Although not yet subject to a formal rulemaking process, the California Privacy Protection Agency (“CPPA”) has announced draft regulations regarding the cybersecurity audits required by Section 1798.185(a)(15)(A) of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”).[1] These proposed cybersecurity audit regulations would cover one of the remaining three areas in which the CPPA is required to promulgate regulations.[2]
Even though the proposed draft regulations are subject to change and the formal rulemaking process has not officially begun, companies that are subject to the cybersecurity audit requirements described below should start planning and scheduling their cybersecurity audits now. Qualified auditors are expected to be in high demand for these services and in short supply because of limited capacity.
Effective date. It is important to note that the proposed draft regulations require a company (as defined by the CCPA) to complete its first annual cybersecurity audit within 24 months of the effective date of the regulations. Given that formal rulemaking on the subject has not yet begun, companies will have at least 30 to 36 months from now to complete their first cybersecurity audit, with annual audits required thereafter.
Scope. Under the proposed draft regulations, a company subject to the CCPA would be subject to the cybersecurity audit requirements only if (a) it derives more than 50% of its annual revenue from selling or sharing the personal information of consumers (i.e., California residents), or (b) it had gross revenue of $25 million or more in the previous calendar year and, in that year, processed any of the following: (i) the personal information of 250,000 or more consumers or households; (ii) the sensitive personal information of 50,000 or more consumers or households; or (iii) the personal information of more than 50,000 consumers known to be under the age of 16. Other companies would not be subject to the cybersecurity audit requirements under the current proposed regulations.
Cybersecurity audit requirements. A cybersecurity audit must meet several requirements.
Auditor independence. Under Section 7122 of the proposed draft regulations, the auditor may be internal or external, but must use procedures and standards generally accepted in the auditing profession and must be independent, exercising objective and impartial judgment on all matters related to the cybersecurity audit and remaining free to make decisions and evaluations without influence from the company's owners, managers, employees, or others. Auditors may not participate in activities that impair, or appear to impair, their independence, including participating in the business activities the auditor evaluates (such as developing procedures or making recommendations regarding the company's cybersecurity program). If the auditor is internal to the company, the audit report must be issued directly to the company's governing body, which evaluates the auditor's performance and sets the auditor's remuneration.
Scope of audit. A cybersecurity audit must identify, assess, and document the company's cybersecurity program and related policies and procedures as appropriate to the company's size and complexity and the nature and scope of its processing, and must cover, as applicable, the following 18 specific elements:
- Authentication, including multi-factor authentication and passwords.
- Encryption of personal information at rest and in transit.
- Zero trust architecture.
- Account management and access control.
- Inventory and management of information assets.
- Secure configuration of hardware and software, including patch and change management.
- Internal and external vulnerability scanning, penetration testing, vulnerability disclosure and reporting.
- Audit log management.
- Network monitoring and defense.
- Antivirus and antimalware.
- System segmentation.
- Restrictions and controls for ports, services, and protocols.
- Cybersecurity awareness, education, and training.
- Best practices for secure development and coding.
- Supervision of service providers, contractors, and third parties.
- Storage and disposal.
- Incident response; and
- Business continuity and disaster recovery.
Based on the proposed draft regulations, the audit must assess these elements, identify and describe gaps and weaknesses, document plans to address those gaps and weaknesses, identify the position of the person responsible for the cybersecurity program, and include the date of submission to the governing body. The audit must also identify and describe past notifications to consumers and government agencies and include copies of the notification letters.
Annual certification. The proposed draft regulations would require each company that must complete a cybersecurity audit to provide the CPPA with either an annual attestation of compliance with the cybersecurity audit requirements or a written acknowledgment of non-compliance together with a remediation timeline.