The California Privacy Protection Agency (the "Agency") released draft Cybersecurity Audit Regulations ("Draft Regulations") for consideration by the Board of the Agency at a meeting scheduled for September 8. The Draft Regulations provide that every business whose processing of personal information presents a significant risk to consumers' security will be required to perform a cybersecurity audit. Interestingly, the threshold for "significant risk" is proposed to be size-based rather than based on other risk factors, such as the processing of sensitive personal information. This means that the audit requirement will be broad. As discussed below, there are a number of significant challenges for businesses subject to this requirement.
And, audit will mean audit, not assessment. That means that the auditor must use procedures and standards generally accepted in the auditing profession. These include (i) impartiality, and (ii) a reporting structure outside of the management chain that oversees the cybersecurity function. This also includes direct reporting to the board of directors, unless the company does not have a board. For companies that have an internal audit function, the audit may be performed internally. Those that do not will have to hire an audit/accounting firm.
The audit requirement also has a thoroughness component, which includes the scope, criteria, and specific evidence observed and assessed. The audit will be required to be presented to the board, and a board member will be required to certify that they have reviewed the audit and understand the findings. This is not a trivial matter.
The scope of the required audit goes beyond a SOC2, which is currently the most widely offered cybersecurity audit. The cybersecurity audit will be required to "assess and document the business’s cybersecurity program that is appropriate to the business’s size and complexity and the nature and scope of its processing activities, taking into account the state of the art and cost of implementation." Additionally, the Agency Board has been provided options concerning additional scope requirements. Some of these potential scope requirements go beyond cybersecurity into core privacy requirements. These include:
- Impairing consumers’ control over their personal information associated with the unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information.
- Economic harm to consumers associated with the unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information. This includes, for example, the direct and indirect costs associated with identity theft.
- Physical harm to consumers or to property associated with the unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information.
- Psychological harm to consumers, including emotional distress, anxiety, embarrassment, fear, frustration, shame, and feelings of violation associated with the unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information.
- Reputational harm to consumers, including stigmatization associated with the unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information.
The scope includes a list of 18 specific technical and administrative safeguards (plus numerous sub-items) that must be assessed, and if they are not in place, the audit (not the business) must provide an explanation as to why they are not necessary, and how the safeguards in place provide at least equivalent security. One particular requirement in the audit scope is zero trust architecture ("ZTA"). This is very new in cybersecurity, and is not widely used throughout existing networks. For those who would like to understand some of the technical complexities, see NIST Special Publication 800-207. For those who are not as technical, this statement from NIST 800-207 will give you a flavor: "Transitioning to ZTA is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology." When NIST says that something is a journey, it will be very, very hard to audit!
Service providers and contractors will be required to "assist" the company in completing its cybersecurity audit. What this means is not clear. Presumably, they will have to provide information to the company. But the requirements could be read much more broadly. The 18 technical and administrative controls described above may, or may not, apply to service providers or contractors. If they do, the amount of information required to be collected from service providers and contractors may be overwhelming for all but the largest enterprises. Currently, even large enterprises struggle with service provider cybersecurity assessments. Making this an audit requirement will significantly increase the costs for many service providers and businesses.
Perhaps most concerning is that the Agency appears to have borrowed the concept of certification from the New York Department of Financial Services. Businesses required to conduct audits will be required to "submit to the Agency either: (1) A written certification that the business complied with the requirements set forth in this Article during the 12 months that the audit covers; or (2) A written acknowledgment that the business did not fully comply with the requirements set forth in this Article during the 12 months that the audit covers. The written acknowledgement shall: (A) Identify all sections and subsections of this Article that the business has not complied with and describe the nature and extent of such noncompliance; and (B) Provide a remediation timeline or confirmation that remediation has been completed." A member of the company's board, or a specified officer if there is no board, will be required to sign the certification or acknowledgment. That means that the Agency will have evidence every year of the companies that have conducted audits, and those that have not. It makes enforcement much easier.
Businesses will have 24 months from the date the regulations are completed to finalize cybersecurity audits, plus an updated audit annually thereafter. Because a SOC2 generally takes at least a year (it includes 6 months of control effectiveness testing), in-scope businesses should call their counsel and auditor today to get on their calendar and begin the process. It is likely that the number of businesses required to complete these audits will far outstrip the supply of auditors. The next 24 months will be a wild ride!