need to have the requisite controls. So, in a sense, the underwriting process itself serves as a gut check, if you will, to make sure that the controls are in place. And in fact, we have a prioritization checklist that we offer clients with near medium- and long-term objectives for them to meet the types of security controls. Not only that their customers are looking for, but that not coincidentally are the same types controls that the underwriters expect to see in place. And we can certainly make that available to listeners upon request. Any other takeaways that our listeners should keep in mind, Matt, or Steve?
Steve Pierce (08:29):
I think one item is being way ahead of the issues. Not only from having the controls in place and making sure that they're outsourcing and securing this line, but also understanding that this line of coverage has changed so substantially, in terms of what types of coverages are being afforded now with a hard market and also the prices have gone up dramatically. So, it has a big impact on their budgeting. And so, if you're looking at a project and you've got all these sub tiers and you've got this aggregate effect of cost within the cost of the work, that's also budgeting's big issue for these folks. So, if they don't have that going in, everybody has to secure the coverage. After the contracts verified, then got a lot of budget busts.
David Finz (09:11):
Understandably, It's better to bake that into the cost going into it. Well, I think that about wraps it up and I want to thank you both for joining us today. Here at Alliant, we are all about helping our clients find a more rewarding way to manage risk, and you can find more about our construction practice and about our cyber insurance capabilities by visiting our website at www.Alliant.com, until next time. Thanks for listening.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.
Thanks for your message.
We’ll be in touch shortly.
News & Resources
Specialty Podcast: Evolving Risk in the Power, Utility and Renewable Industry
The Alliant Power team continues to expand and provide the More Rewarding Way to Manage Risk for our Power, Utility and Renewable clients.
Specialty Podcast: Executive Liability Hot Topics - Trademark Infringement & ESG
David Finz and Matia Marks, Alliant, discuss recent events highlighted in this month's edition of the Executive Liability Insights Newsletter.
Specialty Podcast: Drone Insurance and Liability Coverage - Do You Need It?
Drones have seen rapid growth and advancements over the last few years as more and more industries discover ways that drones benefit their business. Drones are used for site inspections, infrastructure monitoring, crop monitoring and security surveillance just to name a few.