
A Working Definition of “Reasonable Security” in Cybersecurity

  • Writer: Hector R. Lopez
  • Oct 1
  • 6 min read

Updated: Oct 21

Introduction


“Reasonable security” is one of the most cited but least defined standards in cybersecurity. Regulators invoke it in consent decrees, state laws reference it, contracts require it, and insurers ask about it. Yet when a board or executive team asks what reasonable security actually means for its organization, the answers are often unclear, usually delivered as a laundry list of controls with no pathway to a coherent, operational program.


The truth is, reasonable security is not a checklist or a dollar amount. It is a governance-driven lifecycle: management engages in ongoing due care to stay informed about organizational risks and develop strategies to protect against them, and due diligence to monitor and adjust those strategies for effectiveness. In this way, cybersecurity oversight is following the same trajectory as financial oversight. Just as boards are expected to be financially literate — able to read statements, understand risks, and ask informed questions — they are increasingly expected to be cyber literate: equipped to oversee safeguards, scale them to risk, and demand proof of defensibility.


This article develops a working definition of reasonable security by drawing from negligence law, regulatory enforcement, and governance principles. We’ll show why the standard must be scalable, why spending alone does not determine defensibility, and offer a strategy boards can use to meet it.



The Role of Negligence in Reasonable Security in Cybersecurity


Negligence law turns on a simple question: What would a reasonable person do under similar circumstances? For companies, that becomes: Would a reasonable board have acted the same way to secure digital assets?


If laws or regulations require protection of sensitive information, the next question is whether management exercised due care (strategies to protect against risks and ongoing attention to threats) and due diligence (testing and validating that those strategies were implemented effectively and proportionately, consistent with frameworks like the NIST Cybersecurity Framework or PCI DSS).


When breaches occur, defensibility pivots on whether the company can prove that management exercised due care and due diligence: prioritizing risks, controlling and monitoring them, and engaging in continuous efforts to improve security.


For boards, the “reasonable person” test becomes the reasonable board standard. The question is not perfection, but whether directors acted reasonably in light of the risks. A company spending $1 million on tools may still be negligent if it failed to develop a strategy. Conversely, a company spending $20,000 may be defensible if its strategy was risk-based, proportional, and well-documented.


Reasonable security is not about buying the most tools — it’s about making thoughtful, risk-informed choices backed by documented care and diligence.



How Regulators View the Definition of Reasonable Security in Cybersecurity


Regulators apply the negligence lens to the definition of reasonable security in cybersecurity through consent decrees and settlement orders. Each case highlights how due care (choosing appropriate safeguards) and due diligence (verifying, monitoring, and documenting those safeguards) define reasonable security:


  • Wawa (2019 breach, 2022 settlement): Due care through encryption at payment terminals and written information security policies; due diligence through independent monitoring and annual penetration testing. Importantly, the settlement stressed proportionality — safeguards must scale with data sensitivity and organizational realities.


  • Blackbaud (FTC 2023–24): Due care in encryption, stricter access controls, and retention limits; due diligence in improved breach notification processes.


  • Marriott / Starwood (FTC 2024): Due care in multi-factor authentication, asset inventory, and program design; due diligence in biennial third-party security assessments.


  • Drizly (FTC 2023): Due care through data minimization and retention limits; due diligence through long-term monitoring and reporting obligations.


The pattern is clear: regulators don’t demand perfection, but they do expect boards to demonstrate risk assessments, governance oversight, documentation, and proportional safeguards as the hallmarks of reasonable and defensible security.



The Parallel: From Compliance to the Definition of Reasonable Security in Cybersecurity


The evolution of the definition of reasonable security in cybersecurity mirrors the rise of corporate compliance in the late 20th century. Vague expectations of “good conduct” gave way to structured standards when the U.S. Sentencing Commission issued the Organizational Sentencing Guidelines in 1991 (Chapter Eight of the Federal Sentencing Guidelines). Those guidelines defined the seven elements of an effective compliance program: standards and procedures, oversight by high-level personnel, due care in delegating authority, communication and training, monitoring and auditing, consistent enforcement and discipline, and response to violations with steps to prevent recurrence.


