Navigating Cyber and IT Practices to Legal Safe Harbors

Update: 2025-10-14

Description

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

 

In this episode, Justin interviews Katherine Henry of Bradley, Arant, Boult, Cummings, and Harold (Hal) Weston of Georgia State University, Greenberg School of Risk Science, who are here to discuss their new professional report, “A 2025 Cybersecurity Legal Safe Harbor Overview”. Katherine and Henry share helpful insights into safe cybersecurity practices, cyber insurance, and Safe Harbor laws offered by some states and possibly to be offered soon by others. They discuss frameworks and standards, and what compliance means for your organization, partly based on your state law.

 

Listen for advice to help you be prepared against cybercrime.

 

Key Takeaways:

[:01] About RIMS and RIMScast.

[:16] About this episode of RIMScast. We will be joined by the authors of the legislative review, “A 2025 Cybersecurity Legal Safe Harbor Overview”, Katherine Henry and Harold Weston. Katherine and Harold are also prominent members of the RIMS Public Policy Committee.

[:48] Katherine and Harold are also here to talk about Cybersecurity Awareness Month and safe practices. But first… 

[:53] RIMS-CRMP Prep Workshops! The next RIMS-CRMP Prep Workshops will be held on October 29th and 30th and led by John Button.

[1:05] The next RIMS-CRMP-FED Virtual Workshop will be held on November 11th and 12th and led by Joseph Mayo. Links to these courses can be found through the Certifications page of RIMS.org and through this episode’s show notes.

[1:23] RIMS Virtual Workshops! RIMS has launched a new course, “Intro to ERM for Senior Leaders.” It will be held again on November 4th and 5th and will be led by Elise Farnham.

[1:37] On November 11th and 12th, Chris Hansen will lead “Fundamentals of Insurance”. It features everything you’ve always wanted to know about insurance but were afraid to ask. Fear not; ask Chris Hansen! RIMS members always enjoy deep discounts on the virtual workshops!

[1:56] The full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode’s notes.

[2:08] Several RIMS Webinars are being hosted this Fall. On October 16th, Zurich returns to deliver “Jury Dynamics: How Juries Shape Today's Legal Landscape”. On October 30th, Swiss Re will present “Parametric Insurance: Providing Financial Certainty in Uncertain Times”.

[2:28] On November 6th, HUB will present “Geopolitical Whiplash — Building Resilient Global Risk Programs in an Unstable World”. Register at RIMS.org/Webinars.

[2:40] Before we get on with the show, I wanted to let you know that this episode was recorded in the first week of October. That means we are amid a Federal Government shutdown. RIMS has produced a special report on “Key Considerations Regarding U.S. Government Shutdown.”

[2:58] This is an apolitical problem. It is available in the Risk Knowledge section of RIMS.org, and a link is in this episode’s show notes. Visit RIMS.org/Advocacy for more updates.

[3:12] Remember to save March 18th and 19th on your calendars for the RIMS Legislative Summit 2026, which will be held in Washington, D.C. I will continue to keep you informed about that critical event.

[3:24] On with the show! It’s National Cybersecurity Awareness Month here in the U.S. and in many places around the world. Cyber continues to be a top risk among organizations of all sizes in the public and private sectors.

[3:40] That is why I’m delighted that Katherine Henry and Harold (Hal) Weston are here to discuss their new professional report, “A 2025 Cybersecurity Legal Safe Harbor Overview”.

[3:52] This report provides a general overview of expected cybersecurity measures that organizations must take to satisfy legal Safe Harbor requirements.

[4:01] It summarizes state Safe Harbor laws that have been developed to ensure organizations are proactive about cybersecurity and that digital, financial, and intellectual assets are legally protected when that inevitable cyber attack occurs.

[4:15] We are here to extend the dialogue. Let’s get started!

[4:21 ] Interview! Katherine Henry and Hal Weston, welcome to RIMScast!

[4:41] Katherine was one of the first guests on RIMScast. Katherine is Chair of the Policyholder Insurance Coverage Practice at Bradley, Arant, Boult, Cummings. Her office is based in Washington, D.C. She works with risk managers all day on insurance issues.

[5:05 ] Katherine has been a member of the RIMS Public Policy Committee for several years. She serves as an advisor to the Committee.

[5:12 ] Justin thanks Katherine for her contributions to RIMS.

[5:25 ] Hal is with Georgia State University. He has been with RIMS for a couple of decades. Hal says he and Katherine have served together on the RIMS Public Policy Committee for maybe 10 years.

[5:48 ] Hal is a professor at Georgia State University, a Clinical Associate in the Robinson College of Business, Greenberg School of Risk Science, where he teaches risk management and insurance. Before his current role, Hal was an insurance lawyer, both regulatory and coverage.

[6:05 ] Hal has a lot of students. He is grading exams this week. He has standards for his class. In the real world, so does a business.

[6:46 ] Katherine and Hal met through the RIMS Public Policy Committee. They started together on some subcommittees. Now they see each other at the annual meeting and on monthly calls.

[7:05 ] Katherine and Hal just released a legislative review during RIMS’s 75th anniversary, “A 2025 Cybersecurity Legal Safe Harbor Overview”. It is available on the Risk Knowledge page of RIMS.org.

[7:20 ] We’re going to get a little bit of dialogue that extends beyond the pages.

[7:31 ] Katherine explains Safe Harbor: When parties are potentially liable to third parties for claims, certain states have instilled Safe Harbor Laws that say, If you comply with these requirements, we’ll provide you some liability protection.

[7:45 ] Katherine recommends that you read the paper to see what the laws are in your state. The purpose of the paper is to describe some of those Safe Harbor laws, as well as all the risks.

[8:04 ] October 14th, the date this episode is released, is World Standards Day. Hal calls that good news. Justin says the report has a correlation with the standards in the risk field.

[8:43 ] Justin states that many states tie Safe Harbor eligibility to frameworks like NIST, the ISO/IEC 27000, and CIS Controls.

[9:27 ] Hal says, There are several standards, and it would be up to the Chief Information Security Officer to guide a company on which framework might be most appropriate for them. There are the NIST, UL, and ISO, and they overlap quite a bit.

[9:56 ] These are recognized standards. In some states, if a company has met this standard of cybersecurity, a lawsuit against the company for breach of its standard of care for maintaining its information systems would probably be defensible for having met a recognized standard.

[10:23 ] Katherine adds that as risk managers, we can’t make the decision about which of these external standards is the best. Many organizations have a Cybersecurity Officer responsible for this.

[10:44 ] For smaller organizations, there are other options, including outsourcing to a vendor. Their insurance companies may have recommendations. So you’re not on your own in making this decision.

[11:14 ] Katherine says firms should definitely aim for one recognized standard. Katherine recommends you try to adhe
