United States of America: Published draft Cybersecurity Audit Regulations

On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its 8 September 2023 board meeting, including draft Cybersecurity Audit Regulations. The CPPA clarified that formal rulemaking processes for cybersecurity audits, risk assessments, and automated decision-making technology have not yet begun. These drafts aim to facilitate board discussions and public involvement. The draft Cybersecurity Audit Regulations outline requirements for service providers and contractors, aiding businesses in audit compliance. The Regulations set out that every business whose processing of personal information could present a significant risk to consumers' security must complete an audit. The Regulations also specify the components to be assessed and the steps that should be taken.