Publications + Presentations


Article

Clarifying CCPA Requirements to Complete Cybersecurity Audits

August 19, 2025
by David Wilson

Summary

  • On July 24, 2025, the CPPA Board unanimously approved regulations addressing the requirement to complete cybersecurity audits and submit written certifications.
  • Businesses that meet any of the prescribed cybersecurity audit triggers must conduct annual cybersecurity audits satisfying detailed thoroughness and independence requirements.
  • The cybersecurity audit must assess – and the cybersecurity audit report must document – the effectiveness of prescribed components.
  • Covered businesses must submit written certification to the CPPA every calendar year.
  • The certification must be signed and dated by a member of the board or governing body – or in certain circumstances the business’s highest-ranking executive with authority – and must include their name, title, and a statement that the signer has reviewed and understands the findings of the cybersecurity audit.

On July 24, 2025, the CPPA Board unanimously approved regulations addressing the requirement to complete cybersecurity audits and submit written certifications. Among other topics, the regulations address requirements with respect to cybersecurity audits, including independence, timing, scope requirements, and mandatory written certifications to the California Privacy Protection Agency (“CPPA”).

What are the Cybersecurity Audit Triggers?

An independent cybersecurity audit must be conducted by a business subject to the California Consumer Privacy Act (“CCPA”) if the processing of personal information presents a significant risk to the consumers’ security.

A business’s processing of personal information presents a significant risk to consumers’ security, and a cybersecurity audit must be completed, if any of the below cybersecurity audit triggers are met:

  • The business has annual gross revenue of $25.625 million[1] or more for the preceding calendar year, and
    • Processed either the IP addresses or other personal information of 250,000 or more consumers in the preceding calendar year, or
    • Processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year, or
  • The business derives 50 percent or more of its annual revenue from selling or sharing personal information. 

Are Cybersecurity Audits a New Concept?

The concept of audits exists in several sectoral laws often focused on highly regulated industries (e.g., health care, financial services, or critical infrastructure).

However, these regulations clarify that the requirements may apply to both bakeries and banks, expanding the reach of their concepts to additional businesses irrespective of whether those businesses are highly regulated (banks) or not (selling cakes, t-shirts, marketing services, etc.).

The regulations also apply to GLBA and certain other highly regulated businesses due to certain data-level (not entity-level) exemptions contained in the CCPA. The CPPA’s regulations expressly permit businesses to utilize cybersecurity audits, assessments, or evaluations engaged in for other purposes, provided they meet the CCPA cybersecurity audit requirements. While a business is not required to complete a duplicative cybersecurity audit, it may need to supplement existing audits.

Audits Require Independence

Every business required to complete a cybersecurity audit must do so using a qualified, objective, independent professional, as well as generally accepted standards and procedures. The auditor may be internal or external but must exercise objective and impartial judgement.

The regulations include detailed independence examples and factors. By way of example, the auditor must not participate in the business activities that they may assess in the current or subsequent cybersecurity audits, including developing procedures, preparing the business’s documents, or making recommendations (separate from articulating audit findings) regarding, implementing, or maintaining the business’s cybersecurity program.

The cybersecurity audit must include the auditor’s name, affiliation, and relevant qualifications.

What is a Cybersecurity Audit Report?

A cybersecurity audit report is the document that every business that is required to complete a cybersecurity audit must create as part of its cybersecurity audit.

Among other prescribed requirements, the cybersecurity audit report must:

  1. Articulate the audit’s scope and criteria, and identify the specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make decisions and assessments,
  2. Document and summarize each applicable component of the business’s cybersecurity program,
  3. Specifically identify any gaps or weaknesses in the business’s cybersecurity program,
  4. Specifically address the status of any gaps or weaknesses identified in any prior cybersecurity audit reports,
  5. Specifically identify any corrections or amendments to any prior cybersecurity audit reports, and
  6. Document how the business’s cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information; and specifically identify and document:
    • the business’s establishment, implementation, and maintenance of its cybersecurity program, including the related written documentation thereof (e.g., policies and procedures), that is appropriate to the business’s size and complexity, and the nature and scope of its processing activities, taking into account the state of the art and cost of implementing the components of a cybersecurity program, including specific required components; and
    • specific listed components of the business’s cybersecurity program, as applicable, (e.g., multi-factor authentication, encryption, or zero trust architecture).

The items included above are select excerpts and summaries from the prescriptive required content, which is significantly more extensive. The text of the regulations includes over twenty categories regarding thoroughness, independence, and scope, with many detailed subcategories.

Cybersecurity Audit Timing

To determine the required timing, the initial questions to answer are:

  1. Does the business meet any of the cybersecurity audit triggers, and
  2. When did the business first meet the requirements?

The deadline for the first cybersecurity audit depends on the date the business first meets any of the cybersecurity audit triggers:

  • On or before the effective date of the Regulations (likely October 1, 2025[2]): first cybersecurity audit must be completed by January 1, 2028
  • After the effective date of the Regulations (likely October 1, 2025), and before January 1, 2028: first cybersecurity audit must be completed by January 1, 2029
  • January 1, 2029, and after: first cybersecurity audit must be completed by January 1 following any year the business meets the requirements

Subsequent cybersecurity audits must be completed every calendar year, and there must be no gap in the months covered by successive cybersecurity audits.

Records and Retention

In addition to a broad personal information retention schedule and disposal requirements, the regulations require the business and the auditor to retain all documents relevant to each cybersecurity audit for a minimum of five years after completion of the cybersecurity audit.

Certification of Completion

Each business required to complete a cybersecurity audit must submit a written certification of completion to the CPPA every calendar year. The written certification must be signed and dated by a member of the board or governing body, or if no such board or equivalent body exists, the business’s highest-ranking executive with authority. The certification must include a statement that the signer has reviewed and understands the findings of the cybersecurity audit.

For further clarification on how these regulations impact your business or to discuss the cybersecurity audit process, contact David Wilson at dwilson@keglerbrown.com


[1] This monetary threshold is indexed to the Consumer Price Index and may change on January 1 of any odd-numbered year.

[2] In general, the California Office of Administrative Law (OAL) has 30 working days to review and approve the rulemaking action and then publish the regulations with the California Secretary of State; the regulations become enforceable immediately upon OAL approval. The OAL has published an FAQ with additional detail: About the Regular Rulemaking Process | OAL.
