Utah Code Ann. § 78B-4-703
(1) Subject to Subsection (3), a person's written cybersecurity program reasonably conforms to a recognized cybersecurity framework if the written cybersecurity program:
(b)
(ii) reasonably conforms to the current version of any of the following frameworks or publications, or any combination of the following frameworks or publications:
(iii) for personal information obtained in the breach of the system security that is regulated by the federal government or state government, reasonably complies with the requirements of the regulation, including:
(2) A written cybersecurity program is a reasonable security program under Subsection (1)(b)(i) if:
(d) the person, or an employee of the person, conducts risk assessments to test and monitor the practice and procedures under Subsection (2)(b), including risk assessments on:
(3)
(b) If a recognized cybersecurity framework described in Subsection (1)(b)(iii) is amended, a person with a written cybersecurity program that relies upon that recognized cybersecurity framework shall reasonably conform to the amended regulation of the framework in a reasonable amount of time, taking into consideration the urgency of the amendment in terms of:
Enacted by Chapter 40, 2021 General Session