The same elements now frame “reasonable security” through the lens of due care (attention to risks, policies, and governance) and due diligence (verification, monitoring, and corrective action):


Sentencing Guidelines → Reasonable Security in Cybersecurity


  • Standards & Procedures → Written Information Security Program (WISP)


  • Oversight by High-Level Personnel → Board reporting & accountability


  • Due Care in Delegation → Vendor & third-party risk management


  • Communication & Training → Security awareness & employee training


  • Monitoring & Auditing → Logging, testing, vulnerability scans


  • Enforcement & Discipline → Incident response & corrective action


  • Response & Prevention → Ongoing risk assessment & improvement


Both frameworks emphasize that reasonableness is not perfection. It is about governance, documentation, and proportionality: exercising due care to anticipate risks, and due diligence to validate that safeguards are working and evolving.



Why Reasonable Security is Scalable


It is a misconception that reasonable security means implementing every possible control. That is not the standard.


  • Sensitivity matters: Safeguards for PHI or payment card data must be stronger than those for non-sensitive marketing data.


  • Risk matters: Likelihood × impact drives proportional investment (Corporate Compliance Insights).


  • Resources matter: Regulators do not expect small firms to mirror Fortune 500 budgets.


This is why dollars don’t equal defensibility. A company may spend heavily yet fail due care and due diligence if its controls are misaligned with its risks. Another may spend modestly but succeed if its safeguards are scaled, risk-based, and well-documented.

Reasonableness = due care (ongoing risk assessment) + due diligence (validation and documentation) + proportionality.



Defining Reasonable Security


Taken together, negligence law, compliance principles, regulatory enforcement, and scalability all point to the same conclusion: reasonable security is not perfection, not a checklist, and not a dollar figure. It is governance-driven proportionality, demonstrated through a continuous lifecycle of due care and due diligence.


A program is reasonable and defensible when:


  • Risks are assessed continuously.


  • Safeguards are aligned to the sensitivity of data and scaled to organizational resources.


  • Decisions, monitoring, and improvements are documented.


In short, reasonable security = due care (strategic attention to risks) + due diligence (verification and documentation) + proportionality.



A Cybersecurity Roadmap for Boards


Just as boards were once expected to become financially literate — able to read statements, oversee internal controls, and ensure independent audits — they are now expected to be cyber literate. The governance path is the same: set expectations, adopt frameworks, demand documentation, and validate performance.


Boards don’t need to configure firewalls or write policies. But they do need to ensure, through a governance process, that the right safeguards exist and are working. A defensible security program at the board level comes down to:


  • Put cyber risk on the agenda — make it a standing item in board meetings, not a one-off report.


  • Confirm adoption of a framework — just as finance uses GAAP or IFRS, security oversight should be anchored in a recognized framework or standard (e.g., the NIST Cybersecurity Framework, ISO/IEC 27001, the HIPAA Security Rule, PCI DSS).


  • Demand regular reporting and documentation — risk assessments, policies, training, monitoring, vendor oversight, and incident response must be visible to the board.


  • Insist on testing and independent validation — penetration tests, audits, and third-party assessments play the same role as financial audits.


  • Ensure leadership accountability — confirm that a qualified CISO or equivalent role owns the program and reports into the board.


  • Promote continuous improvement — expect management to adjust safeguards as risks, technologies, and regulations evolve.


In financial oversight, boards don’t balance the books — they ensure that management follows standards, applies proportional controls, and validates outcomes. In cybersecurity oversight, the expectation is the same. Reasonable security means applying due care and due diligence with the same rigor boards already bring to financial risk.



BravoCheck Perspective: Building a Defensible Cybersecurity Program


A working definition of reasonable security in cybersecurity is this: a governance-driven program that scales safeguards to the sensitivity of data and risks, demonstrates due care in board and executive decisions, and produces documentation that makes those choices defensible to regulators and courts.


Perfection is not required. Unlimited spending is not required. What matters is process, proportionality, and proof of diligence.


Boards that set the tempo with due care and verify execution with due diligence ensure that security programs meet the standard they establish. In doing so, they not only protect stakeholders but also demonstrate accountability and defensibility in the face of regulatory or legal scrutiny.


What sets BravoCheck apart is a JD-led, ANSI-accredited, DoD-approved approach to governance. Our authority isn’t theoretical: it is grounded in decades of guiding boards, executives, and public leaders to expand their view of cyber risk and to develop security programs.


For more on aligning governance with communication and ensuring your security strategy is coherent from board to operations, see BravoCheck’s post: Security Control Readiness: More Levers ≠ More Protection.


