I do not usually post about proposed laws and regulations, but I will on occasion. It just so happens that currently there are a lot of significant new and proposed federal and California laws and regulations, in addition to lawsuits and regulatory actions.
I have provided below PDF copies of materials that were circulated at the September 8 meeting of the California Privacy Protection Agency. These are drafts for the board meeting only; however, I would plan on eventual enactment in substantial part. The two materials are titled: Agenda Item 8 – Part 1 Draft Cybersecurity Audit Regulations; and Agenda Item 8 – Part 2 Draft Risk Assessment Regulations. Thus, the materials pertain to three areas that I cover and that are important to my connections: laws and regulations, audit, and risk assessment or management.
I have pasted immediately below some of the language from the draft cybersecurity audit regulations, and below that I have provided both draft documents in their entirety. Also note that the audit, which is a serious and detailed one, can be performed by a qualified internal auditor or by a qualified outside (external) auditor, and that the auditor shall report the audit to the board of directors or governing body or, if there is no such board or governing body, to the highest-ranking executive that does not have direct responsibility for the business’s cybersecurity program.
You can see that significant effort has been put into these draft regulations; however, if regulations are eventually enacted, the enactment and enforcement might also be attacked in court.
The following is select language from the draft cybersecurity audit regulations:
- Thoroughness and Independence of Cybersecurity Audits.
(a) Every business required to complete a cybersecurity audit pursuant to this Article shall do so using a qualified, objective, independent professional (“auditor”) using procedures and standards generally accepted in the profession of auditing.
(1) The auditor may be internal or external to the business but shall exercise objective and impartial judgment on all issues within the scope of the cybersecurity audit, shall be free to make decisions and assessments without influence by the business being audited, including the business’s owners, managers, or employees; and shall not participate in activities that may compromise, or appear to compromise, the auditor’s independence. For example, the auditor shall not develop, implement, or maintain the business’s cybersecurity program, nor prepare the business’s documents or participate in the business activities that the auditor may review in the current or subsequent cybersecurity audits.
(2) If a business uses an internal auditor, the auditor shall report regarding cybersecurity audit issues directly to the business’s board of directors or governing body, not to business management that has direct responsibility for the business’s cybersecurity program. If no such board or equivalent body exists, the internal auditor shall report to the business’s highest-ranking executive that does not have direct responsibility for the business’s cybersecurity program. The business’s board of directors, governing body, or highest-ranking executive that does not have direct responsibility for the business’s cybersecurity program shall conduct the auditor’s performance evaluation and determine the auditor’s compensation.
(b) To enable the auditor to determine the scope of the cybersecurity audit and the criteria the cybersecurity audit will evaluate, the business shall make available to the auditor all relevant information about the business’s cybersecurity program and information system; all relevant information about the business’s use of service providers or contractors; and all other information in its possession, custody, or control that the auditor deems relevant to the cybersecurity audit.
(c) The business shall disclose all facts relevant to the cybersecurity audit to the auditor, and shall not misrepresent in any manner any fact relevant to the cybersecurity audit.
(d) The cybersecurity audit shall articulate its scope, articulate its criteria, and identify the specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make decisions and assessments, and explain why the scope of the
The following is a copy of Agenda Item 8 – Part 1 Draft Cybersecurity Audit Regulations:
The following is a copy of Agenda Item 8 – Part 2 Draft Risk Assessment Regulations:
* * * *
Thank you for viewing this discussion. Please do pass this blog and blog post and information to other people who would be interested as it is only through collaboration and sharing that great things and success are more quickly achieved. If you are interested in discussing anything that I have said in the discussion above or in either of my two blogs (see blog addresses below), or if you simply want to reach out or are seeking assistance, it is best to reach me by email at dave@tateattorney.com.
David Tate, Esq. (and inactive CPA)
- Business litigation and disputes – business, breach of contract/commercial, co-owners, shareholders, investors, founders, workplace and employment, environmental, D&O, governance, boards and committees.
- Trust, estate and probate court litigation and disputes – trust, estate, probate, elder and dependent abuse, conservatorship, POA, real property, mental health and care, mental capacity, undue influence, conflicts of interest, and contentious administrations.
- Governance, boards, audit and governance committees, investigations, auditing, ESG, etc.
- Mediator and facilitating dispute resolution (evaluative and facilitative):
  - Trust, estate, probate, conservatorship, elder and dependent abuse, etc.
  - Business, breach of contract/commercial, owner, shareholder, investor, etc.
  - D&O, board, audit and governance committee, accountant and CPA related.
  - Other: workplace and employment, environmental, trade secret.
Remember, every case and situation is different. It is important to obtain and evaluate all of the evidence that is available, and to apply that evidence to the applicable standards and laws. You do need to consult with an attorney and other professionals about your particular situation. This post is not a solicitation for legal or other services inside of or outside of California, and, of course, this post only is a summary of information that changes from time to time, and does not apply to any particular situation or to your specific situation. So . . . you cannot rely on this post for your situation or as legal or other professional advice or representation, or as or for my opinions and views on the subject matter.
Also note – sometimes I include links to or comments about materials from other organizations or people – if I do so, it is because I believe that the materials are worthwhile reading or viewing; however, that does not mean that I do not or that I might not have a different view about some or even all of the subject matter or materials, or that I necessarily agree with, or agree with everything about or relating to, that organization or person, or those materials or the subject matter.
Please also subscribe to this blog and my other blog (see below), and connect with me on LinkedIn and Twitter.
My two blogs are:
http://tateattorney.com – business, D&O, audit committee, governance, compliance, etc. – previously at http://auditcommitteeupdate.com
http://californiaestatetrust.com – trust, estate, conservatorship, elder and elder abuse, etc. litigation and contentious administrations
David Tate, Esq. (and inactive California CPA) – practicing only as an attorney in California.