New CCPA Regulations Require Submission of Cybersecurity Audit Certifications
The new California cybersecurity audit regulations are effective on Jan. 1, 2026. The submission due dates of required cybersecurity audit certifications to the California Privacy Protection Agency (“CPPA”) are based on revenue:
- April 1, 2028, if the business's annual revenue is over $100 million;
- April 1, 2029, if its annual revenue is between $50 million and $100 million; or
- April 1, 2030, if its annual revenue is under $50 million.
The initial submission focus is on larger companies, but companies should not treat the submission dates as a reason to procrastinate. The audit obligation itself takes effect with the regulations, and potential investigations and the consequences of not having a cybersecurity program do not depend on the submission dates.
Requirement to Complete a Cybersecurity Audit
Every business whose processing of consumers’ personal information presents a significant risk to consumers’ security must complete a cybersecurity audit. Processing presents a significant risk to consumers’ security if either of the following applies:
(1) The business derives 50% or more of its annual revenues from selling or sharing consumers’ personal information; or
(2) The business meets the annual revenue threshold, which is now north of $26 million; and
(A) Processed the personal information of 250,000 or more consumers or households in the preceding calendar year; or
(B) Processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.
Note: When a visitor visits a website and third-party cookies are placed in browser storage, that visitor’s personal information has been processed.
Requirements for Thoroughness and Independence of Cybersecurity Audits
Cybersecurity audits must be performed by a qualified, objective, independent professional (“auditor”) following procedures and standards accepted in the auditing profession.
Independent does not mean the auditor has to be external to the company:
The “auditor must have knowledge of cybersecurity and how to audit a business’s cybersecurity program.” “The auditor may be internal or external to the business but must exercise objective and impartial judgment on all issues within the scope of the cybersecurity audit, must be free to make decisions and assessments without influence by the business being audited, including the business’s owners, managers, or employees; and must not participate in activities that may compromise the auditor’s independence.”
The auditor, whether internal or external, must be given access:
“The business must make available to the auditor all information in the business’s possession, custody, or control that the auditor requests as relevant to the cybersecurity audit (e.g., information about the business’s cybersecurity program and information system and the business’s use of service providers or contractors).” And the “business must make good-faith efforts to disclose to the auditor all facts relevant to the cybersecurity audit and must not misrepresent any fact relevant to the cybersecurity audit.”
Audit findings cannot rest primarily on management’s assertions or attestations; the tires have to be kicked:
The required audits are rigorous in that no “finding of any cybersecurity audit may rely primarily on assertions or attestations by the business’s management.”
The cybersecurity audit report must include the following information:
(1) Description of the business’s information system, plus identification of:
(A) the policies, procedures and practices that the cybersecurity audit assessed;
(B) the criteria used for the cybersecurity audit; and
(C) the specific evidence examined to make decisions and assessments.
(2) Identification of each of the following components that applies to the business:
- authentication
- encryption
- account management and access controls
- inventory and management of personal information (PI) and the company’s information system
- secure configuration of hardware and software
- vulnerability scans, penetration testing, and vulnerability disclosure and reporting
- network monitoring and defenses
- antivirus and antimalware protections
- segmentation of information system
- limitation and control of ports, services and protocols
- cybersecurity awareness
- cybersecurity education and training
- secure development and coding best practices, including code-reviews and testing
- oversight of service providers, contractors and third parties to ensure compliance
- retention schedules and proper disposal of personal information (PI) no longer required to be retained
- how the company manages its responses to security incidents
- business continuity and disaster recovery plans, including data-recovery
(3) Identify and describe in detail the status of any gaps or weaknesses of the policies and procedures, the applicable components and any additional component assessed that the auditor deemed to increase the risk of unauthorized access, destruction, use, modification or disclosure of consumers’ personal information, or increase the risk of unauthorized activity resulting in the loss of availability of personal information.
(4) Document the business’s plan to address the gaps and weaknesses identified.
(5) Identify any corrections or amendments to any prior cybersecurity audit reports.
(6) Identify the qualified individual(s) responsible for the business’s cybersecurity program.
(7) Include the auditor’s name, affiliation and relevant qualifications.
(8) Include a signed statement certifying that the auditor performed an independent review of the cybersecurity program and information system, exercised objective and impartial judgment on all issues within the scope of the cybersecurity audit, and did not rely primarily on assertions or attestations by the business’s management.
(9) Whether the business provided notification to affected consumers; and
(10) Whether the business was required to notify any agency.
Your company may be able to substitute a current audit or assessment:
A business may utilize a cybersecurity audit, assessment or evaluation that it has prepared for another purpose, provided that it meets all of the requirements, either on its own or through supplementation.
The company and the auditor must retain all documents relevant to each cybersecurity audit for a minimum of five years after completion of the cybersecurity audit.
Practice Pointer: If your company doesn’t have a document retention policy that includes data classification, add that as an additional task.
Scope of Cybersecurity Audit and Audit Report
The cybersecurity audit must assess how the company’s cybersecurity program: protects personal information from unauthorized access, destruction, use, modification or disclosure, and protects against unauthorized activity resulting in the loss of availability of personal information.
In other words, how does the company protect the confidentiality, integrity and availability (“CIA”) of personal information through appropriate physical, administrative and technical safeguards? That is the cybersecurity professional’s mantra.
Certification of Completion
(a) Each calendar year that a business is required to complete a cybersecurity audit, it must submit to the CPPA a written certification that the business completed the cybersecurity audit as required.
(b) The company must submit the certification no later than April 1 following any year that the business is required to complete a cybersecurity audit.
(c) The written certification must be completed by a member of the company’s executive management team who:
(1) is directly responsible for the business’s cybersecurity-audit compliance;
(2) has sufficient knowledge of the business’s cybersecurity audit to provide accurate information; and
(3) has the authority to submit the company’s certification to the agency.
(d) The written certification must be completed and submitted to the agency via its website at https://cppa.ca.gov/.
If no process for such a cybersecurity audit is in place and this is a first-time effort, it will be a significant undertaking that touches many company resources.
This document is intended to provide you with general information regarding new CCPA regulations. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.
Client Alert | December 15, 2025