Safe harbor is not insurance
A client asked me last month whether the new Texas cyber statute means he can drop his cyber insurance. The answer is no, and the reason is worth a post.
SB 2610 is a defense, not coverage. A safe harbor reduces the worst-case verdict. Insurance pays the bill. They are not substitutes. Used together, they are a coherent strategy. Used as substitutes, they leave large holes.
What does the safe harbor actually defend against? Punitive or exemplary damages — the part of a Texas verdict where a jury, having found the defendant liable, decides to multiply the actual damages as a signal. Punitive awards in cyber cases have been the difference between a survivable incident and a company-ending one. Removing that risk is meaningful. Removing it does not remove the other risks.
Here is what the safe harbor does not touch: the actual damages your customers, employees, or partners can prove; the statutory penalties under federal or state law that apply by their own terms; regulatory enforcement from agencies whose authority comes from a different statute; contract liabilities you accepted in your customer or vendor agreements; reputational damage; operational downtime; and the cost of notification, credit monitoring, and forensics. None of that is shielded.
What it does mean is that if you can demonstrate you had a written, framework-aligned cybersecurity program that reasonably conforms to a recognized standard, and that you were maintaining it at the time of the incident, the punitive multiplier comes off the table. That alone changes the calculus of whether to settle, what reserves to set, and how aggressively plaintiff counsel will pursue you.
What reasonable means in a Texas courtroom is the next question. The statute does not define it precisely, which is intentional. It will be determined case by case. But here is what we know already from how Texas courts have treated analogous statutes. Reasonable means written. Reasonable means current. Reasonable means dated. Reasonable means scoped to your size — a 40-person firm is not held to the same standard as a 240-person firm, and the statute's three tiers reflect that. Reasonable means evidence: a quarterly review document, an asset inventory, a policy acknowledgment from every employee, a record of training, a tested incident response plan.
What it does not mean is "we bought EDR and our IT guy says we are fine."
The actual deliverable of a cyber program — under SB 2610, under FTC Safeguards, under any insurance policy with conditions, under the state attorney general's eye — is documentation. The tools are the means. The documentation is the proof.
The question to ask your IT provider this quarter is simple: if we got breached today, and a plaintiff lawyer subpoenaed our cybersecurity program documentation, what would you hand them? If the answer is "I would put something together," you do not have a program. You have a tooling stack and good intentions.