California Cybersecurity Audit Proposal: Business Guide

by John DiGiacomo

Partner

Internet Law

Online criminal activity has been rampant for at least the last couple of decades. The media are full of stories about hacking, ransomware, cybertheft, denial-of-service attacks, and other forms of online criminal behavior. At the federal level, lawmakers have enacted statutes that criminalize such conduct (the Computer Fraud and Abuse Act being the best-known example) and sector-specific laws that require notification and, in some cases, compensation when consumer data is stolen. Similar laws exist at the State level.

California regulators have gone a step further and have proposed requiring that covered businesses conduct annual cybersecurity audits and submit compliance certifications. The regulations come from the California Privacy Protection Agency (“CPPA”), the agency created to enforce and issue regulations under the California Consumer Privacy Act (“CCPA”) and its amendments. The CCPA is generally focused on consumer data privacy, but part of the statute requires businesses to maintain reasonable security procedures and practices appropriate to the nature of the consumer data they collect and retain. The regulations are expected to be approved, with the first audits due in April 2028.

Privately conducted and internal cybersecurity audits are already “normal” for businesses that have any sort of large online presence or that run any significant proportion of their operations on computer systems. What changes under the proposed CPPA regulations is that such audits become an official mandate, with a required scope, required auditor qualifications, and a required filing. Since many States have enacted consumer data privacy statutes, and since many of those statutes contain similar cybersecurity requirements, it is reasonable to assume that the CPPA’s regulations will serve as a template for other States.

As noted, under the regulations, audits will be mandatory and must be conducted annually. In addition, “compliance certificates” related to the audits must be filed annually with the CPPA. Further, audits must be done by “qualified, objective, independent professionals using accepted auditing standards.” The auditor can still be internal to the organization, but must have the training and experience to apply those standards, and the regulations require an internal auditor to report directly to the board of directors or governing body (or, if there is none, to the highest-ranking executive who is not responsible for the cybersecurity program) rather than to the people whose work is being audited. A practical consequence is that the person who designed and runs the security controls cannot also be the one who certifies them.

The regulations require assessment of a long list of potential cybersecurity issues, including the following:

  • Proper and up-to-date equipment
  • Software tested for “back doors” and other vulnerabilities
  • Additional software protections against viruses and malware
  • Configuration of data systems, including hardware, software, and all devices
  • Network monitoring and defenses, including network segmentation
  • Controls on employee and vendor use of their own devices and software
  • User authentication for employees, third parties, vendors, and consumers (where applicable)
  • Encryption where needed (such as for personal data, at rest and in transit)
  • Access controls for physical locations, for each device, and for wireless and online access
  • Personnel training
  • Contractual mandates for employees, third parties, vendors, and consumers
  • Data inventories, data use, and disposal/destruction schedules
  • Vulnerability testing
  • Logging of actual and attempted intrusions, both external and internal
  • Incident response
  • Recovery and remediation policies and testing

For what it is worth, this is an excellent starting checklist for a new business, or for one without an existing cybersecurity program, of the controls a security program should cover. Assuming final approval, the first audits under the CPPA regulations will be due on April 1, 2028, for businesses with over $100 million in annual gross revenue, on April 1, 2029, for businesses with over $50 million in annual gross revenue, and on April 1, 2030, for all other covered businesses.

The CCPA/CPRA Cybersecurity Mandate: Legal Foundation

The proposed audit regulations flow from the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as significantly amended by the California Privacy Rights Act of 2020 (“CPRA”). The CPRA created the California Privacy Protection Agency (“CPPA”) as an independent enforcement agency and expressly directed it to issue regulations requiring annual cybersecurity audits by businesses whose processing of personal information presents significant risk to consumers’ privacy or security. Cal. Civ. Code § 1798.185(a)(15). The proposed regulations are expected to be finalized and implemented on a phased schedule based on business revenue, as described above.

Which Businesses Are Subject to the Audit Requirement

Not every California business will be subject to the cybersecurity audit mandate. The regulations apply only to “businesses” as defined under the CCPA, which requires meeting one of the following thresholds:

  • Annual gross revenues in excess of $25 million
  • Annually buying, selling, or sharing the personal information of 100,000 or more consumers or households
  • Deriving 50% or more of annual revenues from selling or sharing consumers’ personal information

Note that meeting the CCPA “business” definition is the threshold question, not the end of the analysis: the statute directs the audit requirement at businesses whose processing presents “significant risk,” and the regulations define that subset using revenue and processing-volume criteria. Out-of-state businesses that collect personal information from California consumers and meet these thresholds are also subject to the CCPA and, therefore, to the audit requirements. The scope of the California mandate effectively makes it a de facto national standard for any significant U.S. consumer-facing business.

What “Accepted Auditing Standards” Means in Practice

The proposed regulations require that cybersecurity audits be conducted using “accepted auditing standards.” The CPPA has indicated that acceptable frameworks include:

  • The NIST Cybersecurity Framework (CSF), Version 2.0
  • ISO/IEC 27001 and ISO/IEC 27002
  • SOC 2 Type II auditing standards (AICPA Trust Services Criteria)
  • The Center for Internet Security (CIS) Controls
  • FedRAMP standards (for organizations that interact with federal systems)

Businesses that already undergo SOC 2 Type II audits for their enterprise clients have a head start, because those audits cover many of the same security domains as the proposed CPPA regulations. However, the CPPA audit requirements are specifically focused on the protection of consumer personal data, and the author notes elements, such as automated decision-making system reviews and data broker relationship audits, that go beyond standard SOC 2 coverage. An existing SOC 2 report should therefore be treated as evidence that can be mapped into the CPPA audit, not as a substitute for it.

The Compliance Certification Requirement

In addition to conducting the audit, businesses must file an annual compliance certification with the CPPA. The proposed regulations specify the content of the certification, which must include:

  • A description of the business’s data processing activities and the personal information collected
  • A description of the cybersecurity controls implemented
  • Identification of any significant risks found during the audit
  • The remediation steps taken or planned for identified risks
  • A statement by the auditor that the audit was conducted in accordance with accepted standards
  • A statement by a responsible corporate officer acknowledging accuracy and accountability

To the extent the CPPA publishes them, these certifications will be public records. The practical consequence is that material cybersecurity failures identified in an audit, and not remediated, create documented and potentially discoverable liability exposure. Businesses should treat the audit and certification process as a rigorous compliance exercise, not a box-checking formality.

Preparing Now: A Phased Compliance Roadmap

Even though the largest-revenue businesses face the April 2028 deadline, preparation should begin now. The audit framework, internal reporting structure, and vendor relationships required for a mature cybersecurity audit program typically take 18 to 24 months to build. Recommended steps include:

  • Conduct a gap analysis against NIST CSF 2.0 or ISO/IEC 27001 to identify current deficiencies
  • Inventory all personal data you collect, store, and process, including where it lives and who can reach it; you cannot audit what you have not mapped
  • Assess third-party vendor relationships and the cybersecurity posture of each vendor that handles personal data
  • Designate a qualified privacy/security officer responsible for compliance
  • Engage a qualified third-party auditor to conduct a pilot audit well before the regulatory deadline, so that findings can be remediated before the first filing
  • Document all cybersecurity policies, procedures, and controls in writing
  • Implement a formal incident response plan that includes regulatory notification procedures

Contact Revision Legal

If you have questions about cybersecurity and data privacy law, the experienced attorneys at Revision Legal can help. We represent businesses, entrepreneurs, and individuals across the country. Contact us through the form on this page, visit our cybersecurity and data privacy law practice page, or call us at (855) 473-8474.
