California Consumer Privacy Act: Cybersecurity Audits as a Foundational Requirement
May 4, 2026
Effective January 1, 2026, California fundamentally changed how it regulates cybersecurity.
New regulations implementing the California Consumer Privacy Act (“CCPA”) build upon existing requirements and introduce new obligations for in-scope organizations, including formal risk assessments, annual cybersecurity audits, and enhanced consumer rights processes related to the use of automated decision-making technologies. [1]
As we continue our series on the CCPA, this article focuses on Article 9 of the new regulations, which mandates cybersecurity audits (“Article 9”). In particular, we examine the key requirements and deadlines under Article 9 and the best practices businesses can follow to meet them.
An Overview
The California Privacy Rights Act (“CPRA”), adopted by a statewide ballot initiative in 2020, amended the CCPA, and directed the California Privacy Protection Agency (“CPPA”) to develop regulations governing certain privacy practices. Those regulations, which were effective January 1, 2026, add a requirement for certain businesses to conduct mandatory, recurring cybersecurity audits. These audit obligations are set out in Article 9 of the regulations [2] and represent the first comprehensive cybersecurity audit regime imposed by a U.S. state privacy law of general applicability.
Historically, U.S. privacy and cybersecurity enforcement has focused on whether a business used “reasonable security.” Article 9 changes that approach by requiring evidence‑based, proactive assessments of cybersecurity preparedness.
For businesses, this means:
- Cybersecurity programs must be audit‑ready, not aspirational
- Documentation and testing matter as much as written policies
- Audit reports will become key regulatory and litigation artifacts
Details on which businesses are considered in scope and must conduct a cybersecurity audit, along with timelines for audit completion, can be found here.
What the Cybersecurity Audit Must Cover
Article 9 requires a comprehensive, evidence‑based audit of a business’s cybersecurity program—not a checklist or high‑level review.
Audits must assess whether safeguards reasonably protect personal information, given the nature and complexity of the business.
The regulations identify 18 core technical and organizational control areas, including:
- Authentication and access controls
- Encryption of personal information (at rest and in transit)
- Data inventory and management (including deletion)
- Secure configuration of systems and software
- Vulnerability scanning and penetration testing
- Audit-log management
- Network monitoring, protections, and segmentation
- Cybersecurity awareness and education
- Secure development and coding best practices
- Incident response procedures
- Vendor and third‑party security management
- Business continuity and disaster recovery
The important point here is that this is a true audit, not a “paper exercise”: the audit must include actual testing of controls and systems. Businesses may want to rely on other prior audits, such as a System and Organization Controls (SOC) audit or an ISO audit, to satisfy the Article 9 requirement, but they may do so only if those audits meet the standards set out in Article 9. The key standards a prior audit must meet include:
- Scope equivalency
- Scope coverage (controls)
- Evidence-based testing
- Independence and qualification of auditor
- Timeline and audit period alignment
- Proper documentation for regulatory review
Auditor Independence and Qualifications
Article 9 also imposes strict independence rules for auditors, similar to financial audits. The key requirements for the auditor include:
- The auditor must be qualified in cybersecurity and audit methodologies
- Auditors may be internal or external, but must:
  - Remain objective and impartial
  - Avoid auditing systems they designed or operate
  - Remain free from business influence or conflicts of interest
If the auditor is internal:
- They must report to an executive without responsibility for cybersecurity
- That executive must handle the auditor’s evaluation and compensation
Audit Reports, Attestations, and Disclosure Risk
After the audit is conducted, businesses must prepare a written report describing the audit scope and methodology, the findings and deficiencies, and the identified risks and remediation considerations.
A qualified executive must submit a written certification confirming that the audit was completed in compliance with Article 9.
While audit reports are not automatically submitted to regulators, it is recommended that organizations have them prepared and available because:
- The CPPA or California Attorney General may request them at any time
- Reports will likely be demanded after data breaches or consumer complaints
- Audit findings may influence enforcement penalties and litigation outcomes
Why Businesses Should Act Now
Although the first reports are not due until 2028, Article 9 requires:
- Mature cybersecurity governance
- Cross‑functional coordination (legal, privacy, information technology, security, executive leadership)
- Significant documentation and testing readiness
Many organizations are already conducting privileged mock audits or assessments to identify gaps before formal compliance is required. This will help ensure that related controls are met during the required audit period.
Takeaway
Article 9 marks a turning point in U.S. cybersecurity regulation. California has effectively defined what “reasonable security” means in practice—through documentation, testing, and accountability.
For businesses that operate in California or touch California data, cybersecurity audits are no longer optional, informal, or purely technical exercises. They are now governance‑level obligations with regulatory and litigation consequences.
Now is the time to evaluate whether your business will fall within Article 9’s scope.
Footnotes:
1: Cal. Code Regs. tit. 11, §§ 7000–7304 (2026).
2: Cal. Code Regs. tit. 11, §§ 7120–7124 (2026), effective January 1, 2026.