How CCPA’s cybersecurity audit rules reshape cyber governance

With annual CCPA cybersecurity audits beginning in 2027, organizations must rethink governance, documentation and executive accountability.


In brief
  • CCPA cybersecurity audit requirements will require calendar year annual audits beginning in 2027, raising expectations for compliance and executive oversight.
  • Organizations must demonstrate full-year control effectiveness, clear documentation and readiness to support an audit performed by a qualified, independent auditor.
  • Cyber program maturity assessments, SOC reporting and stronger governance and evidence practices can help organizations prepare ahead of initial certification.

California has enacted updates to the California Consumer Privacy Act (CCPA) that introduce a new independent cybersecurity audit requirement for any organization conducting business in California that handles consumer personal information. Beginning in calendar year 2027, organizations that meet certain revenue thresholds must complete an annual cybersecurity audit and certify that the audit covers the calendar year.

These rules mark an evolution in how organizations demonstrate the maturity of their cybersecurity risk management program. Rather than focusing solely on implementing controls, organizations must now show how effectively those controls perform over a sustained period. This shift also signals a broader trend: cybersecurity governance is becoming more formalized, more transparent and more closely scrutinized by regulators, customers and executive leadership.


The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over US$25 million.
  • Buy, sell or share the personal information of 100,000 or more California residents or households.
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

What the CCPA cybersecurity audit rule requires

Under California’s new regulations, organizations whose processing of personal information presents “significant risk” must complete a yearly cybersecurity audit. While “significant risk” covers several scenarios, it generally applies to organizations that handle large volumes of personal information, process sensitive categories of data or rely on personal data as part of their business model.

The independent cybersecurity audit examines how well the organization’s cybersecurity program protects personal information across a full year. It evaluates not only whether controls exist but also how consistently they operate. Typical areas of focus include authentication practices, encryption standards, access management, network security, incident response planning and the documentation that supports these controls.

To reinforce accountability, a senior leader must formally sign off on the completion of the annual audit. The certification confirms that the independent audit was completed and that the executive has reviewed the results. The certification is then submitted to the state of California, though the detailed audit report itself is not.

“Rising expectations for executive accountability reflect the higher standards organizations are being held to for protecting personal data. These expectations are shaped by an increasingly complex cybersecurity landscape and the real impact failures can have on consumer privacy and trust,” said Jaime Kipnes, EY Global and Americas Technology Risk Cybersecurity Assurance Leader.


Practical challenges in meeting CCPA cybersecurity audit requirements

Many organizations already conduct security assessments but the new cybersecurity audit requirements in California introduce several complexities:

How SOC 2 supports CCPA cybersecurity audit readiness

A System and Organization Controls 2 (SOC 2) examination evaluates controls relevant to security, availability, processing integrity, confidentiality and privacy. These areas, known as the Trust Services Criteria, provide a structured approach for demonstrating how well systems and processes protect information. Organizations typically scope SOC 2 examinations based on relevance to their services and risk profile and it is rare for a single report to include all five criteria.

Although a SOC 2 report is not a direct replacement for a CCPA cybersecurity audit, it can serve as an important foundation with strong overlap. Organizations with mature SOC programs often have:

  • clearly documented controls
  • well-maintained evidence trails
  • defined control owners
  • annual cycles of independent review

Such practices support the discipline required for the new cybersecurity audit. SOC 2 also reinforces activities like evidence management, repeatable testing and governance documentation, which are essential for demonstrating full-year compliance. To comply with the CCPA cybersecurity audit requirement, organizations may choose to have their external auditor supplement the SOC 2 work with a targeted CCPA attestation report that addresses remaining CCPA audit requirements, reducing duplication and streamlining preparation.

“By preparing early and integrating SOC 2 leading practices with targeted CCPA audit efforts, organizations build not only compliance, but confidence — they will be ready to meet regulatory demands while strengthening operational resilience,” says Brandon Miller, EY Global and Americas Technology Risk System and Organization Controls, Attestation and Certification Leader.

Leadership priorities for CCPA cybersecurity audit readiness

Preparing early not only supports compliance but also strengthens trust and operational resilience. Several actions can help organizations move forward confidently.

1. Evaluate independence

Engage your external auditor or, if an internal audit team will perform the cybersecurity review, verify that reporting structures preserve independence and confirm that auditors have defined authority and appropriate access.

2. Map current controls to CCPA expectations

Organizations with SOC programs can assess how existing controls align with the CCPA audit requirements to identify where further enhancements or additional documentation may be needed.

3. Plan for full-year audit evidence

Collecting evidence across a complete calendar year requires intentional processes, checkpoints and coordination across cybersecurity, technology, compliance and risk teams.

4. Develop a clear executive certification process

Executives responsible for signing audit certifications need structured review processes and visibility into cybersecurity performance throughout the year in addition to audit results. Establishing these processes early will help ensure accuracy and confidence.


Summary

The CCPA cybersecurity audit requirement represents a shift in how organizations demonstrate readiness and accountability for protecting personal information. It encourages leaders to engage more deeply with cybersecurity performance and strengthens executive accountability for those protections.

While meeting these new expectations will require planning and coordination, the requirements also present an opportunity. Organizations that prepare early will not only meet compliance deadlines but also enhance their governance, build trust with stakeholders and demonstrate a long-term commitment to strong cybersecurity practices.
