CPPA Releases Draft Cybersecurity Regulations
October 5, 2023
The California Privacy Protection Agency (CPPA) has released draft regulations detailing cybersecurity program audit requirements for businesses that process the personal information of consumers and present a significant risk to consumers’ security. Whether or not an entity presents a “significant risk” is defined by thresholds of revenue, the volume of consumers whose data is processed and the known age of those consumers. If adopted, this would represent a significant step forward in providing uniform requirements for how a cybersecurity program must be assessed, documented and measured.
Background
The CPPA was formed in 2020 with the objective of adopting regulations for businesses that handle the personal data of consumers. The agency is governed by a five-member board and is responsible for the implementation and enforcement of the privacy protection laws introduced under the California Privacy Rights Act (CPRA).
What do these regulations do?
If enacted, the CPPA’s draft regulations would impose major cybersecurity requirements on covered businesses. They would require an annual audit to assess, document and detail each applicable component of a business’s cybersecurity program, including the identification of any gaps and weaknesses that must be addressed before the next audit cycle.
What components do these regulations cover?
If adopted, several areas across the cybersecurity landscape would be in scope. These areas are not vastly different from what is covered in other industry-wide control frameworks. However, the specificity of the components that a cybersecurity program will be audited on establishes a clear picture of what every entity’s program must include. The following cyber elements are specifically listed for assessment and documentation:

| Cybersecurity Components Covered | |
|---|---|
| Authentication | Antivirus Protections |
| Encryption | Network Segmentation |
| Zero Trust Architecture | Ports, Services and Protocols |
| Access Controls | Cybersecurity Awareness and Training |
| Personal Data Inventory | Secure Coding |
| Secure Configuration | Third-Party Oversight |
| Vulnerability Scanning | Data Retention and Destruction |
| Log Management | Incident Response |
| Network Monitoring and Defense | Business Continuity Planning |
What is unique about these draft regulations?
The security measures detailed by the CPPA are defined in a uniform manner. This means that an increased burden would be placed on covered entities to explain the remediation plan for any gaps found during an audit. If a business does not believe that a control is applicable to it, the business might also have to explain how its current process provides security equivalent to what is outlined.
Another unique topic that the CPPA includes for consideration is how a business might map “reduction in harm” information to each control. This aims to define whether or not a program component actually reduces the chance of a negative event taking place.
Conclusion
While the CPPA has not yet begun the formal rulemaking process, it has provided these draft regulations to facilitate discussions between the board of directors and the public. Many phases of review, feedback and change are necessary before the adoption of the final regulations. Regardless of the final outcome, this is a compelling start to providing uniform guidance on which components must be covered in a cybersecurity program and what covered entities will need to have in place to ensure the privacy of consumer data.
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.