Reasonable Cyber Security

January 04, 2022

You may have heard of the "reasonable man" concept. You probably know the term "reasonable expectations". In 2022 the question of reasonable cyber security must be considered by all organizations.

The internet was created at a time when threat actors, data breaches and ransomware did not exist; consequently it developed with little concern for security. Now we live and work in a digital world where security is essential and no one can be trusted. What was considered adequate security a decade ago no longer meets reasonable expectations.

Reasonable cyber security does not and cannot totally eliminate risk. No system is foolproof, but businesses must demonstrate a duty of care to protect their employees and customers from harm. When defining reasonable security, compliance with laws and regulations is not enough. According to cyber security firm Halock, reasonable security means safeguards that do not pose a higher risk to an organization than the lack of them poses to others.

There is no "one size fits all" approach to cybersecurity. Each organization needs to do its own risk assessment and establish a plan based on reasonable controls. There must be a balance between business goals, regulatory requirements, and social responsibility. 

According to Halock, 2021 was "the year of reasonable security". Their post lists the actions taken during the year.

  • The Sedona Conference provided a cost analysis for a reasonable security test.
  • The Center for Internet Security (CIS) issued updated Critical Security Controls.
  • The California Privacy Rights Act was passed as an extension of the CCPA; effective date is January 1, 2023 but some privacy and data security requirements are effective this year.
  • California also enacted the Genetic Information Privacy Act with security requirements for direct-to-consumer companies.
  • Connecticut followed Ohio and Utah with a "safe harbor" for companies with reasonable security measures.
  • The FTC revised its safeguards rule for service provider oversight.
  • The CIS released a new approach to risk, based on how cyber events will play out.

Going forward, the California Privacy Protection Agency (CPPA) must adopt final regulations by July 1, 2022. New privacy laws will take effect next January in Colorado and Virginia. As threats and new legislation increase, companies must adopt reasonable measures to address them.