False Claims Act Enforcement Is Becoming Cybersecurity Enforcement

Plus, hackers linked with North Korea target Axios.

Good morning! Here’s what’s up.

People

Colin Huntley, former Deputy Director of the U.S. Department of Justice’s Civil Fraud Section and one of the nation’s foremost False Claims Act (FCA) enforcement leaders, has joined the firm as a partner in Washington, D.C.

Clips ✂️

The False Claims Act Is Quietly Becoming A Cybersecurity Enforcement Engine

For years, cybersecurity in federal contracting was treated primarily as a compliance exercise. Requirements existed, audits occurred and gaps were remediated over time. The consequences of falling short were typically operational, not existential. That dynamic is now changing with the use of one of the federal government’s most powerful legal tools: the False Claims Act.

This is not a new law, but its application to cybersecurity is reshaping how risk should be understood at the executive level. The implications extend well beyond the defense sector and are increasingly relevant to any company participating in federal procurement more broadly.

Historically, enforcement focused on financial misrepresentation. Today, the Department of Justice is applying the same framework to cybersecurity. When a company represents that it has implemented required controls, meets specific standards or maintains a defined security posture as part of a federal contract, those representations carry legal weight.

If they are materially inaccurate, the issue is no longer a compliance gap. It becomes a potential FCA matter.

by Forbes

North Korea-linked hack hits largely invisible software that powers online services

Hackers linked to North Korea breached behind-the-scenes software that runs many common online functions in an effort to steal login information that could enable further cyber operations, Google said on Tuesday.

The hackers targeted Axios, a program that connects apps and web services, by adding their own malicious software to an update issued Monday, Google and independent cyber researchers said after the hack came to light early on Tuesday.

“Every time you load a website, check your bank balance, or open an app on your phone, there’s a good chance Axios is running somewhere in the background making that work,” said Tom Hegel, a senior researcher at SentinelOne.

The malicious software, which has since been removed, could have given hackers access to a computer's data including access credentials, which can then be used to carry out additional data theft or other kinds of attacks.

by Reuters
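The practical first question after a story like this is "which copies of the package are actually installed, and at what versions?" Nested dependencies can pull in a second copy that a top-level `npm ls` check is easy to miss. The script below is an added example, not code from the Reuters article or from the Axios project: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, lists every copy of a named package with its version and integrity hash, and cross-checks the result against an advisory list. The lockfile, the version numbers, the integrity hashes and the advisory list are all constructed placeholders; they are not the versions affected by the incident described above.

```javascript
// Added example: inventory every copy of an npm package in a package-lock.json
// (lockfileVersion 2/3) so the installed versions can be compared with a
// vendor advisory after a compromised release.
// The lockfile below is constructed for this example. Version numbers and
// integrity hashes are placeholders, not the versions named in any advisory.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER0",
    },
    // A transitive dependency that pins its own, older copy of the package.
    "node_modules/some-sdk": { version: "2.3.4", dependencies: { axios: "^0.27.0" } },
    "node_modules/some-sdk/node_modules/axios": {
      version: "0.27.2",
      resolved: "https://registry.npmjs.org/axios/-/axios-0.27.2.tgz",
      integrity: "sha512-PLACEHOLDER1",
    },
    // Similar name, different package: must not be matched.
    "node_modules/axios-retry": { version: "4.0.0", integrity: "sha512-PLACEHOLDER2" },
  },
});

// Return every lockfile entry whose package name is exactly `pkgName`.
// Keys look like "node_modules/a/node_modules/b" (or ".../@scope/name"), so
// the name is whatever follows the last "node_modules/" segment. Nested copies
// are found; "axios-retry" is not, because the comparison is exact.
function findPackageVersions(lockfileJson, pkgName) {
  const lock = JSON.parse(lockfileJson);
  const packages = lock.packages || {};
  const marker = "node_modules/";
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // workspace link entries, not installed packages
    const name = path.slice(idx + marker.length);
    if (name !== pkgName) continue;
    hits.push({
      path,
      version: entry.version || null,
      resolved: entry.resolved || null,
      integrity: entry.integrity || null,
    });
  }
  return hits;
}

// Cross-check the inventory against the version strings listed in an advisory.
function flagVersions(hits, affectedVersions) {
  const affected = new Set(affectedVersions);
  return hits.filter((h) => affected.has(h.version));
}

// Entries with no integrity hash cannot be verified against the registry
// tarball, so they deserve a look even if their version is not on the list.
function missingIntegrity(hits) {
  return hits.filter((h) => !h.integrity);
}

const hits = findPackageVersions(SAMPLE_LOCKFILE, "axios");
// PLACEHOLDER advisory list: substitute the versions named in the real advisory.
const flagged = flagVersions(hits, ["0.27.2"]);
console.log(hits.map((h) => `${h.path}@${h.version}`).join("\n"));
console.log("flagged:", flagged.map((h) => h.path));
console.log("no integrity hash:", missingIntegrity(hits).map((h) => h.path));
```

To run this against a real project, pass the contents of its `package-lock.json` (for example `fs.readFileSync("package-lock.json", "utf8")`) to `findPackageVersions` in place of the constructed sample, and replace the placeholder advisory list with the versions the vendor actually names. Lockfile inventory only tells you what is pinned on disk; a build that ignores the lockfile or a CI image that resolves fresh can still install something else, so check the artifact that actually ships.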

Compliance is not security: What businesses get wrong about cyber risk

Across many industries, organizations invest significant time and resources into cybersecurity compliance. They pursue regulatory certifications, document policies, implement required controls and prepare for audits.

These efforts are important. Compliance frameworks establish critical baselines that help organizations structure security programs and demonstrate accountability. But a common misconception continues to create risk for many companies: Compliance does not necessarily mean an organization is secure.

“Compliance frameworks provide important structure,” says Regine Bonneau, The Cyber Queen™, founder and CEO of RB Advisory. “But organizations often assume compliance equals protection. True security requires continuous risk assessment and leadership visibility into where vulnerabilities exist.”

In fact, organizations that rely too heavily on compliance alone may unknowingly leave themselves exposed to evolving cyber threats.

by Orlando Business Journal

Chubb: Cyber Claim Severity Nearly Doubled for Large Businesses

Average cyber insurance claim severity for large accounts in the U.S. nearly doubled in 2025, according to a new Chubb report.

The insurer’s 2026 Cyber Claims Report found that average severity for businesses with $1 billion or more in revenue reached about $4.4 million in 2025, up from roughly $2.2 million in 2024. That represented a 586% increase from 2021.

“While severity remained stable in the SME segment, it increased considerably in the middle market and even more dramatically in the large account segment,” the report said. “There are several contributing factors to this increase, including the rise in business interruption expenses and the increasing cost of both data breach- and privacy-related litigation.”

In its cyber claims report, Chubb reported that middle market claim severity rose from about $619,000 to roughly $759,000 year over year. SME severity, meanwhile, fell from roughly $215,000 in 2024 to about $142,000 in 2025.

by insurancejournal.com

9 ways CISOs can combat AI hallucinations

AI-based compliance assessment tools might not be ready for fully independent assessments. For CISOs who are using these tools anyway, here are some best practices to ensure accuracy and avoid risks or fines.

AI hallucinations are a well-known problem and, when it comes to compliance assessments, these convincing but inaccurate outputs can cause real damage: poor risk assessments, incorrect policy guidance, or even inaccurate incident reports.

Cybersecurity leaders say the real trouble starts when AI moves past writing summaries and begins making judgment calls. That’s when it’s asked to decide things such as whether security controls are doing their job, if a company is meeting compliance standards, or if an incident was handled the right way.

Here are nine ways CISOs can tackle the problem of AI hallucinations.

by CSO Online

The external pressures redefining cybersecurity risk

Over the last four years, I’ve watched organizations get blindsided by threats that originated in a third-party network. More than 35% of data breaches are caused by a compromised vendor or partner, not by any failure in the organization’s controls. While many organizations know that the biggest threats to their security come from forces entirely outside their control, that risk is accelerating this year.

Some of those forces come from beyond their network and even far beyond their region. International conflict is influencing attacker behavior in ways that are showing up far from conflict zones. AI-driven automation is reducing the effort required to exploit systems and people. Third-party risk continues to be the most common reason well-defended organizations still suffer serious incidents.

These three factors are creating an environment that is heightening cybersecurity risk. I work with organizations that invest in security, quantify risk and take resilience seriously. Yet when something truly disruptive happens, it is rarely because a basic control was missing.

by CSO Online

SPONSORED BY

Incident Response Forum D.C. 2026 is set for Wednesday, April 22, 2026, at the historic Mayflower Hotel in Washington, D.C.!

Incident Response Forum is the only conference of its kind, bringing together hundreds of cybersecurity and incident response attorneys, in-house counsel and compliance executives, and other top professionals in the field. It is focused solely on the field of Incident Response – the work that begins after a data breach, which has quickly become the fastest-growing practice area at law firms and consulting firms – and is geared specifically for the legal and compliance professionals who have emerged as critical players during the aftermath of a data security incident.

Join us in person or tune in virtually to hear from nearly 50 luminaries in the incident response field, including senior officials from the DOJ and FBI, and lawyers and consultants from the best firms in the world.
