Cybersecurity Audits as a Foundational Requirement
Publish Date: 2026-05-04 04:45:00
Source Domain: www.fticonsulting.com
Effective January 1, 2026, California fundamentally changed how it regulates cybersecurity.
New regulations implementing the California Consumer Privacy Act (“CCPA”) build upon existing requirements and introduce new obligations for in-scope organizations, including formal risk assessments, annual cybersecurity audits, and enhanced consumer rights processes related to the use of automated decision-making technologies.1
As we continue our series on the CCPA, this article focuses on Article 9 of the new regulations, which requires mandatory cybersecurity audits (“Article 9”). In particular, we examine the key requirements and deadlines, and the best practices businesses can follow to meet them.
An Overview
The California Privacy Rights Act (“CPRA”), adopted by a statewide ballot initiative in 2020, amended the CCPA, and directed the California Privacy Protection Agency (“CPPA”) to develop regulations governing certain privacy practices. Those regulations, which were effective January 1, 2026, add a requirement for certain businesses to conduct mandatory, recurring cybersecurity audits. These audit obligations are set out in Article 9 of the regulations2 and represent the first comprehensive cybersecurity audit regime imposed by a U.S. state privacy law of general applicability.
Historically, U.S. privacy and cybersecurity enforcement has focused on whether a business used “reasonable security.” Article 9 changes that approach by requiring evidence‑based, proactive assessments of cybersecurity preparedness.
For businesses, this means:
Cybersecurity programs must be audit‑ready, not aspirational
Documentation and testing matter as much as written policies
Audit reports will become key regulatory and litigation artifacts
Details on which businesses are considered in scope and must conduct a cybersecurity audit, along with timelines for audit completion, can be found here.
What the Cybersecurity Audit Must Cover
Article 9 requires a comprehensive, evidence‑based audit of a business’s cybersecurity program—not a checklist or high‑level review.
Audits must assess whether safeguards reasonably protect personal information, given the nature and complexity of the business.
Regulations identify 18 core technical and organizational control areas, including:
Authentication and access controls
Encryption of personal information (at rest and in transit)
Data inventory and management (including deletion)
Secure configuration of systems and software
Vulnerability scanning and penetration testing
Audit-log management
Network monitoring, protections, and segmentation
Cybersecurity awareness and education
Secure development and coding best practices
Incident response procedures
Vendor and third‑party security management
Business continuity and disaster recovery
The important point here is that this is a true audit, not a “paper exercise.” The audits must include actual testing of controls and systems. Businesses may want to rely on other prior audits, such as a System and Organization Controls (SOC) audit or an ISO audit, to fulfill the audit requirement under Article 9, but they can only do so if those audits meet the standards set out in Article 9. Key components of the standards for relying on prior audits include:
Scope equivalency
Scope coverage (controls)
Evidence-based testing
Independence and qualification of auditor
Timeline and audit period alignment
Proper documentation for regulatory review
Auditor Independence and Qualifications
Article 9 also imposes strict independence rules for auditors, similar to financial audits. The key requirements for the auditor include:
The auditor must be qualified in cybersecurity and audit methodologies
Auditors may be internal or external, but must:
Remain objective and impartial
Avoid auditing systems they designed or operate
Remain free from business influence or conflicts of interest
If the auditor is internal:
They must report to an executive without responsibility for cybersecurity
That executive must handle the auditor’s evaluation and compensation
Audit Reports, Attestations, and Disclosure Risk
After the audit is conducted, businesses must prepare a written report describing the audit scope and methodology, the findings and deficiencies, and the identified risks and remediation considerations.
A qualified executive must submit a written certification confirming that the audit was completed in compliance with Article 9.
While audit reports are not automatically submitted to regulators, it is recommended that organizations have them prepared and available because:
The CPPA or California Attorney General may request them at any time
Reports will likely be demanded after data breaches or consumer complaints
Audit findings may influence enforcement penalties and litigation outcomes
Why Businesses Should Act Now
Although the first reports are not due until 2028, Article 9 requires:
Mature cybersecurity governance
Cross‑functional coordination (legal, privacy, information technology, security, executive leadership)
Significant documentation and testing readiness
Many organizations are already conducting privileged mock audits or assessments to identify gaps before formal compliance is required. This will help ensure that related controls are met during the required audit period.
Takeaway
Article 9 marks a turning point in U.S. cybersecurity regulation. California has effectively defined what “reasonable security” means in practice—through documentation, testing, and accountability.
For businesses that operate in California or touch California data, cybersecurity audits are no longer optional, informal, or purely technical exercises. They are now governance‑level obligations with regulatory and litigation consequences.
Now is the time to evaluate whether your business will fall within Article 9’s scope.