(a) Every business required to complete a cybersecurity audit pursuant to this Article must do so using a qualified, objective, independent professional (“auditor”) using procedures and standards accepted in the profession of auditing, such as procedures and standards provided or adopted by the American Institute of Certified Public Accountants, the Public Company Accountability Oversight Board, the Information Systems Audit and Control Association, or the International Organization for Standardization.
- (1) To be qualified, an auditor must have knowledge of cybersecurity and how to audit a business's cybersecurity program.
- (2) The auditor may be internal or external to the business but must exercise objective and impartial judgment on all issues within the scope of the cybersecurity audit, must be free to make decisions and assessments without influence by the business being audited, including the business's owners, managers, or employees; and must not participate in activities that may compromise the auditor's independence. For example, the auditor must not participate in business activities that the auditor may assess in the current or subsequent cybersecurity audits, including developing procedures, preparing the business's documents, making recommendations regarding the business's cybersecurity program (separate from articulating audit findings), or implementing or maintaining the business's cybersecurity program.
- (3) If a business uses an internal auditor, to maintain the auditor's independence, the highest-ranking auditor must report directly to a member of the business's executive management team who does not have direct responsibility for the business's cybersecurity program. A member of the business's executive management team who does not have direct responsibility for the business's cybersecurity program must conduct the highest-ranking auditor's performance evaluation, if any, and determine the auditor's compensation.
- (b) The business must make available to the auditor all information in the business's possession, custody, or control that the auditor requests as relevant to the cybersecurity audit (e.g., information about the business's cybersecurity program and information system and the business's use of service providers or contractors). For example, the auditor may request information to determine the scope of the cybersecurity audit and the criteria the cybersecurity audit will use.
- (c) The business must make good-faith efforts to disclose to the auditor all facts relevant to the cybersecurity audit and must not misrepresent any fact relevant to the cybersecurity audit.
- (d) No finding of any cybersecurity audit may rely primarily on assertions or attestations by the business's management. Cybersecurity audit findings must rely primarily upon the specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) that the auditor deems appropriate.
- (e) The cybersecurity audit report must include the information set forth in section 7123, subsection (e).
- (f) The cybersecurity audit report must be provided to a member of the business's executive management team who has direct responsibility for the business's cybersecurity program.
- (g) The business and the auditor must retain all documents relevant to each cybersecurity audit for a minimum of five (5) years after completion of the cybersecurity audit.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).