Professor Brian Ray discussed how a growing number of state laws require organizations to demonstrate that they have developed a cybersecurity governance framework that adopts “reasonable” security measures but critically leave the specifics of that standard undedefined. A smaller number of states, led by Ohio, have identified industry frameworks like NIST, CIS and others as a relevant source of those specifics. Similarly, federal and state regulators have recommended and, in some instances, required organizations to map to those frameworks. This trend overlaps with the increase in more specific cybersecurity requirements in other contexts including federal contractor requirements and federal regulatory agencies.