Texas Senate Bill 2610: What It Means for Your Company's Cyber Liability - New Protections, New Responsibilities
Effective September 1, 2025, Texas Senate Bill 2610 creates a legal safe harbor for small and mid-sized businesses that suffer a cyberattack or data breach: if the business can show it had a qualifying cybersecurity program in place before the incident, it gains protection from a key category of damages in the resulting litigation.
In short: if you have already been doing the hard work of protecting your systems, this law can spare you the worst financial consequences of a breach. But you must meet its requirements to benefit. Let's dig into what SB 2610 covers, who it affects, and how to ensure you qualify.
Who’s Covered? The Eligibility Criteria
SB 2610 is not a “one-size-fits-all” law. It’s targeted at Texas businesses that meet both of these criteria:
- Fewer than 250 employees
- Own or license computerized data that includes sensitive personal information as defined in Texas law (for example, a person's name paired with a Social Security number, government ID number, or financial account number, or certain medical information), whether about employees, clients, or other individuals
In other words, many small professional services firms, engineering practices, financial service outfits, architecture or construction offices, and similar entities will fall under its purview.
If your company is larger, or does not hold such data, this particular statute may not apply, though you may still face other state or federal cybersecurity obligations.
The Big Benefit: Protection from Punitive Damages
The centerpiece of SB 2610 is its promise: if you meet its standards, you cannot be held liable for punitive damages (called "exemplary damages" in Texas statute) in a lawsuit following a breach.
Punitive damages are the extra "punishment" awards courts sometimes impose on top of direct ("actual") losses. For a small business, avoiding punitive damages can be the difference between surviving and shuttering.
Do note: this law does not shield you from actual damages such as the costs of remediation, credit monitoring, legal response, and system repair, nor from regulatory fines. What it removes is the worst-case financial swing.
What You Must Do to Qualify: The Requirements
To qualify for SB 2610's protection, your organization must implement and maintain a cybersecurity program that protects the security and confidentiality of sensitive personal information, guards against anticipated threats, and guards against unauthorized access that could lead to identity theft or fraud. The program must be in place before the incident, not assembled after it. Key requirements include:
- Written policies, training, and technical controls to protect sensitive information
- Adherence to a recognized cybersecurity framework (examples below)
- Ongoing threat detection and response capability
- Requirements that scale with company size:

Company size and minimum requirements:
- Fewer than 20 employees: basic password policies plus cybersecurity awareness training
- 20 to 99 employees: adoption of the CIS Controls Implementation Group 1 (formerly the CIS "Basic" controls) or an equivalent baseline
- 100 to 249 employees: full compliance with a recognized cybersecurity framework (see below)
Recognized Cybersecurity Frameworks & Standards
To meet the law's standards at the larger tiers, your program must reasonably conform to a current version of a well-established framework. Acceptable options include:
- NIST Cybersecurity Framework
- NIST SP 800-171 / 800-53
- CIS Critical Security Controls
- ISO/IEC 27000 series
- SOC 2
- PCI DSS (if your business processes card payments)
- GLBA / FISMA (if those are already applicable in your industry)
Be aware: frameworks evolve. Compliance is not "set it and forget it." When a framework you rely on is revised, your program must be updated to the new version, and it must keep pace with emerging threats.
Why SB 2610 Matters in Key Industries
Architecture, Engineering & Construction (AEC)
AEC firms handle high-value data daily: CAD drawings, proprietary designs, bid documents, financial details, and client contracts. If that data is stolen or leaked:
- Competitors could gain an unfair advantage
- Bids could be undermined
- Intellectual property could be sold or exposed
SB 2610 compliance is not just a line item. It is a way to preserve your competitive edge, protect client trust, and insulate your firm from costly litigation.
Financial & Professional Services
For firms in finance, insurance, consulting, and other data-intensive sectors:
- Client PII, transaction records, account data, and financial models are prime targets
- A breach can lead to regulatory scrutiny, class actions, and reputational damage
Demonstrating compliance with SB 2610 strengthens your legal defensibility and shows clients that you take security seriously.
Risks of Non-Compliance
If you do not meet SB 2610's standards and a breach occurs, your business may face:
- Full exposure to punitive damages
- Higher cyber insurance premiums or denial of coverage
- Loss of client confidence and erosion of brand reputation
- Regulatory action under any other laws that apply to you
Now is the time to act. The safe harbor only counts if the program existed before the breach, so waiting until afterward is not a safe strategy.
How Arrow Cyber Advisors Can Help You Become SB 2610-Ready
At Arrow Cyber Advisors, our mission is to guide Texas businesses through the complexities of cybersecurity law and risk. Here’s how we can support you:
- Gap Assessment & Readiness Review - We evaluate your current cyber controls and map them against SB 2610 requirements and recognized frameworks.
- Cybersecurity Program Design - We help you build or refine written policies, training curricula, technical architecture, and operational controls tailored to your size and risk.
- Implementation & Technical Enablement - From multi-factor authentication and encryption to network monitoring and incident response systems, we assist in deploying controls that satisfy the law.
- Employee Training & Awareness - Your people are the first line of defense. We deliver customized training to help reduce human risk factors.
- Ongoing Monitoring & Updates - We maintain and evolve your cybersecurity posture—keeping pace with new threats and framework updates so you remain protected.
Don’t Wait for “Maybe”
SB 2610 is a powerful opportunity for Texas businesses, but only if you prepare before a breach. Taking steps now can protect you from punitive damages, elevate your security posture, and give your stakeholders confidence.
👉 If you would like a personalized SB 2610 readiness assessment or help launching a compliance-aligned cybersecurity program, reach out to Arrow Cyber Advisors today. Let's make sure your organization is one that benefits, not one that is exposed.