The U.S. Department of Justice (DOJ) has escalated its enforcement of cybersecurity compliance under the False Claims Act (FCA). Recent settlements totalling $11.5 million against Illumina Inc. and Aero Turbine Inc. underscore that companies can face liability for misrepresenting their cybersecurity measures—even if no breach occurs.

The DOJ’s actions highlight that cybersecurity is increasingly viewed not only as a technical matter but also as a legal and contractual obligation. Private equity owners were also implicated, signalling that corporate structures will not shield firms from accountability.

This shift places added pressure on contractors and vendors, especially those dealing with federal agencies. For companies across industries, the message is clear: cybersecurity compliance must be demonstrable, auditable, and embedded in corporate governance.