Navigating Cyber and IT Practices to Legal Safe Harbors

Description

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

In this episode, Justin interviews Katherine Henry of Bradley, Arant, Boult, Cummings, and Harold (Hal) Weston of Georgia State University, Greenberg School of Risk Science, who are here to discuss their new professional report, “A 2025 Cybersecurity Legal Safe Harbor Overview.” Katherine and Hal take the discussion beyond the pages and delve into best cybersecurity practices, cyber insurance, and Safe Harbor laws offered by some states and possibly to be offered soon by others. They discuss frameworks and standards, and what compliance means for your organization, partly based on your state law.

Listen for advice to help you be prepared against cybercrime.

Key Takeaways:

[:01] About RIMS and RIMScast.

[:16] About this episode of RIMScast. We will be joined by the authors of the legislative review, “A 2025 Cybersecurity Legal Safe Harbor Overview”, Katherine Henry and Harold Weston. Katherine and Harold are also prominent members of the RIMS Public Policy Committee.

[:48] Katherine and Harold are also here to talk about Cybersecurity Awareness Month and safe practices. But first…

[:53] RIMS-CRMP Prep Workshops! The next RIMS-CRMP Prep Workshops will be held on October 29th and 30th and led by John Button.

[1:05] The next RIMS-CRMP-FED Virtual Workshop will be held on November 11th and 12th and led by Joseph Mayo. Links to these courses can be found through the Certifications page of RIMS.org and through this episode’s show notes.

[1:23] RIMS Virtual Workshops! RIMS has launched a new course, “Intro to ERM for Senior Leaders.” It will be held again on November 4th and 5th and will be led by Elise Farnham.

[1:37] On November 11th and 12th, Chris Hansen will lead “Fundamentals of Insurance”. It features everything you’ve always wanted to know about insurance but were afraid to ask. Fear not; ask Chris Hansen! RIMS members always enjoy deep discounts on the virtual workshops!

[1:56] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode’s notes.

[2:08] Several RIMS Webinars are being hosted this Fall. On October 16th, Zurich returns to deliver “Jury Dynamics: How Juries Shape Today's Legal Landscape”. On October 30th, Swiss Re will present “Parametric Insurance: Providing Financial Certainty in Uncertain Times”.

[2:28] On November 6th, HUB will present “Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World”. Register at RIMS.org/Webinars.

[2:40] Before we get on with the show, I wanted to let you know that this episode was recorded in the first week of October. That means we are amid a Federal Government shutdown. RIMS has produced a special report on “Key Considerations Regarding U.S. Government Shutdown.”

[2:58] This is an apolitical problem. It is available in the Risk Knowledge section of RIMS.org, and a link is in this episode’s show notes. Visit RIMS.org/Advocacy for more updates.

[3:12] Remember to save March 18th and 19th on your calendars for the RIMS Legislative Summit 2026, which will be held in Washington, D.C. I will continue to keep you informed about that critical event.

[3:24] On with the show! It’s National Cybersecurity Awareness Month here in the U.S. and in many places around the world. Cyber continues to be a top risk among organizations of all sizes in the public and private sectors.

[3:40] That is why I’m delighted that Katherine Henry and Harold (Hal) Weston are here to discuss their new professional report, “A 2025 Cybersecurity Legal Safe Harbor Overview”.

[3:52] This report provides a general overview of expected cybersecurity measures that organizations must take to satisfy legal Safe Harbor requirements.

[4:01] It summarizes state Safe Harbor laws that have been developed to ensure organizations are proactive about cybersecurity and that digital, financial, and intellectual assets are legally protected when that inevitable cyber attack occurs.

[4:15] We are here to extend the dialogue. Let’s get started!

[4:21] Interview! Katherine Henry and Hal Weston, welcome to RIMScast!

[4:41] Katherine was one of he first guests on RIMScast. Katherine is Chair of the Policyholder Insurance Coverage Practice at Bradley, Arant, Boult, Cummings. Her office is based in Washington, D.C. She works with risk managers all day on insurance issues.

[5:05] Katherine has been a member of the RIMS Public Policy Committee for several years. She serves as an advisor to the Committee.

[5:12] Justin thanks Katherine for her contributions to RIMS.

[5:25] Hal is with Georgia State University. He has been with RIMS for a couple of decades. Hal says he and Katherine have served together on the RIMS Public Policy Committee for maybe 10 years.

