California’s New Cybersecurity Audit Requirements: What You Need to Know 


As many of you know, California leads the nation when it comes to data protection. Whether through the California Online Privacy Protection Act (CalOPPA), the California Invasion of Privacy Act (CIPA), or the California Privacy Rights Act (CPRA), the State has consistently been at the forefront of providing privacy protections to consumers. The California Privacy Protection Agency (CPPA) recently strengthened those protections, and the corresponding obligations on businesses, by releasing Regulations that require certain companies to undertake cybersecurity audits. In this article, we discuss which companies must complete a cybersecurity audit, who may perform it, what the audit must cover, and what must be certified to the CPPA, so that you know your obligations if your company is one of them.

Who needs to comply with the CPRA? 

Since the CPPA Regulations only apply to businesses that must comply with the CPRA, the first step is determining whether the CPRA applies to you. The CPRA applies to for-profit businesses that do business in California, collect the personal information of California residents, and meet at least one of the following thresholds:

  1. Have annual gross revenue in excess of $25,000,000; or 
  2. Buy, sell, or share the personal information of 100,000 or more California consumers or households; or 
  3. Derive 50% or more of annual revenue from selling or sharing the personal information of California consumers. 

Note that your business does not need to be located in California for this privacy law to apply. If you meet any of the thresholds above, the CPRA applies to you, and you will need to keep reading to determine whether the audit requirement applies as well.

Who needs to perform the cybersecurity audit? 

A business that must comply with the CPRA will also need to perform a cybersecurity audit if its processing of consumers’ personal information presents a significant risk to consumers’ security. 

Under the Regulations, a business that meets the CPRA thresholds above presents such a risk, and therefore must perform a cybersecurity audit, if it also: 

  1. Processed the personal information of 250,000 or more California consumers or households in the preceding calendar year; or 
  2. Processed the sensitive personal information of 50,000 or more California consumers in the preceding calendar year. 

Note that the test looks back at the preceding calendar year, so a business that crosses either threshold in one year will be in scope for an audit covering the next.

When does a cybersecurity audit need to be performed? 

The deadline for the first audit depends on the annual gross revenue of the business: 

  1. Businesses with annual gross revenue for 2026 of more than $100,000,000 must complete the audit by April 1, 2028; 
  2. Businesses with annual gross revenue for 2027 of between $50,000,000 and $100,000,000 must complete the audit by April 1, 2029; 
  3. Businesses with annual gross revenue for 2028 of less than $50,000,000 must complete the audit by April 1, 2030. 

It is important to note that these are only the first deadlines: a business that must conduct a cybersecurity audit is required to repeat it on an annual basis thereafter. 

Who actually performs the cybersecurity audit? 

Unlike assessments such as third-party vendor reviews, which are usually performed by the business’s own staff, the Regulations require that the cybersecurity audit be performed by a qualified, objective, and independent professional auditor. The auditor may be an employee of the business, but the Regulations underscore that such an employee must maintain independence by reporting directly to a member of the business’s executive team who does not have direct responsibility for the business’s cybersecurity program. In practice, this means the internal auditor cannot report to the CISO or to whoever owns the controls being audited. 

The Regulations’ emphasis on the auditor’s independence may signal that the CPPA would prefer the audit to be completed by a fully independent individual who is not employed by the business. 

Scope of the cybersecurity audit

Every auditor knows that the audit scope can make or break the results of an audit. The more items you examine, the more likely you are to obtain a comprehensive picture of the company’s cybersecurity posture; the fewer items you examine, the more likely it is that the company will pass. The CPPA was evidently aware of this, as it wrote the audit’s scope directly into the Regulations rather than leaving it to the business or the auditor to negotiate. 

First, as a general matter, the Regulations provide that the audit must assess how the business’s cybersecurity program: 

  1. Protects personal information from unauthorized access, destruction, use, modification, or disclosure; and 
  2. Protects against unauthorized activity resulting in the loss of availability of personal information. 

The Regulations then get more specific, requiring that the scope include: 

  1. The business’s establishment, implementation, and maintenance of its cybersecurity program, including the related written documentation (e.g. policies and procedures); 
  2. How the business implements and enforces compliance with its cybersecurity program; 
  3. Each of the following components:
    1. Authentication (including multi-factor authentication and password management); 
    2. Encryption of personal information (at rest and in transit); 
    3. Account management and access controls (including restriction of existing accounts, privileged accounts, new accounts, and physical access to personal information); 
    4. Inventory and management of personal information and the business’s information system (including personal information inventories, hardware and software inventories, and hardware and software approval processes); 
    5. Secure configuration of hardware and software (including updates and upgrades, securing on-premises and cloud based environments, masking sensitive personal information, security and patch management, and change management); 
    6. Internal and external vulnerability scans, penetration testing and vulnerability disclosure and reporting; 
    7. Audit-log management; 
    8. Network monitoring and defenses (including the deployment of technologies such as bot detection, intrusion detection and intrusion prevention and data loss prevention systems); 
    9. Antivirus and antimalware protections; 
    10. Segmentation of an information system; 
    11. Limitation and control of ports, services, and protocols; 
    12. Cybersecurity awareness; 
    13. Cybersecurity education and training; 
    14. Secure development and coding best practices; 
    15. Oversight of service providers, contractors, and third parties; 
    16. Retention schedules and proper disposal of personal information; 
    17. How the business manages its responses to security incidents (including documentation of predetermined instructions or procedures, testing, continuity and disaster recovery plans). 

Once the items above have been audited, the auditor must also produce an audit report. The report must address each of the items above, describe any gaps or weaknesses identified in the cybersecurity program, and document the business’s plan to remediate those gaps and weaknesses. 

Submitting a certification

For each year in which a business is required to complete a cybersecurity audit, it must also submit to the CPPA a written certification that the audit has been completed. The certification is due no later than April 1 following that year, and must be signed by a member of the business’s executive management team who: 

  1. Is directly responsible for the business’s cybersecurity audit compliance; 
  2. Has sufficient knowledge of the audit to provide accurate information; and 
  3. Has the authority to submit the certification to the CPPA. 

As you can see from the above, the cybersecurity audit requirement is much more than a “check the box” compliance obligation. Companies that must perform this audit should begin preparing now: selecting a qualified and independent auditor, assembling the written documentation the scope calls for, and working through every item in the audit scope will take considerably longer than a few days. 
