In our August 1 post, we discussed how companies that acquire government contractors can inherit False Claims Act (“FCA”) exposure based on their targets’ cybersecurity violations. Now, the Department of Justice (“DOJ”) has delivered another vivid real-world example: a $1.75 million settlement in which a private equity (“PE”) firm, Gallant Capital Partners LLC, was named jointly and severally liable for its portfolio company’s cybersecurity violations on a U.S. Air Force contract.
The outcome underscores two critical truths. First, DOJ will pursue financial sponsors when a contractor in their portfolio fails to comply with its contractual cybersecurity requirements. Second, investors that fail to ask about, document, and remediate a target’s security shortcomings can find themselves financing both the acquisition and the government’s recovery.
Allegations in Settlement Agreement with Gallant and ATI
From 2019 to 2024, Gallant, through investment funds for which it acted as an advisor, owned a controlling stake in Aero Turbine Inc. (“ATI”). Between January 2018 and February 2020, during performance of a U.S. Air Force contract, ATI allegedly submitted claims while not complying with multiple NIST SP 800-171 controls incorporated through DFARS 252.204-7012. Additionally, ATI and Gallant allegedly failed to safeguard controlled unclassified information (“CUI”), which required limiting access to authorized users, when they provided files containing protected information to a software company based in Egypt.
Although ATI and Gallant voluntarily disclosed the issues, cooperated, and swiftly remediated, DOJ still held both entities liable for “knowingly” submitting false claims.
Further, Gallant’s status as a non-operating financial owner offered no safe harbor. The settlement agreement styles Gallant as a direct defendant, making clear that equity control, board oversight, and involvement in the contractor’s information system were enough to trigger FCA exposure.
Key Takeaways
- Cyber Is a Core Deal Risk—Treat It That Way. Traditional diligence checklists are insufficient. Buyers must thoroughly evaluate a seller’s cybersecurity compliance posture. This includes evaluating the system security plans, Plans of Action & Milestones (“POA&Ms”), incident-response protocols, and subcontractor cyber hygiene.
- Voluntary Disclosure Helps—But Does Not Erase Liability. ATI and Gallant received cooperation credit that reduced the ultimate payment. Yet the $1.75 million price tag illustrates that disclosure mitigates damages; it does not guarantee a government pass.
- Buyers Must Treat Post-Closing Remediation Seriously. As DOJ’s Cyber-FCA initiative matures—and as Cybersecurity Maturity Model Certification (“CMMC”) requirements take hold—acquirers should budget for accelerated remediation post-closing.
- Representations, Warranties, and Indemnities Need a Cyber Refresh. Allocation of risk on paper cannot replace factual compliance. Nonetheless, well-crafted representations tied to NIST controls, third-party assessments, and CUI handling can give buyers options if latent defects surface after signing.