Background

On November 8, 2023, the California Privacy Protection Agency (CPPA) published an updated proposed draft of its cybersecurity audit regulations under the California Consumer Privacy Act (CCPA). While the CPPA has yet to initiate the formal rulemaking process, entities that satisfy proposed applicability thresholds are well-advised to consider potential compliance implications arising from the proposed draft. Notably, the CPPA indicated in its March 2024 board meeting that it hopes to move to formal rulemaking in July 2024. Once the draft regulations are finalized in formal rulemaking, the compliance date may quickly approach due to a recent California appeals court decision enabling the CPPA to enforce violations of its regulations as soon as they become effective. In light of this development, businesses may wish to review the proposed regulations now to prepare for compliance.

Proposed Draft Cybersecurity Audit Requirements

Applicability

The proposed draft regulations would require every business whose processing of consumers’ personal information presents “significant risk to consumers’ security” to complete a cybersecurity audit.¹ The draft, however, assesses whether the processing poses a risk on the basis of volume. Companies that hold significant amounts of personal data would likely qualify, regardless of the type of personal information held or other circumstances that might reduce risk. Specifically, the proposed draft regulations provide that a business’s processing presents significant risk to consumers’ security when either of the following is true:

1. The business derived 50 percent or more of its annual revenues from “selling” or “sharing” consumers’ personal information in the preceding calendar year; or

2. As of January 1 of the calendar year, the business had annual gross revenues in excess of $25,000,000 in the preceding calendar year, and:

1. Processed the personal information of 250,000 or more consumers or households in the preceding calendar year; or

2. Processed sensitive personal information of 50,000 or more consumers in the preceding calendar year; or

3. Processed the personal information of 50,000 or more consumers that the business had actual knowledge were less than 16 years of age in the preceding calendar year.²

Timing of Audits

Businesses must complete their first cybersecurity audit within 24 months after the regulations become effective, as well as subsequent audits annually thereafter. The regulations specify that there must be no gap in the months covered by successive audits.

Independence of Audits

The proposed draft regulations specify that every business required to conduct cybersecurity audits must do so using a “qualified, objective, and independent” auditor who is “free to make decisions and assessments without influence by the business being audited.” The auditor may be internal or external, but the regulations place steep requirements for use of an internal auditor that do not align with most organizations’ governance in practice. For example, an internal auditor generally must report to the company’s board of directors or similar governing body regarding “cybersecurity audit issues”—not to business management that has direct responsibility for the business’s cybersecurity program). Additionally, the business’s board of directors, governing body, or highest-ranking executive that does not have direct responsibility for the business’s cybersecurity program must conduct the auditor’s performance evaluation and determine the auditor’s compensation.

The proposed draft regulations also separately require that all cybersecurity audits (whether conducted by an internal or external auditor) be reported to the business’s board of directors or governing body and that the audit include a written statement, signed by a member of the board or governing body, certifying that the business did not attempt to influence the auditor’s decisions or assessments.

Scope of Audits

At a high level, cybersecurity audits will need to assess and document both:

(1) how the business’s cybersecurity program protects consumer personal information from unauthorized access, destruction, use, modification, or disclosure, and

(2) how the program protects against unauthorized activity that results in the loss of availability of personal information.

The proposed draft regulations provide the company’s auditor with broad discretion in determining the scope of required audits, as “appropriate to the business’s size and complexity and the nature and scope of its processing activities, taking into account the state of the art and cost of implementation.”³

Beyond this broad discretion, the proposed draft regulations expressly require that a cybersecurity audit identify, assess, and document 18 specific program components, to the extent applicable. Many of these are components typically addressed in commonly referenced security frameworks (e.g., NIST CSF or ISO 27000), such as authentication, encryption, security training, and patching. However, the proposed draft regulations also explicitly include more emerging or less commonly adopted security practices, including zero trust architecture, personal information inventories, and hardware/software inventories.

Notably, the draft regulations also require an assessment of companies’ vulnerability disclosure program, which is an element that is not always a focus of cybersecurity audits. Companies that currently do not have a vulnerability disclosure program may wish to consider creating one. The draft regulations also list only two examples of vulnerability disclosure programs: bug bounty programs and ethical hacking programs. While the draft regulations do not require either of those be set up specifically, and a simple vulnerability information intake process would presumably suffice for an audit, this may be a good time for companies to consider whether it would be helpful to create a bug bounty program.

Where a business has not implemented one of the 18 enumerated components, the business will need to implement compensating controls and explain why the component “is not necessary to the business’s protection of personal information and how the safeguards that the business does have in place provide at least equivalent security.”⁴

Among other requirements, audits must assess and document the effectiveness of each specified component at preventing unauthorized access, use, modification, or disclosure of personal information, and at preventing unauthorized activity that results in the loss of availability of personal information. An audit must further include detailed descriptions of any identified gaps or weaknesses, and document the business’s plan to address those gaps and weaknesses. Further, if a business provided data breach notifications to California consumers or (similar to the long-arm language used by NYDFS’s cybersecurity requirements) to “any agency with jurisdiction over privacy laws or other data processing authority,” the audit must include sample copies of such notifications.

If a business has already conducted an audit, assessment, or evaluation that meets all requirements set forth in the proposed draft regulations, the business is not required to conduct a duplicative audit. However, the business will need to specifically explain how such audit, assessment, or evaluation satisfies all requirements set forth in the proposed draft regulations. Businesses that have implemented pre-existing processes for cybersecurity-related audits may wish to consider a cross-walk to identify areas of additional or enhanced testing so as to align their existing cybersecurity audits with requirements set forth in the proposed draft regulations.

Annual Certification

Businesses that are required to conduct cybersecurity audits must annually submit to the CPPA either (i) a written certification that the business complied with the cybersecurity audit regulations, or (ii) a written acknowledgement that the business “did not fully comply” with the regulations, which must describe the nature and extent of the business’s noncompliance and provide either a remediation timeline or confirmation that remediation has already been completed. Further, the draft regulations would require the written certification or acknowledgement to be signed by a member of the business’s board of directors or governing body (rather than business leadership), or if no such body exists, the business’s highest-ranking executive who is responsible for oversight of the business’s cybersecurity audit compliance.

Next Steps

Businesses may want to consider taking a variety of steps to prepare for compliance, including the following:

• Consider whether the business’s internal audit function may be able to conduct any cybersecurity audits required by the draft regulations (particularly given the governance requirements), or if the business will opt to engage an external auditor.

• Assess whether and to what extent any audits, assessments, or evaluations that the business already conducts may be sufficient to satisfy portions of the draft regulations’ requirements—and where opportunities to enhance assessments in preparation may exist.

• Implement policies, procedures, and reporting structures to facilitate compliance with governance requirements set forth in the proposed draft regulations, including as needed to address the requirement that all cybersecurity audits be reported to the business’s board of directors or governing body.

Where a business has not implemented one or more of the 18 cybersecurity program components that must be addressed in a cybersecurity audit, evaluate potential compensating controls that may provide at least an equivalent level of security as the specified component.