A recent Department of Justice (“DOJ”) settlement highlights the importance of assessing cybersecurity compliance for government contractors during mergers and acquisitions (“M&A”). In April 2025, DOJ announced an $8.4 million settlement with a defense contractor resolving alleged cybersecurity noncompliance by a company it acquired. Notably, under the settlement, the acquiring company was liable for cybersecurity noncompliance that occurred prior to the acquisition.
In the M&A context, successor liability arises when an acquiring company becomes responsible for liabilities, obligations, or wrongful acts committed by the company to be acquired prior to the acquisition. Fundamentally, successor liability ensures that a corporate acquisition does not allow the acquired entity to escape accountability. In the settlement, DOJ explicitly named the acquiring company as the “successor in liability” for the acquired company’s alleged violations, even though the conduct at issue occurred years before the acquisition. This underscores the importance for acquirers to add cybersecurity compliance to the issues vetted during due diligence.
Read the full post on our Government Contracts Navigator blog.
This blog post was reprinted in Westlaw Today on August 22, 2025.