[5:48] Hal is a professor at Georgia State University, a Clinical Associate in the Robinson College of Business, Greenberg School of Risk Science, where he teaches risk management and insurance. Before his current role, Hal was an insurance lawyer, both regulatory and coverage.

[6:05] Hal has a lot of students. He is grading exams this week. He has standards for his class. In the real world, so does a business.

[6:46] Katherine and Hal met through the RIMS Public Policy Committee. They started together on some subcommittees. Now they see each other at the annual meeting and on monthly calls.

[7:05] Katherine and Hal just released a legislative review during RIMS’s 75th anniversary, “A 2025 Cybersecurity Legal Safe Harbor Overview”. It is available on the Risk Knowledge page of RIMS.org.

[7:20] We’re going to get a little bit of dialogue that extends beyond the pages.

[7:31] Katherine explains Safe Harbor: When parties are potentially liable to third parties for claims, certain states have instilled Safe Harbor Laws that say, If you comply with these requirements, we’ll provide you some liability protection.

[7:45] Katherine recommends that you read the paper to see what the laws are in your state. The purpose of the paper is to describe some of those Safe Harbor laws, as well as all the risks.

[8:04] October 14th, the date this episode is released, is World Standards Day. Hal calls that good news. Justin says the report has a correlation with the standards in the risk field.

[8:43] Justin states that many states tie Safe Harbor eligibility to frameworks like NIST, the ISO/IEC 27000, and CIS Controls.

[9:27] Hal says, There are several standards, and it would be up to the Chief Information Security Officer to guide a company on which framework might be most appropriate for them. There are the NIST, UL, and ISO, and they overlap quite a bit.

[9:56] These are recognized standards. In some states, if a company has met this standard of cybersecurity, a lawsuit against the company for breach of its standard of care for maintaining its information systems would probably be defensible for having met a recognized standard.

[10:23] Katherine adds that as risk managers, we can’t make the decision about which of these external standards is the best. Many organizations have a Cybersecurity Officer responsible for this.

[10:44] For smaller organizations, there are other options, including outsourcing to a vendor. Their insurance companies may have recommendations. So you’re not on your own in making this decision.

[11:14] Katherine says firms should definitely aim for one recognized standard. Katherine recommends you try to adhere to the highest standard. If you are global, you need to be conscious of standards in other countries.

[11:46] Hal says California tends to have the highest standards for privacy and data protection. If you’re a financial services company, you’re subject to New York State’s Department of Financial Services Cyber Regulation.

[12:02] If you’re operating in Europe, GDPR is going to be the guiding standard for what you should do. Hal agrees with Katherine: Any company that spans multiple states should pick the highest standard and stick to that, rather than try to implement five or 52 standards.

[12:23] When you’re overseas, you may not be able to just pick the highest standard; there are challenges in going from one country or region of Europe back to the U.S. If one is higher, it will probably be easier.

[12:38] There are major differences between the U.S., which has little Federal protection, vs. state protection.

[13:10] Katherine says if you don’t have the internal infrastructure, and you can’t afford that infrastructure, the best thing is to pivot to an outside vendor. There are many available, with a broad price range. Your cyber insurer may also have some vendors they already work with.

[13:40] Hal would add, Don’t just think about Safe Harbors. That’s just a legal defense. Think about how you reduce the risk by adopting standards or hiring outside firms that will provide that kind of risk protection and IT management.

[13:59] If they’re doing it right, they may tell you the standards they use, and they may have additional protocols, whether or not they fall within those standards, that would also be desirable. A mid-sized firm is probably outsourcing it to begin with.

[14:21] They have to be thinking about it as risk, rather than just Safe Harbor. You have to navigate to the Safe Harbor. You don’t just get there.

[14:31] Quick Break! RISKWORLD 2026 will be in Philadelphia, Pennsylvania, from May 3rd through the 6th. RIMS members can now lock in the 2025 rate for a full conference pass to RISKWORLD 2026 when you register by October 30th!

[14:50] This also lets you enjoy earlier access to the RISKWORLD hotel block. Register by October 30th, and you will also be entered to win a $500 raffle! Do not miss out on this chance to plan and score some of these extra perks!

