What Is the Civil Cyber-Fraud Initiative?

If a bank or federal contractor experiences a data breach, the federal government wants to know about it—and the new Civil Cyber-Fraud Initiative has teeth to back it up. 

Throughout 2021, the federal government has taken the fight to global hackers on multiple fronts, fueled by President Biden’s May 2021 executive order. Two of the latest moves are the Department of Justice’s Civil Cyber-Fraud Initiative and new FDIC rules that ramp up reporting requirements when federal contractors, federal grant recipients or banking entities experience data breaches. 

This post explains what you need to know about how the Civil Cyber-Fraud Initiative and other new regulations could affect you. 

Why Does the Government Want Breach Reports? 

A data breach affects far more than the compromised organization. In this era of heavily interconnected supply chains, a breach of a single organization can rapidly cascade into dozens of others. (This year’s Kaseya breach provided a painful example of how supply chain attacks can go global in very little time). Through moves like the Civil Cyber-Fraud Initiative, the government wants to know when anyone handling its data or connected to its systems experiences a compromise. 

Sharing breach information also lets the greater community stop bad guys more quickly. When breaches go unreported, hackers may keep using the same kind of attack on other organizations in both the public and private sectors. When you report a breach, the government can spread the word about the vulnerability exploited and the type of attack used, etc. and help others quickly harden their defenses. Shared breach information helps developers respond with the patches that close the vulnerabilities. 

An FBI agent explained in one of our recent blogs that agents like companies to report even suspected attacks so that they can add the threat data to the information shared with all their offices. 

The DOJ’s announcement of its new requirements also acknowledged a critical point for private companies: Companies should have incentives to invest in good information security. With new regulations built on cybersecurity best practices, the government wants to stop companies from skimping on security investments and undercutting prices from those doing the right thing. 

What’s in the Civil Cyber-Fraud Initiative 

In October, Deputy Attorney General Lisa O. Monaco announced the Civil Cyber-Fraud Initiative saying, “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well, that changes today.” 

The new act’s enforcement comes via the False Claims Act, a tool that lets the feds levy fines against parties who put government programs and operations at risk through inadequate information security measures. In short, if you operate under federal contracts or receive federal grant funding, you need to be aware of the new requirements. Under this new program, firms could face government penalties if they knowingly: 

• Provide deficient cybersecurity products or services 

• Misrepresent cybersecurity practices or protocols 
• Violate obligations to monitor and report cybersecurity incidents and breaches 

Whistleblower provisions in the False Claims Act empower individuals to report any wrongdoing they know about (and gives them a chance to share in assets recovered). Based on the whistleblower empowerment and the regulations’ complexity, observers expect to see a significant whistleblowing, which is what the feds are hoping for. Violations could be as simple as, for example, falsely stating that you have a written incident response plan or system monitoring in place. 

Plenty of questions remain about how the government will judge a “knowing” failure, how penalties would be assessed, how responsible a company is for its subcontractors, etc. 

What’s in the New FDIC Notification Rules 

The FDIC issued its own new regulation about incident notification in November. The new rule requires banking organizations to notify their primary Federal regulator of any “computer-security incident” that rises to the level of “notification incident,” as soon as possible, with the window not to exceed 36 hours after discovering the incident. 

In short, this regulation applies to incidents that could disrupt, degrade or impair banking operations and services. 

The rule also requires notification of customers if services will be disrupted or degraded for four hours or more. The rule takes effect April 1, 2022. 

Clearly, it will take time for organizations to sort through the new rules and establish policies accordingly. For help understanding how the Civil Cyber-Fraud Initiative and the new FDIC rules affect you, contact an HBS expert.