In the digital era where cyber threats are on the rise, the concept of 'reasonable cybersecurity' holds great importance, especially for organizations handling sensitive data. The lack of a precise definition of what constitutes 'reasonable cybersecurity' led the Center for Internet Security (CIS) to release a guide in collaboration with technical cybersecurity and legal experts. Reasonable cybersecurity is subjective and dynamic, dependent on factors like industry practices, data sensitivity, resources, and available technology.

Reasonable Cybersecurity emphasizes the need for a clear definition

Federal and state governments in the U.S. have laws requiring organizations to implement 'reasonable' cybersecurity measures but lack clear guidelines. The guide stresses the importance of choosing and implementing a framework correctly to demonstrate due care. It suggests using recognized standards like the CIS Critical Security Controls, and advises organizations to conduct regular risk assessments and disaster recovery planning to enhance cybersecurity defenses. Lawyers, courts, and regulators also play crucial roles in understanding and implementing reasonable cybersecurity practices to prevent data breaches and reduce litigation. The guide aims to offer a methodology for determining what qualifies as reasonable cybersecurity, aligning cybersecurity programs with industry best practices to protect organizations' operations and customers' data effectively.
https://www.cisecurity.org/insights/blog/reasonable-cybersecurity-on-the-need-for-a-definition