Cybersecurity Audit Requirements Coming to California
September 4, 2025
The new California Privacy Protection Agency (CPPA) regulations adopted in July introduce a range of new AI (automated decision-making technology) and cybersecurity requirements. One of the major new provisions requires covered businesses to conduct annual cybersecurity audits. The requirement applies only to businesses whose processing of personal information presents significant risk under the regulations' revenue and data-volume thresholds: those that derive a large share of their revenue from selling or sharing personal information, or that meet a revenue threshold and process large volumes of personal or sensitive personal information. For those required to conduct them, audits must assess 18 specified components of the business's cybersecurity program covering its data and cybersecurity controls. A recent Faegre Drinker memo breaks down the audit report requirement:
“The results of the audit must be compiled in a cybersecurity audit report that is signed by the auditor and provided to the business’s management… The report must describe the business’s cybersecurity program and ‘identify and describe in detail’ any gaps that would increase the risk of unauthorized access or use of personal information… The report must be based on the ‘specific evidence’ examined by the auditor, rather than the assertions or attestations of the business’s management… Critically, however, a business may rely on another cybersecurity audit that it prepared for another purpose — such as NIST’s Cybersecurity Framework 2.0 — provided that the other audit satisfies the same requirements under the CCPA, ‘either on its own or through supplementation.’”
The audit obligation phases in beginning with the 2027 audit period, and larger businesses become subject to it before smaller ones. California’s rules for cybersecurity audits are specific and prescriptive, so businesses subject to them should begin preparing sooner rather than later. California is the second state to mandate such audits, following New York. However, California’s rules offer more guidance than New York’s and apply to a different set of companies.