Bass, Berry & Sims attorneys Roy Wyman and Wesley McCulloch co-authored an article for Cyber Defense Magazine outlining how executives and cybersecurity leaders can prepare for the California Consumer Privacy Act’s (CCPA) cybersecurity audit requirements.
In 2025, the California Privacy Protection Agency (CalPrivacy) finalized new regulations under the CCPA. The attorneys provided guidance on what an organization’s executives and cybersecurity leaders need to know to conduct the cybersecurity audits required under the new regulations.
Roy and Wesley clarified that only certain businesses, those whose personal data processing activities present a “significant risk,” are required to conduct cybersecurity audits under the new regulations. The attorneys noted that these businesses must conduct a cybersecurity audit each year, and that the new regulations require them to submit an executive certification to CalPrivacy by April 1 of the following calendar year.
The authors advised that businesses should forecast whether they may become subject to the audit requirements in the next calendar year so that they can prepare for the audits. The authors also recommended that businesses be mindful in deciding whether to use an internal auditor, given the possibility of greater scrutiny. Whether internal or external, the auditor cannot both audit the cybersecurity program and develop or implement any part of it, including remediation recommendations.
The authors also highlighted risks imposed on executives directly by the certification requirements. “Executives should review carefully the New Regulations and consider what information they will need to satisfy themselves that the audit was conducted as described in the audit report,” said Roy and Wesley.
The full article, “Preparing for CCPA’s Coming Cybersecurity Audit Requirements: How Executives and Cybersecurity Leaders Can Prepare,” was published in the February edition of Cyber Defense Magazine and is available online.