Aerojet Rocketdyne to Pay $9 Million over Cybersecurity Violations

The aerospace and defense giant Aerojet Rocketdyne has agreed to pay $9 million to settle allegations made by an employee regarding the organization’s cybersecurity compliance practices.

The accusations date back to 2015, when Brian Markus – the former senior director of cybersecurity, compliance, and controls – filed a lawsuit under the False Claims Act stating that the company fraudulently procured federal government contracts.

Aerojet Rocketdyne is a major supplier for the U.S. government, including NASA and the Defense Department. As such, it is required to comply with federal laws and meet minimum cybersecurity standards to prevent unauthorized access to sensitive information.

But Markus, who was hired by the company in 2014 after it suffered a cyber attack, claimed that the organization fell well short of those standards and lied about it to the government and its board of directors.

He added that he had been promised a budget of between $10 million and $15 million and up to 35 employees to bolster the organization’s cybersecurity practices, but was only given a $3.8 million budget and fewer than ten employees.

Major compliance gaps

Following the 2013 cyber attack, Aerojet Rocketdyne hired Markus and subsequently conducted a cybersecurity audit. According to the lawsuit, that assessment revealed that the organization complied with less than 25% of its compliance requirements.

Markus states that he prepared a presentation to inform the board of Aerojet’s non-compliance, but the president at the time, Warren Boley, changed the contents of that presentation to hide crucial information.

The following year, EY conducted a cybersecurity assessment and discovered that Aerojet’s systems contained numerous critical vulnerabilities that could be exploited to access highly sensitive corporate and technical information.

Markus’ employment contract was terminated in September 2015, just a few months after he allegedly refused to sign documents falsely claiming that his employer was compliant with cybersecurity requirements.

In a court filing in April this year, Aerojet said it “made many detailed disclosures to the relevant government agencies regarding the state of its compliance with these cybersecurity standards in 2014, 2015, and beyond.”

Markus and Aerojet reached a settlement of the case on the second day of the trial, and it was approved by the U.S. District Court in California on July 5. Markus will receive $2.61 million.

Aerojet Rocketdyne did not admit any wrongdoing as part of the settlement.

Listen to the experts

Perhaps the most confusing part of this lawsuit is why Aerojet Rocketdyne refused to address its compliance weaknesses after they had been identified.

Taking the necessary steps to improve its security practices would no doubt have been expensive, but the organization had only recently suffered a cyber attack and surely would have been aware of the damage that can be caused.

The decision would perhaps have been more understandable if Aerojet Rocketdyne were a small company dealing with a limited budget. In that case, a cyber attack would have severely hampered its financial standing.

However, the company has a net worth of over $3.2 billion, so as costly as the damage was, it will have made only a minor dent in its budget. Yet that’s not the only thing that was at stake.

Aerojet Rocketdyne should have been far more concerned that its partners would discover that it had misrepresented its compliance status and sever its government contracts.

Aerojet Rocketdyne has ultimately paid for its poor judgment in the form of a $9 million penalty, but other organizations that make the same mistake won’t get away so easily. A data breach, particularly one caused by negligence, can cause huge financial and reputational damage.

Although regulators and stakeholders now understand that security incidents are part of modern business – there are simply too many threats to eradicate them all – they will take less kindly to avoidable breaches.

That means ensuring that your information security and data protection practices meet compliance requirements, and taking care to actively monitor the effectiveness of your defenses.

Doing so means listening to expert advice and identifying issues that must be resolved. With IT Governance USA’s Cyber Health Check service, we provide the guidance you need to create strong, compliant defenses.

The three-day assessment combines an on-site audit with remote vulnerability assessments and an online staff survey to assess your cyber risk exposure.

Our team of experts will also provide consultancy support, helping you identify a practical route to minimize your risks.