Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 24 July, the California Privacy Protection Agency approved a sweeping rulemaking package that will establish new regulatory requirements, including for covered businesses to conduct annual cybersecurity audits.
The rulemaking package now awaits formal approval by the California Office of Administrative Law. Once approved, covered California businesses should take steps to proactively prepare themselves for these new audit obligations, which can be found in Article 9 of the proposed regulations.
Whether to utilize an internal or external auditor to conduct the cybersecurity audit is a key question companies will need to answer early on. There are pros and cons to both options that need to be assessed in the context of the company's organizational structure and cybersecurity program.
What the regulations say about auditors
According to Section 7122 of the looming CPPA regulations, covered businesses will need to select "a qualified, objective, independent" auditor, internal or external, to conduct the cybersecurity audit. The regulations stipulate that regardless of whether the auditor is internal or external to the business, they must use "procedures and standards accepted in the profession of auditing."
In addition, an auditor cannot solely rely on assertions made by a covered business. Instead, they must "primarily" base findings on specific evidence reviewed through the course of the audit. Moreover, an auditor is required to review and assess what security safeguards the company has in place; whether the company's cybersecurity program is "appropriate" based on its size, complexity and the nature and scope of the processing; and how the business implemented the security program.
The CPPA regulations appear to promote an ongoing relationship between a covered business and an auditor as opposed to a one-and-done structure. For example, Section 7122(g) states that both the covered business and the auditor "must retain all documents relevant to each cybersecurity audit for a minimum of five (5) years after completion of the cybersecurity audit."
Pros and cons to using an internal auditor
Depending on the size and complexity of a particular company, it may be prudent to use an internal auditor. Tasking an existing member of an organization with undertaking a cybersecurity audit could make the process more efficient, considering an internal team member likely has a better understanding of the company's existing cybersecurity protocols and vendor relationships.
A potential drawback to using an internal auditor is the need to establish an additional layer of governance within a company's team structure. For example, the CPPA regulations state that if a business opts to use an internal auditor, the auditor must "report directly to a member of the business's executive management team who does not have direct responsibility for the business's cybersecurity program."
That member of the executive management team "must conduct the highest-ranking auditor's performance evaluation, if any, and determine the auditor's compensation."
In effect, the CPPA regulations envision an internal auditor being placed on a separate track or siloed within a company. For example, the regulations state an auditor "must not participate in the business activities that the auditor may assess in the current or subsequent cybersecurity audits, including developing procedures, preparing the business's documents, making recommendations regarding the business's cybersecurity program (separate from articulating audit findings), or implementing or maintaining the business's cybersecurity program."
Not being able to participate in "business activities" that the internal auditor "may assess" in current or subsequent audits raises important questions around the scope of the regulations and what an auditor may be allowed to do following completion of an audit. For example, if a company holds an annual cybersecurity training session or a tabletop exercise, would the internal auditor be prohibited from attending since such training would be considered part of the company's broader cybersecurity program? There isn't a clear answer.
Pros and cons to using an external auditor
Using an external cybersecurity auditor may be preferable for certain covered companies, especially those operating in sectors where utilizing an outside auditor or assessor may be required under different cybersecurity frameworks.
For example, cloud service providers seeking to do business with the federal government under the Federal Risk and Authorization Management Program are generally required to engage with a third-party assessment organization. For context, a third-party assessment organization retained for FedRAMP compliance will serve as an independent third party responsible for performing initial and periodic assessments of cloud systems to ensure they meet FedRAMP requirements.
Defense contractors and organizations within the broader defense industrial base are also familiar with the concept of a third-party assessment organization serving as a cybersecurity auditor/assessor. For example, organizations subject to the Cybersecurity Maturity Model Certification Program may be obligated to retain a CMMC third-party assessor organization. For context, the requirement to use a CMMC third-party assessor organization depends largely on whether an organization handles controlled unclassified information.
The existence of external auditors capable of providing cybersecurity assessment services may provide a basis for a business to go with an external auditor for CPPA compliance. For example, the regulations state "a business may utilize a cybersecurity audit, assessment, or evaluation that it has prepared for another purpose," provided it meets all requirements under the regulations "either on its own or through supplementation."
The regulations provide an example of a business that may have conducted an audit of its cybersecurity program using the U.S. National Institute of Standards and Technology's Cybersecurity Framework 2.0. According to Section 7123(f), such an audit would likely meet the CPPA's regulatory requirements.
A potential drawback to using an external auditor is the time and resources often necessary to get an outside party fully acquainted with an organization's cybersecurity program. Possessing a depth of knowledge about an organization's internal cybersecurity protocols is likely necessary. This is especially true considering the CPPA regulations envision a comprehensive, in-depth audit covering "how the business's cybersecurity program: protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information."
The audit must also assess an array of security components, such as the use of multi-factor authentication, and determine whether the business encrypts data in transit and at rest, whether vulnerability scans and penetration testing are conducted, and so forth.
What to do next
Ultimately, deciding whether to use an internal or external auditor will depend on a business's specific needs and circumstances. There is no one right choice that applies to all businesses.
In addition to the decision on which type of auditor to use, businesses need to start taking steps to strengthen their broader compliance posture. For example, organizations should start proactively identifying categories of information that will likely be covered by an audit. They should also consider conducting a gap assessment between the organization's existing cybersecurity program and established cybersecurity frameworks, such as the NIST CSF 2.0, System and Organization Controls 2 Type 2, the International Organization for Standardization's 27001 standard, and so forth.
Once a gap assessment is conducted, businesses should implement measures to address gaps in areas specifically identified in the new regulations, including multi-factor authentication, service provider oversight, data encryption, data retention, incident response and disaster recovery procedures and more.
Patrick J. Austin, CIPM, CIPP/E, CIPP/US, FIP, PLS, is an attorney in the cybersecurity and data privacy practice group of Woods Rogers.