Cybersecurity
What is going on with cybersecurity “certification” in California?


California’s privacy regulations are evolving, this time with new cybersecurity audit requirements under the California Consumer Privacy Act (CCPA). The California Privacy Protection Agency (CPPA) has proposed draft regulations that would require certain businesses to conduct annual cybersecurity audits and submit written certification to the CPPA confirming compliance.
The draft regulations also cover privacy risk assessments (more on these here) and automated decision-making (ADM) technologies.
While the initial public comment period for these draft regulations closed on February 19, 2025, the rules remain in flux.
In fact, based on turnover on the CPPA Board, pushback during public comment, conflict between the ADM regulations and newly introduced laws on related artificial intelligence (AI) technologies, and the estimated $9.7B financial impact of these regulations on businesses, changes are likely – only the extent of change remains in question.
But certain aspects will not change.
The CCPA is law. It requires (CCPA s. 1798.180(a)(14)) that the CPPA’s regulations include the following:
- Mandate that certain businesses complete an annual cybersecurity audit.
- Define the scope of the audit.
- Establish a process to ensure these audits are thorough and independent.
- Define the factors that determine if a business needs to complete the annual cybersecurity audit.
  - These businesses include those “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.”
  - The factors that determine whether this “significant risk” applies must include the size and complexity of the business and the nature and scope of the processing activities. The CPPA must define these concepts further and determine if other criteria should apply.
- Submit to the CPPA a risk assessment related to the processing of personal information (similar to the EU General Data Protection Regulation (GDPR)’s data protection impact assessment).
Key Takeaways
- We know some businesses will need to complete annual cybersecurity audits. But until the regulations are finalized, it will not be clear exactly which ones.
The fourth point above emphasizes that the CPPA is responsible for determining how broadly this requirement applies. The CPPA’s Board has debated this heavily, especially the concerns about the financial impact on individual businesses. However, the Board did not receive an estimate of this impact until Fall 2024, as part of the process of releasing these regulations for public comment.
While there are thresholds defined in the proposed regulations, this is an area where further debate is likely.
- The audit must be independent. While the draft regulations allow for an internal auditor in some scenarios, those requirements strictly constrain reporting relationships.
As currently drafted, the regulations allow for internal auditors only where they do not “participate in the business activities that the auditor may assess in the current or subsequent cybersecurity audits” and where the auditor reports “regarding cybersecurity audit issues directly to the business’s board of directors or governing body, not to business management that has direct responsibility for the business’s cybersecurity program.” That includes the Board or governing body conducting the auditor’s performance evaluation and determining the auditor’s compensation.
External auditors are allowed but must also remain objective and impartial.
Both internal and external auditors are prohibited from making recommendations regarding, implementing, or maintaining the business’s cybersecurity program.
The third point above mandates “independent” audits: this will not change. The details noted above may change, but the initial statement of reasons indicates they are based on FTC orders and auditing organizations’ auditing standards. Unless compelling reasons emerge from public comment to apply a less stringent standard, these requirements will likely remain.
- The law requires privacy risk assessments to be reported to the CPPA. It doesn’t say the same about the cybersecurity audits, yet the reporting requirement is unlikely to change.
The law also only states that the CPPA must define the scope of the audit and that it must be thorough and independent. These are broad requirements captured in a few lines, while the proposed cybersecurity regulations span 11.5 pages. The CPPA has the authority and obligation to provide detail, but those details are subject to revision.
However, the requirement to report on the completion of a cybersecurity audit has not yet led to significant discussion or controversy. With the related reporting requirement in place for privacy risk assessments, some level of proactive reporting to the CPPA about cybersecurity audits seems likely to remain.
- If the cybersecurity audit’s certification requirement remains, it requires a business leader to attest to understanding the audit findings.
The draft regulations describe a written certification that the business has completed the cybersecurity audit:
- Proactive submission: Be submitted to the CPPA
- Time-limited: Identify the 12 months that the audit covers
- Responsible individual:
  - Be signed and dated by a member of the Board or governing body, or if neither exists, the business’s highest-ranking executive with authority to certify on behalf of the business and who is responsible for oversight of the business’s cybersecurity-audit compliance.
  - Include a statement that certifies the signer has reviewed and understands the findings of the cybersecurity audit.
  - Include the signer’s name and title.
Note that the findings of the audit itself are not included in the certification submission.
- While the audit covers cybersecurity industry best practices, it requires extensive documentation of the current state and remediation plans.
The audit itself addresses 18 cybersecurity elements. According to the Initial Statement of Reasons (pdf link) that accompanied the draft regulations, these elements are aligned with the NIST Cybersecurity Framework 2.0 and the Center for Internet Security Critical Security Controls (CIS Controls version 8).
In these draft regulations, the audit is required to include:
- A summary of each CCPA-required component of the cybersecurity program, including their effectiveness
- An assessment of gaps/weaknesses
- The plan to remediate those gaps/weaknesses, including resource allocations
- An explanation for any control that the business does not implement, including an explanation of alternative measures that provide equivalent security
While the regulations state that businesses are not required to complete a “duplicative cybersecurity audit,” an existing audit (for example, one performed against another framework) only counts to the extent it covers the regulation’s requirements; any requirements it does not cover must be addressed in a supplement.
Closing Thoughts
The CCPA includes a contentious element: a private right of action, or the ability for consumers to sue a business. This provision also includes statutory damages of $100-$750 per consumer per incident, or actual damages, whichever is greater.
In the CCPA, this is specifically related to a personal information security breach “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures.” (CCPA s. 1798.150)
While the draft regulations do not explicitly address the private right of action, any CCPA-mandated cybersecurity audit is likely to be taken into consideration in determining whether a business maintained reasonable security procedures.
When will this new obligation come due? The draft regulations give businesses two years from the date the regulations become effective.
For businesses looking for assistance with a thorough and independent audit that complies with new CCPA requirements, Coalfire is an industry leader in cybersecurity compliance. Coalfire experts routinely provide businesses with cybersecurity assessments across 75+ frameworks.