California Finalizes Cybersecurity Audit Rules under CCPA

  • Writer: Katarzyna Celińska
  • Oct 13
  • 2 min read

The California Privacy Protection Agency has finalized long-awaited rules on automated decision making, risk assessments, and annual cybersecurity audits. These rules, adopted unanimously by the CPPA Board, are the result of over a year of debate and revisions.

Key Takeaways

☑️ Annual Cybersecurity Audits: Businesses whose data processing presents significant risk to consumer privacy or security must undergo independent yearly audits.

☑️ Scope of Risk: Factors include company size, complexity, and the nature of personal information processed. Companies meeting revenue and data volume thresholds are automatically subject to the audit rule.

☑️ Independence Matters: Audits must be conducted by a qualified and objective professional, whether internal or external. Internal auditors must report to senior leadership without cybersecurity program responsibility — ensuring independence.

☑️ Evidence-Based Audits: Findings cannot rely only on management attestations. Reports must show tested evidence, identify weaknesses, and include plans for remediation.

☑️ Reasonable Cybersecurity Practices: The rule outlines expected controls: MFA, encryption, access management, secure configuration, patching, vulnerability scanning, monitoring, training, and more. These mirror industry best practices and FTC/state breach settlement standards.

☑️ Risk Assessments: Required for activities like selling/sharing personal information, processing sensitive data, or deploying ADMT in consumer-facing decisions.

 

This is a long-awaited regulation. Honestly, I expected stricter rules, but they were watered down to reduce business burden. Still, requiring annual cybersecurity audits for high-risk organizations is a big step forward.

My key concern is whether these audits will focus on real cybersecurity risks or just a #compliance approach. Too often, frameworks are used to prove compliance rather than fix actual security gaps.

From my perspective, an approach like SOC 2+ could add real value: incorporating these CCPA requirements into a SOC 2 report would provide assurance under AICPA standards, ensuring both compliance and meaningful security oversight.

 

At the end of the day, this is about moving companies toward basic cyber hygiene: IAM, patching, vulnerability management, monitoring, secure configurations, and governance.

BW ADVISORY sp. z o.o. 