The cybersecurity mandates in U.S. state privacy laws often are overlooked. However, the requirements are not slight – they fall into four basic categories, including securing personal information, ensuring third parties do the same, assessing cyber measures and reporting assessment or audit results to AGs. Adding to existing requirements, last month, California’s privacy regulator released a bold draft regulation under the California Privacy Rights Act that proposes a costly audit of 18 mandatory components, including a first-ever requirement to use zero trust architecture, of a company’s cyber program. This article examines the shifting cybersecurity landscape across state laws and includes analysis shared with the Cybersecurity Law Report by Frankfurt Kurnit partner Richard Borden and insights delivered during the recent International Association of Privacy Professionals’ Privacy.Security.Risk conference by Morrison Foerster and Ampersand counsel. See our two-part series analyzing 2023’s new state privacy laws: “The First Six Plus Compliance Measures” (Jun. 28, 2023), and “Oregon and Delaware Join the Strictest Tier” (Jul. 12, 2023).