An enterprise learns that a new privacy regulation was recently published to protect customers in the event of a breach involving personally identifiable information (PII). The IT risk management team`s FIRST course of action should be to: 

Answer options:

A. evaluate the risk appetite for the new regulation.
B. determine if the new regulation introduces new risk.
C. assign a risk owner for the new regulation.
D. define the risk tolerance for the new regulation.

C