[15:03] The members-only registration link is in this episode’s show notes. If you are not yet a member, this is the time to join us! Visit RIMS.org/Membership and build your network with us here at RIMS!

[15:16] The RIMS Legislative Summit 2026 is mentioned during today’s episode. Be sure to mark your calendar for March 18th and 19th in Washington, D.C. Keep those dates open.

[15:28] Join us in Washington, D.C., for two days of Congressional Meetings, networking, and advocating on behalf of the risk management community. Visit RIMS.org/Advocacy for more information and updates.

[15:41] Let’s return to our interview with Katherine Henry and Hal Weston!

[15:54] We’re talking about their new paper, “A 2025 Cybersecurity Legal Safe Harbor Overview”. Katherine mentions that some businesses are regulated. They have to comply with external regulatory standards.
[16:38] Other small brick-and-mortar businesses may not have any standards they have to comply with. They look for what to do to protect themselves from cyber risk, and how to tell others they are doing that.

[16:54] If you can meet the standards of Safe Harbor laws, a lot of which are preventative, before a breach, you can inform your customers, “These are the protections we have for your data.” You can tell your board, “These are the steps we’re taking in place.”

[17:13] You can look down the requirements of the Safe Harbor law in your state or a comparable state, and see steps you can take in advance so you can say, “We are doing these things and that makes our system safer for you and protects your data.”

[17:34] Hal says you don’t want to have a breach, and if you do, it would be embarrassing to admit you were late applying a patch, implementing multi-factor authentication, or another security measure. By following standards of better cyber protection, you avoid those exposures.

[18:07] Hal says every company has either been hacked and knows it, or has been hacked and doesn’t know it. If you’re attacked by a nation-state that is non-preventable, you’re in good shape.

[18:26] If you’re attacked because you’ve left some ports open on your system, or other things that are usually caught in cybersecurity analyses or assessments, that’s the embarrassing part. You don’t want to be in that position.

[18:43] Katherine says it’s not just your own systems, but if you rely on vendors, you want to ensure that the vendors have the proper security systems in place so that your data, to the extent that it’s transmitted to them, is not at risk.

[19:07] Also, make sure that your vendors have cyber insurance and that you’re an additional insured on that vendor’s policy if there’s any potential exposure.

[19:22] Hal says If you’re using a cloud provider, do you understand what the cloud provider is doing? In most cases, they will provide better security than what you could do on your own, but there have been news stories that even some of those have not been perfect.

[20:22] Hal talks about the importance of encryption. It’s in the state statutes and regulations. There have been news stories of companies that didn’t encrypt their data on their servers or in the cloud, and didn’t understand encryption, when a data breach was revealed.

[20:52] Hal places multi-factor authentication up with encryption in importance. There was a case brought against a company that did not have MFA, even though it said on its application on the cyber policy that the company used it.

[21:13] Hal says these are standard, basic things that no company should be missing. If you don’t know that your data is encrypted, get help fast to figure that out.

[21:51] Hal has also seen news stories of major companies where the Chief Technology Officer has been sued individually, either by the SEC or others, for not doing it right.

[22:07] Katherine mentions there are insurance implications. If you mistakenly state you’re providing some sort of protection on your insurance application that you’re not providing, the insurer can rescind your coverage, so you have no coverage in place at all.

[22:23] Katherine says, These are technical safeguards, but we know the human factor is one of the greatest risks in cybersecurity. Having training for everyone who has access to your computer system, virtually everyone in your organization, is very important.

[22:49] Have a test with questions like, Is this a spam email or a real email? There are some vendors who can do all this for you. Statistics show that the human element is one of the most significant problems in cybersecurity protection.

[23:05] Justin says it’s October, Cybersecurity Awareness Month in the U.S. Last week’s guest, Gwenn Cujdik, the Incident Response and Cyber Services Lead for North America at AXA XL, said the number one cyber risk is human error, like clicking the phishing link.

[23:45] Justin brings up that when he was recently on vacation, he got an email on his personal email account, “from his CEO,” asking him to handle something for them. Justin texted somebody else at RIMS, asking if they got the same email, and they hadn’t.

[24:14] Justin sent the suspect email to the IT director to handle. You have to be vigilant. Don’t let your guard down for a second.

[24:48] Katherine has received fake emails, as well.

