2. A covered entity’s cybersecurity program shall be designed to do all of the following:
- a. Continually evaluate and mitigate any reasonably anticipated internal or external threats or hazards that could lead to a data breach.
- b. Periodically evaluate no less than annually the maximum probable loss attainable from a data breach.
- c. Communicate to any affected parties the extent of any risk posed and any actions the affected parties could take to reduce any damages if a data breach is known to have occurred.