The False Claims Act (“FCA”), the U.S. federal government’s principal civil anti-fraud statute, imposes liability on entities that knowingly submit, or cause the submission of, false or misleading claims for payment to the United States. The FCA has long served as a significant enforcement tool for the U.S. Department of Justice (“DOJ”) in dealing with fraud against the government. In October 2021, the FCA formally reached the realm of cybersecurity with the announcement of the Civil Cyber-Fraud Initiative, and the DOJ continued expanding the FCA’s reach through additional initiatives.

In January 2026, the DOJ announced that cyber-related cases occupied a prominent share ($52 million in nine settlements) of the record-shattering $6.8 billion total FCA recoveries in the fiscal year ending in September 2025. The DOJ reported that cybersecurity fraud resolutions have more than tripled in each of the past two years. As government dollars increasingly flow, with strings attached, to contractors, technology vendors, and research grant recipients that handle sensitive systems and government data, the DOJ is poised to make increasing use of the FCA to address cybersecurity-related shortcomings.

Deputy Assistant Attorney General Brenna Jenny of the DOJ’s Civil Division articulated this approach at the American Conference Institute’s Annual Advanced Forum on False Claims and Qui Tam Enforcement last week. In her remarks, she named cybersecurity fraud as a key FCA enforcement priority and explained that the DOJ expects qui tam filings (i.e., whistleblower suits brought by private relators on behalf of the government under the FCA, with the relator potentially entitled to a share of the recovery) to continue increasing.

Notably, Jenny highlighted that the DOJ’s cyber enforcement is not about punishing victims of data breaches but rather addressing misrepresentations to the government where representations of compliance do not align with actual practices. This approach aligns with questions other federal and state agencies are asking about cybersecurity programs across sectors – e.g., Do organizations understand applicable requirements? Do they invest in the appropriate governance structure? Are there solid mechanisms in place to validate and improve existing controls? As whistleblowers remain key sources for detecting potential noncompliance, maintaining clear channels of communication to take and address concerns from stakeholders and insiders with visibility is crucial.

As cyber-related FCA enforcement continues to gain momentum, building a cross-functional team with (1) clearly defined responsibilities and accountability; (2) a comprehensive understanding of obligations; (3) coordinated reporting and escalation channels to raise and investigate cybersecurity concerns; and (4) an established process to continuously assess the cybersecurity posture (including gaps and plans to address those gaps) with expert assistance will be key to placing organizations on stronger footing.