[24:51] Hal says it has happened to so many people. Messages about gift cards or the vendor having a new bank account. Call the vendor that you know and ask what this is.

[25:12] Hall continues. It’s important to train employees in cybersecurity, making sure that they are using a VPN when they are outside of the office, or even a VPN that’s specific to your company.

[25:32] Hal saw in the news recently that innocent-looking PDF files can harbor lots of malware. If you’re not expecting a PDF file from somebody, don’t click on that, even if you know them. Get verification. Start a new thread with the person who sent it and ask if it is a legitimate PDF.

[26:08] Justin says of cybercriminals that they are smart and their tactics evolve faster than legislation. How can organizations anticipate the next generation of threats?

[26:34] Katherine says, You need to have an infrastructure in your organization that does that, or you need to go to an outside vendor. You need some sort of protection, internally or externally.

[27:11] Katherine says she works with CFOs all the time. If an organization isn’t large enough to have a risk manager, it’s a natural fit for the CFO, who handles finances, to handle insurance. When it comes to cybersecurity, a CFO needs help.

[27:46] The CFO should check the cyber policy to see what support services are already there and see if there are any that are preventative, vs. after a breach. If there are not, Katherine suggests pivoting to an outside vendor.

[28:07] Hal continues, This interview is for RIMS members who are risk managers and the global risk community. Risk managers don’t claim to know all the risk control measures throughout a company. They rely upon the experts in the company and outside.

[28:29] If the CFO is the risk manager, he or she has big gaps in expertise needed for risk management. It’s the same for the General Counsel running risk management. Risk managers are known for having small staffs and working with everybody else to get the right answers.

[28:55] If you’re dealing with the CFO or General Counsel in those roles, they need to be even more mindful to work with the right experts for guidance.

[29:09] One Final Break! As many of you know, the RIMS ERM Conference 2025 will be held on November 17th and 18th in Seattle, Washington. We recently had ERM Conference Keynote Speaker Dan Chuparkoff on the show.

[29:26] He is back, just to deliver a quick message about what you can expect from his keynote on “AI and the Future of Risk.” Dan, welcome back to RIMScast!

[29:37] Dan says, Greetings, RIMS members and the global risk community! I’m Dan Chuparkoff, AI expert and the CEO of Reinvention Labs. I’m delighted to be your opening keynote on November 17th at the RIMS ERM Conference 2025 in Seattle, Washington.

[29:52] Artificial Intelligence is fueling the next era of work, productivity, and innovation. There are challenges in navigating anything new. This is especially true for risk management, as enterprises adapt to shifting global policies, economic swings, and a new generation of talent.

[30:10] We’ll have a realistic discussion about the challenges of preparing for the future of AI. To learn more about my keynote, “AI and the Future of Risk Management,” and how AI will impact Enterprise Risk Management for you, listen to my episode of RIMScast at RIMS.org/Dan.

[30:29] Be sure to register for the RIMS ERM Conference 2025, in Seattle, Washington, on November 17th and 18th, by visiting the Events page on RIMS.org. I look forward to seeing you all there.

[30:40] Justin thanks Dan and looks forward to seeing him again on November 17th and hearing all about the future of AI and risk management!

[30:48] Let’s Conclude Our Interview about Navigating Cyber and IT Practices to Legal Safe Harbors with Katherine Henry and Hal Weston!

[31:17] Katherine tells about how Safe Harbor compliance influences cyber insurance. If your organization applies for cyber insurance and you can’t meet some minimum threshold that will be identified on the application, the insurer will not even offer you cyber insurance.

[31:34] You need to have some cyber protections in place. That’s just to procure insurance. Cyber insurance availability is growing. Your broker can bring you more insurers to quote if you can show robust safeguards.

[32:05] After the breach, your insurer is supposed to step in to help you. Your insurer will be mindful of whether or not your policy application is correct and that you have all these protections in place.

[32:21] The more protections you have, the quicker you might be able to shut down the breach, and the resulting damage from the breach, and that will lower the resulting cost of the claim and have less of an impact on future premiums.

[32:36] If the cyber insurer just had to pay out the limits because something wasn’t in place, that quote next year is not going to look so pretty. Your protections have a direct impact on both the availability and cost of coverage.

[32:50] Justin mentions that the paper highlights Connecticut, Tennessee, Iowa, Ohio, Utah, and Oregon as the states with Safe Harbor laws. The Federal requirements are also listed. Katherine expects that more states will offer Safe Harbor laws as cybercrime lawsuits increase.

