Skip to main content
Skip to navigation

Regulatory Policy

California cybersecurity audit rule scope begins taking shape at CPPA meeting

By Adrianne Appel2023-09-12T12:41:00

California skyline

A final version of California’s cybersecurity audit rules likely won’t be released until later next year at the earliest, according to a rough timeline discussed by the state’s privacy rulemaking agency, which debated a preliminary draft of the rules Friday.

The draft cybersecurity rules were approved among sweeping amendments to the state’s 2020 data privacy law under the California Privacy Rights Act. The changes to the California Consumer Privacy Act (CCPA) created the California Privacy Protection Agency (CPPA) to write and enforce the rules.

The five-member CPPA board mainly debated two aspects of the cybersecurity rules Friday: which businesses should be required to conduct annual audits and what should be included in those audits.

THIS IS MEMBERS-ONLY CONTENT

cw-membership

You are not logged in and do not have access to members-only content.

If you are already a registered user or a member, SIGN IN now.

Related articles

Premium
CPPA preview: Cybersecurity audit regs nearing formal proposal

2024-01-09T20:16:00Z By Adrianne Appel

Companies with business in California could face tough new cybersecurity mandates under draft regulations that could be headed for formal rulemaking as soon as Friday.
Premium
Automated decision-making tech rules added to crowded CPPA agenda

2023-12-01T22:34:00Z By Adrianne Appel

The California Privacy Protection Agency drafted its rules to apply the rights allowed to residents under the California Consumer Privacy Act to automated decision-making technology used by businesses.
Premium
Modern-day enterprises: How to prepare for and prove network compliance

2023-10-17T13:46:00Z By Matt Honea, CW guest columnist

The need to prove network compliance is intensifying as lawmakers introduce new privacy legislation and organizations update their contractual security requirements for third-party vendors.

More from Regulatory Policy

Article
Bank of England tightens liquidity requirements for U.K. banks

2026-03-25T20:37:00Z By Ruth Prickett

U.K. banks must reassess how quickly they could monetize their assets in the event of a crisis under new rules proposed by the Bank of England’s regulatory body, the Prudential Regulation Authority. The proposals are the first changes to the liquidity rules since these were updated in the aftermath of ...
Article
Europe’s groundbreaking crypto rules put at risk by delays in implementation

2026-03-24T21:25:00Z By Neil Hodge

Europe may have taken the lead in attempting to regulate cryptoasset firms before any other major jurisdiction, but a year after the ground-breaking rules came into force, it does not necessarily follow that they are robust or that the industry they are meant to hold accountable is embracing them.
Article
Compliance must focus on corruption as EU and U.K. seek to tackle rising risks

2026-03-19T14:50:00Z By Ruth Prickett

Corruption isn’t something that happens somewhere else, in other countries and committed by other people. Nowhere is corruption-proof, and new rules being introduced in the EU and the U.K. aim to focus compliance officers on the full gamut of risks in all jurisdictions and every sector.