CPPA Releases Draft Cybersecurity Regulations

October 5, 2023

The California Privacy Protection Agency (CPPA) has released draft regulations detailing cybersecurity program audit requirements for businesses that process the personal information of consumers and present a significant risk to consumers’ security. Whether or not an entity presents a “significant risk” is defined by the thresholds of revenue, the volume of consumers and the known age of the consumer. If adopted, this would represent a significant step forward in providing uniform requirements on how a cybersecurity program must be assessed, documented and measured.




The CPPA was formed in 2020 with the objective of adopting regulations for businesses that handle the personal data of consumers. The agency is governed by a five-member board and is responsible for the implementation and enforcement of the privacy protection laws introduced under the California Privacy Rights Act (CPRA).



What do these regulations do?

If enacted, the CPPA’s draft regulations would impose major cybersecurity requirements on covered businesses. It would require an annual audit to assess, document and detail each applicable component of a business’s cybersecurity program, including the identification of any gaps and weaknesses that must be addressed before the next audit cycle.



What components do these regulations cover?

If adopted, several areas across the cybersecurity landscape would be in scope. These areas are not vastly different than what is covered in other industry-wide control frameworks. However, the specificity of components that a cybersecurity program will be audited on establishes a clear picture of what every entity’s program must include. The following cyber elements are specifically listed for assessment and documentation:


Cybersecurity Components Covered:  
Authentication Antivirus Protections
Encryption Network Segmentation
Zero Trust Architecture Ports, Services and Protocols
Access Controls Cybersecurity Awareness and Training
Personal Data Inventory Secure Coding
Secure Configuration Third-Party Oversight
Vulnerability Scanning Data Retention and Destruction
Log Management Incident Response
Network Monitoring and Defense Business Continuity Planning



What is unique about these draft regulations?

The security measures detailed by the CPPA are defined in a uniform manner. This means that an increased burden would be placed on covered entities to explain the remediation plan for any gaps found during an audit. Covered entities might also have to explain how the current process provides equivalent security to what is outlined if a business doesn’t believe that the control is applicable to them.


Another unique topic that the CPPA includes for consideration is how a business might map “reduction in harm” information to each control. This aims to define whether or not a program component actually reduces the chance of a negative event taking place.




While the CPPA has not yet begun the formal rulemaking process, it has provided these draft regulations to facilitate discussions between the board of directors and the public. Many phases of review, feedback and change are necessary before the adoption of the final regulations. Regardless of the final outcome, this is a compelling start to providing uniform guidance on which components must be covered in a cybersecurity program and what covered entities will need to have in place to ensure the privacy of consumer data.


If you have questions about compliance with state privacy laws and how they affect your organization, click here to learn more about our offerings, or drop us a line.
TJ Carsten
TJ Carsten has over 16 years’ experience in both consulting and corporate enterprise data management. He has experience working with medium sized businesses as well as Fortune 500 corporations to build and enhance their data privacy and governance programs.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.