[33:42] Hal says Oregon, Ohio, and Utah were the leaders in creating Safe Harbors. Some of the other states have followed. Safe Harbor is a statutory protection against liability claims brought by the public.

[34:06] In other states, you can’t point to a statute that gives protection, but you can say you complied with the highest standards in the nation, and you probably have a pretty defensible case against a claim for not having kept up with your duty to protect against a cyber attack.

[34:55] Hal adds that every company is going to be sued, and the claim is that you failed to do something. If you have protected yourself with all the known best practices, as they evolve, what more is a company supposed to do?

[35:18] The adversaries are nation-states; they are professional criminals, sometimes operating under the protection of nation-states, and they’re using artificial intelligence to craft even more devious ways to get in.

[36:19] Katherine speaks from a historical perspective. A decade ago, cyber insurance was available, but there was no appetite for it. There wasn’t an understanding of the risk.

[36:32] As breaches began to happen and to multiply, in large amounts of exposure, with companies looking at millions of dollars in claims, interest grew. Katherine would be surprised today if any responsible board didn’t take cyber risk extremely seriously.

[36:55] The board’s decision now is what limits to purchase and from whom, and not, “Should we have cyber insurance at all?” Katherine doesn’t think it’s an issue anymore in any medium-sized company.

[37:17] The risk manager should present to the board, “We benchmark. Our broker benchmarks. Companies of our size have had this type of claim, with this type of exposure, and they’ve purchased this amount of limits. We need to be at least in that place.” Boards will be receptive.

[37:43] If they are not receptive, put on a PowerPoint with all the data that’s out there about how bad the situation is. The average cost of a breach is well over $2 million. The statistics are quite alarming. A wise decision-maker will understand that you need to procure this coverage.

[38:10] Katherine says, from the cybersecurity side, you procure the coverage, you protect the company, and take advantage of the Safe Harbors. All of those things come together with the preventative measures we’ve been talking about.

[38:24] You can show your decision-makers and stakeholders that if you do all those things, comply with these Safe Harbor provisions, you’re going to minimize your exposure, increase the availability of insurance, and keep your premiums down. It’s a win-win package.

[38:41] Justin says, It has been such a pleasure to meet you, Hal, and thank you for joining us. Katherine, it is an annual pleasure to see you. We’re going to see you, most likely, at the RIM Legislative Summit, March 18th and 19th, 2026, in Washington, D.C.

[39:01] Details to come, at RIMS.org/Advocacy. Katherine, you’ll be there to answer questions. Katherine looks forward to the Summit. She has gone there for years. It’s a great opportunity for risk managers to speak directly to decision-makers about things that are important to them.

[39:42] Special thanks again to Katherine Henry and Hal Weston for joining us here today on RIMScast! Remember to download the new RIMS Legislative Review, “A 2025 Cybersecurity Legal Safe Harbor Overview”.

[39:58] We are past the 30-day mark now, so the review is publicly available through the Risk Knowledge Page of RIMS.org. You can also visit RIMS.org/Advocacy for more information. In this episode’s notes, I’ve got links to Katherine’s prior RIMScast appearances.

[40:18] Plug Time! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in the show notes.

[40:47] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate and help you reach them! Contact pd@rims.org for more information.

[41:05] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.

[41:22] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.

[41:39] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management.

[41:53] Justin Smulison is the Business Content Manager at RIMS. Please remember to subscribe to RIMScast on your favorite podcasting app. You can email us at Content@RIMS.org.

[42:05] Practice good risk management, stay safe, and thank you again for your continuous support!

Links:

RIMS Professional Report: “A 2025 Cybersecurity Legal Safe Harbor Overview”

RISK PAC | RIMS Advocacy | RIMS Legislative Summit SAVE THE DATE — March 18‒19, 2026

RIMS ERM Conference 2025 — Nov. 17‒18

RISKWORLD 2026 — Members-only early registration through Oct 30!

RIMS-Certified Risk Management Professional (RIMS-CRMP)

The Strategic and Enterprise Risk Center

RIMS Diversity Equity Inclusion Council

RIMS Risk Management magazine | Contribute

RIMS Now

Cybersecurity Awareness Month