Compliance gets a bad rap as a cost center where its implemented, but a leading public research university might now be hoping it made the investment anyway.

Georgia Institue of Technology (which we Atlantans call Georgia Tech or just “Tech”) is under investigation by the U.S. Department of Justice for misrepresenting its compliance controls.

Misrepresenting endpoints and controls

As a contract awardee of the Department of Defense, Georgia Tech was required to adhere to NIST 800-171 cybersecurity standards. NIST 800 is an evolution of more basic compliance frameworks like SOC 2 Types I and II. Adherence to additional cybersecurity compliance rules is extremely common for organizations – public or private – that work with Uncle Sam.

The DoJ essentially makes two claims about Georgia Tech’s alleged lack of compliance: that they misrepresented their endpoints (read: potential vulnerabilities) and that they failed to implement required security controls, including fairly basic ones like installing anti-malware apps on their systems.

The U.S. government treats non-compliance about as seriously as you’d expect. A special agent-in-charge on the case said:

Deficiencies in cybersecurity controls pose a significant threat not only to our national security, but also to the safety of the men and women of our armed services that risk their lives daily. As force multipliers, we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserve.

Beyond public sector risk

There’s arguably no greater risk to organizational non-compliance than loss of life. Thankfully for Georgia Tech, their alleged non-compliance probably won’t result in anyone’s physical harm. The risk of litigation, though, is just as real for private companies who skip compliance and business insurance as it is for public research universities.

When customers include compliance controls as a prerequisiteto their business they’re not suggestions; they’re requirements for the partnership. Often these requirements can be as straightforward as having comprehensive business insurance and adhering to SOC 2 Type I compliance controls.

Koop’s customer assurance platform helps tech companies seamlessly navigate the complexities of business insurance, regulatory compliance, and security automation in one place.

‍We provide a comprehensive suite of insurance coverage that includes General Liability, Technology Errors & Omissions, Cyber Liability, and Management Liability coupled with the most cost-effective SOC 2 compliance certification on the market.

‍Ready to learn more? Visit our website at https://www.koop.ai or drop us a note at hello@koop.ai.

article highlights: