Texas SB 2610: What Mid-Market Leaders Need to Know

The cybersecurity liability landscape in Texas changed on September 1, 2025. Most mid-market businesses still don’t know how — or what their leadership team needs to be doing about it.

Texas SB 2610, signed into law in June 2025, created the first statewide cybersecurity safe harbor for small and mid-sized businesses. It rewards companies that implement reasonable safeguards aligned to a recognized framework with meaningful liability protection in the event of a data breach.

It is not a regulation. It does not require compliance. It is voluntary — and that’s exactly why most Texas business leaders haven’t acted on it.

This guide explains what SB 2610 actually does, who qualifies, what “reasonable conformity” looks like in practice, and the five questions every leadership team should be able to answer.

The Three Tiers — and Which One Applies to You

SB 2610 takes a tiered approach. The cybersecurity requirements scale with the size of your business — which is unusually pragmatic for cybersecurity legislation, and one of the reasons the law passed unanimously in the Texas Senate.

Tier 1: Basic Practices (fewer than 20 employees)

Required: basic cybersecurity practices.

Documented password policies, employee security awareness training, and a written cybersecurity program addressing administrative, technical, and physical safeguards. The bar is low, but it is not zero. “We have antivirus” is not enough.

Tier 2: CIS Implementation Group 1 (20 to 99 employees)

Required: alignment to CIS Controls IG1.

CIS IG1 is a defined set of 56 specific safeguards developed by the Center for Internet Security. It covers asset inventory, access management, MFA, malware defenses, backup integrity, vulnerability management, and basic incident response. Most businesses in this tier aren’t currently meeting it — but it is achievable without enterprise-scale investment.

Tier 3: Comprehensive Framework (100 to 249 employees)

Required: a recognized comprehensive framework.

NIST CSF, NIST SP 800-53 or 800-171, ISO/IEC 27001, FedRAMP, or full CIS Controls. The expectation here is a documented program with ongoing monitoring and evidence of implementation. This is where vCSO program ownership becomes essential.

Most mid-market organizations fall into Tier 2 or Tier 3. The good news: a properly designed and operated security program can satisfy either tier — provided the safeguards are actually enforced, documented, and reviewed, not just written down once.

Five Questions Every Leadership Team Should Be Able to Answer

1. Are we operating safeguards aligned to a recognized framework — and which one?

If the answer is “we have antivirus and firewalls,” the answer is no. The framework alignment must be explicit (CIS, NIST, ISO) and documented.

2. Is multi-factor authentication enforced on every user account?

MFA is the single most-cited control across every recognized framework. If even a handful of accounts are exempted, the program has a gap that undermines its defensibility.

3. Are administrative privileges restricted to the minimum necessary?

Excess admin access is the most common audit finding. Every user with administrative rights they do not need is an unnecessary liability surface.

4. Do we have continuous detection and a documented incident response process?

“We’ll figure it out if something happens” is not incident response. The law expects a workflow, and so do the frameworks it references.

5. Can we prove all of the above in writing?

The safe harbor lives or dies on documentation. If you cannot produce evidence of your safeguards to a court, you cannot claim protection from one.

If you can answer all five with confidence, your safe-harbor position is strong. If you cannot, every day between now and the next breach is a day of unnecessary exposure.

Where We Stand

Total 360 Security designs and oversees the program that aligns your organization to a recognized cybersecurity framework — including CIS Controls, NIST CSF, ISO 27001, and the documentation that supports your SB 2610 safe-harbor position.

We do not certify legal compliance. We do not act as your attorney. Legal determinations about safe-harbor eligibility, breach notification obligations, and litigation strategy remain with your counsel — as they should.

What a vCSO engagement delivers against SB 2610:

  • Framework selection — CIS IG1, NIST CSF, ISO 27001, or full CIS Controls, calibrated to your tier and your sector.
  • Gap assessment and remediation plan — written, prioritized, and ratified by leadership.
  • Documented program — written policies, control narratives, and the evidence trail your counsel needs.
  • Quarterly board-ready reporting — the safe harbor demands ongoing alignment, not a one-time check-the-box.
  • Compass-backed evidence repository — controls, attestations, and audit artifacts in one defensible record.

This is the program-level oversight that turns operational security into legal defensibility.

Need the safeguards operationally enforced?

Total 360 Technology runs the IT operations layer.

MFA enforcement, patch compliance, 24×7 MDR, backup verification, and the technical safeguards that make CIS IG1 real on the ground.

The SB 2610 Readiness Checklist

A one-page checklist of the safeguards required at each SB 2610 tier, with space to mark which controls you currently have, which are partial, and which are missing. Designed to be completed by your leadership team and reviewed with your counsel.

Free. No sales call required to download. We’ll send the link to the checklist as soon as you submit a valid email address.