Under new regulations effective January 1, 2026, California regulators now expect businesses to conduct an annual “cybersecurity audit” that assesses “how the business’s cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information.”

Now is the time to prepare for these requirements.
As explained below, these requirements are detailed and contemplate a rigorous, professional, independent, evidence-based audit. Audit results must be shared with the California regulator under penalty of perjury.
Applicability & Distinction from Risk Assessments
California cybersecurity audit requirements apply generally to businesses that process the personal information of at least 250,000 consumers or households (50,000 if sensitive personal information), or to any business that derives 50% or more of its revenue from the “sale” or “sharing” of data. Any business that meets these volume or activity thresholds is subject to the cybersecurity audit requirements. Businesses should consider whether they may meet these thresholds given their processing of any California-origin data for any reason (e.g., website visitors, customer data, etc.).
The cybersecurity audit requirements stand separately and distinctly from California risk assessment requirements. Unlike risk assessments, cybersecurity audits generally do not aim to assess specific processing activities separately. Instead, the cybersecurity audit aims to assess the quality of the overall cybersecurity program. The implicit assumption of the regulation therefore seems to be that businesses have such an overarching cybersecurity program, and that such a program extends protections to all California resident information. That program will be assessed by the cybersecurity audit.
Timing
The regulation contemplates that larger businesses (gross revenue > $100MM) will be the first to submit a comprehensive cybersecurity audit report in April of 2028, for the period January 1, 2027-January 1, 2028. Eventually, however, all businesses meeting the applicability requirements will need to conduct audits and submit reports. After the first submission, the expectation is that audit reports will need to be submitted annually thereafter in April for the preceding year.
Businesses should strongly consider conducting an advance cybersecurity assessment – a “mock” audit – in 2026. An advance assessment can potentially provide an opportunity to identify and repair certain issues before mandatory audit and submission to the California regulator.
Auditors – Professional, Independent, and Evidence-Based
The cybersecurity audit must be conducted by a “qualified, objective, independent professional, using procedures and standards accepted in the profession of auditing.” Auditors must have both specific cybersecurity knowledge and knowledge of “how to audit a business’s cybersecurity program.” The regulations give auditors real authority to compel the business to provide relevant information. Companies should think carefully about their selection of auditor under these standards.
For companies with a strong internal audit function, internal auditors are permitted. However, crucially, the lead internal auditor must report directly to a member of the business’s executive team who does not have direct responsibility for the business’s cybersecurity program. This likely means that the cybersecurity audit function cannot fall under the information security organization itself or be the responsibility of the CISO.
The regulation contemplates that auditors will independently examine evidence to prepare their findings. Auditors may not base findings “primarily on assertions or attestations by the business’s management.”
Reliance on Other Audits
Given certain detailed audit requirements particular to California law, existing audits conducted by a business likely will not suffice for purposes of satisfying California requirements. Businesses may, however, partially utilize and supplement existing audits, assuming adequate scope and that such audits otherwise meet California requirements. Organizations may want to consider conducting a crosswalk or mapping to identify how their existing audit frameworks correspond to California requirements.
Detailed Audit Requirements
California regulations provide a detailed list of issues and controls that must be assessed as part of the audit. This detail defies any sort of usable general summary. As a very limited set of examples, the cybersecurity audit must assess:
- “oversight of service providers, contractors, and third parties to ensure compliance with [detailed California contracting requirement]”
- “Personal information inventories (e.g., maps and flows identifying where personal information is stored, and how it can be accessed) and the classification and tagging of personal information (e.g., how personal information is tagged and how those tags are used to control the use and disclosure of personal information)”; and
- “Internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting (e.g., bug bounty and ethical hacking programs)”
These are among many other detailed requirements. The audit report must detail gaps, weaknesses, and remediation plans in the areas covered.
Submission Under Penalty of Perjury
Once completed, the cybersecurity audit must ultimately be certified by an executive responsible for the audit and knowledgeable enough to provide accurate information. This executive will need to submit the audit to the California regulator under penalty of perjury. Submission in this form strongly suggests that the executive may be held personally liable for inaccuracies, perhaps especially if they are deemed to be intentional falsehoods. Companies should anticipate that in the event of any adverse interaction with the regulator, their past audit reports may become a particular point of regulatory scrutiny, and certifying executives may be asked to give testimony.
Legal Support
Experienced counsel can help businesses prepare in at least a few different ways for cybersecurity audits. First, counsel can help assess and confirm applicability requirements. Counsel can help bridge the gap between regulatory text and implementation by working with internal or external auditors who validate audit design and ensure that detailed audit requirements are understood. Once an audit report is prepared in draft form, experienced counsel can advise on the final form of the document that will ultimately need to be submitted to an increasingly active and punitive privacy regulator. For more information, please do not hesitate to contact a member of Taft’s Privacy, Security, and Artificial Intelligence team.