What started as a cybersecurity engagement quickly revealed a bigger issue. As Guardian worked with a Texas technology company, vulnerabilities surfaced not only within the organization itself, but across the third-party partners and systems it relied on every day. Using the Texas Safe Harbor framework under SB 2610 as a guide, Guardian helped both companies focus on the controls that mattered most, reduce risk, and build a practical path toward Safe Harbor eligibility.
Texas Senate Bill 2610 gives businesses a legal incentive to invest in cybersecurity. Companies that implement and maintain a qualifying cybersecurity program may receive protection from punitive damages following a data breach. The requirements vary based on company size, creating an achievable starting point for many Texas small and mid-sized businesses.
We spoke with Guardian CEO Chuck Smith about how this engagement evolved into a practical Safe Harbor roadmap for both organizations.
Q: Where did the Safe Harbor conversation begin?
Chuck: We were already implementing upgraded cybersecurity controls with a Texas-based tech company that provides the restaurant industry with point-of-sale and online ordering systems. Let’s call them “OrderCo.” They use an agency in the Dallas-Fort Worth area for marketing and website hosting we’ll call “HostCo.” In working with OrderCo, we found that critical vulnerabilities existed through HostCo. We brought it to HostCo’s attention, and they understood the issues right away and engaged us to help. They’re a small company, but they hold 20 years’ worth of data for over 100 customers. They realized that punitive damages from a data breach could be catastrophic. Actually, they signed with us before Safe Harbor came out. We pivoted to Safe Harbor for a stairstep approach.
Q: Describe how that developed.
Chuck: The cybersecurity compliance best practices that every company should have are commonly called “CIS 18.” That’s for 18 control objectives from the Center for Internet Security (CIS). Each of these controls has “safeguards,” and there is a total of 153 safeguards across the controls. We started tackling these 18 objectives with HostCo, using Guardian’s Lumen and Glass solutions to provide our security and compliance as a service. Even with the best conditions, the work can take time and seem overwhelming to a small company. Under Safe Harbor, the qualifying program for a company with fewer than 20 employees lines up to just seven of the 18 objectives, totaling 16 related safeguards. So, we circled back to HostCo and said, “Let’s do this subset of seven first and you’re covered under Safe Harbor. But, cautionary tale, the program has to be in place, with full artifacts, fully documented and implemented. In other words, the test is whether you are really practicing cyber hygiene.”
Q: How did HostCo react?
Chuck: It made perfect sense to them. They see the step process and the tangible benefit of each step along the way. It’s more than just protection for the company – it’s something to show their customers. At Guardian, we’re turning the SB 2610 designation into a marketing tool with our “Texas Safe Harbor Badge.” HostCo can go to both new and existing clients with the badge and show that they have control objectives in place that protect data.
Q: What was the motivating force for OrderCo?
Chuck: OrderCo found that new RFPs and contracts are all requiring cyber insurance. Insurance providers conducted questionnaires with the company and wouldn’t issue coverage. Insurers want to have dated proof that cybersecurity controls are in place. OrderCo needed insurance to win new business and, of course, in the event of an incident. They’re happy with our efforts and the path we have them on. And, we have some underwriters lined up for when the company is ready.
Q: You talk about cybersecurity in terms of an “Aspen Forest” analogy. Can you explain that and how it applies to these clients?
Chuck: In Aspen forests, one tree will send out underground roots that sprout new tree trunks. The forest may look like different trees, but they are all connected by the same root system. Because it’s a single interconnected organism, a threat that affects one area can damage the entire system.
So, OrderCo has its proprietary software installed in a thousand restaurants and bars across the country. Every one of those software endpoints is a potential vulnerability for the entire OrderCo network. And those restaurants and bars have their own systems and apps that could be a hacker’s entry point. When OrderCo’s clients need something, they contact the company through the HostCo-run website, which is hosted on a popular publishing system. As I discussed, HostCo has its own potential vulnerabilities, as well as the website publisher itself. They’re all part of the same “root system.”
In an Aspen forest, a disease can hit the weakest part of the root system and spread quickly. Bad actors attack the weakest link in these chains of interconnected companies and move around from there. That’s why a company must examine its big-picture security and look at it as an outside cybercriminal would.
Key Takeaway
Safe Harbor isn’t about checking a compliance box. It’s about establishing the cybersecurity practices, documentation, and accountability that reduce risk and demonstrate due diligence. For many Texas businesses, it can also provide a practical roadmap for deciding where to start.
More Safe Harbor Resources
VIDEO: Safe Harbor, an Introduction
BLOG: What SB 2610 Really Means for Texas Businesses
ASSESSMENT: Safe Harbor Readiness
