Bayport Networks conducts CCPA cybersecurity readiness audits and HIPAA compliance assessments for California businesses. The compliance program includes gap analysis, control implementation, policy documentation, and ongoing monitoring to satisfy regulatory requirements and cyber insurance underwriting standards.
What are the CCPA cybersecurity requirements for California businesses?
California businesses that collect or process consumer personal information must implement and maintain reasonable security controls under CCPA and CPRA. These controls include data encryption at rest and in transit, role-based access logging, documented incident response plans, regular vulnerability assessments, and employee security awareness training. Businesses that fail to maintain these controls face regulatory fines up to $7,500 per intentional violation and risk denied cyber insurance coverage at renewal.
What Changed in 2026
Three regulatory shifts hit California businesses simultaneously. Each carries independent compliance obligations and enforcement penalties.
Mandatory Cybersecurity Audits
Qualifying businesses must complete annual independent cybersecurity audits assessing all 18 required controls. Phased deadlines run from April 2028 through April 2030 based on revenue tier.
Risk Assessments
Active as of January 2026. Any business that sells or shares personal information, processes sensitive data, or uses automated decision-making must assess whether privacy risks outweigh benefits. Attestations due April 1, 2028.
AI & Automated Decision Rules
Effective January 2027. If AI assists hiring, compensation, housing, credit, or healthcare decisions, you must conduct risk assessments, provide pre-use notice, and enable consumer opt-out. Preparation starts now.
The 18 Required Cybersecurity Controls
California's cybersecurity audit framework requires independent assessment against all 18 of these controls. Auditors must use recognized standards (NIST CSF 2.0, AICPA, ISACA, or ISO).
Access & Authentication
Authentication
MFA and strong password requirements on all remote and admin access
Access Controls
Documented access policies and least-privilege enforcement
Data Protection
Encryption
Personal information encrypted at rest and in transit
Asset Inventory
Documented inventory of personal information and processing systems
System Segmentation
Isolation of systems handling sensitive personal data
Data Retention & Disposal
Documented retention policies and secure disposal procedures
Monitoring & Detection
Audit-Log Management
Centralized collection, retention, and monitoring of audit logs
Network Monitoring
Active network monitoring with threat detection and alerting
Endpoint Protection
EDR/antimalware coverage on all endpoints
Port & Protocol Control
Limitation and monitoring of exposed ports, services, and protocols
Infrastructure & Development
Secure Configuration
Hardened configurations for all hardware and software
Vulnerability Management
Internal/external vulnerability scans and penetration testing
Secure Development
Secure code review and development standards
Training, Policy & Response
Security Awareness Training
Training programs for all personnel on evolving threats
Cybersecurity Education
Formal training for staff with system access to security controls
Vendor Oversight
Security assessments and contract reviews for third parties
Incident Response
Written, tested incident response plan with tabletop exercises
Business Continuity
Tested backup/recovery procedures with documented RTO/RPO
Audit Timeline by Revenue Tier
Deadlines are phased by company size. Annual certification must be submitted to CalPrivacy by the deadline. Audit records must be retained for 5 years.
Over $100M revenue
$50M – $100M revenue
Under $50M revenue
Applies to businesses with $25M+ revenue processing 250,000+ consumers' data, or 50,000+ consumers' sensitive data, or deriving 50%+ of revenue from selling/sharing personal information.
Check Your Security Readiness
Answer 9 yes-or-no questions to see how your organization compares to what CPRA auditors, insurers, and regulators will look for.
Find out if your organization meets the baseline controls that insurers and California regulators commonly look for.
Frequently Asked Questions
Does my business need to complete a California cybersecurity audit?
If your business has $25M+ in annual revenue and processes personal information of 250,000+ California consumers (or sensitive personal information of 50,000+ consumers), you are subject to mandatory annual cybersecurity audits. Businesses that derive 50% or more of revenue from selling or sharing personal information are also covered regardless of size. The requirement phases in by revenue tier through 2030.
What's the difference between a risk assessment and a cybersecurity audit under CPRA?
A risk assessment evaluates whether your data processing activities create privacy risks that outweigh their benefits. These are active now, with attestations due April 1, 2028. A cybersecurity audit is a separate requirement where an independent auditor assesses your organization against all 18 required security controls. Audits phase in between 2028 and 2030 depending on your revenue tier.
Can we use our existing SOC 2 or ISO 27001 audit to satisfy the CPRA requirement?
Potentially. If your existing SOC 2 or ISO 27001 audit covers all the regulatory requirements under CCPA/CPRA and was conducted by a qualified independent professional using recognized standards (AICPA, PCAOB, ISACA, or ISO), it may satisfy the requirement. However, most existing audits will need supplementation to cover all 18 CPRA controls specifically.
How do California's ADMT rules affect my use of AI tools?
If your business uses automated decision-making technology for significant decisions like hiring, compensation, promotions, housing, credit, or healthcare, you must conduct a risk assessment before deployment, provide pre-use notice to affected individuals, enable opt-out rights, and honor access requests. These rules take effect January 1, 2027.
What happens if my business doesn't complete the required cybersecurity audit?
Penalties are $2,500 per negligent violation and $7,500 per intentional violation. There is also a private right of action allowing consumers to seek $100 to $750 per consumer per incident. Both the California Attorney General and CalPrivacy (California Privacy Protection Agency) have concurrent enforcement authority and have demonstrated willingness to act, including enforcement actions against data brokers in January 2026.
What does 'sensitive personal information' mean under California law?
Sensitive personal information includes Social Security numbers, financial account data, precise geolocation, biometric templates, health information, sex and gender identity information, union membership, and similar categories. Processing this type of data at scale (50,000+ consumers) triggers the cybersecurity audit requirement at a lower threshold than general personal information.
How does cyber insurance underwriting relate to these new requirements?
Cyber insurers evaluate controls against industry standards that closely align with the CPRA audit framework, including MFA, EDR, incident response plans, and audit logging. Passing a CPRA audit often improves insurance terms and reduces premiums. Conversely, 41% of first-time cyber insurance applications are denied, most commonly for missing the same baseline controls that CPRA now mandates.
How long does it take to become audit-ready?
Most environments can reach audit readiness within 30 to 90 days depending on their starting point. Bayport Networks implements the core controls through Net.Protect, which layers managed security on top of your existing IT infrastructure. Organizations that already have some controls in place typically close gaps faster. The key is starting before your deadline, not waiting for enforcement.
Does my business need a CCPA cybersecurity audit?
If your California business collects personal information from consumers and meets CCPA thresholds (annual revenue over $25 million, data on 100,000+ consumers, or 50%+ revenue from selling data), you are required to implement and maintain reasonable security controls. An audit identifies gaps before regulators or insurers do.
How does cyber insurance define adequate security controls?
Most cyber insurance underwriters require multi-factor authentication on all remote access, endpoint detection and response on all devices, documented incident response plans, regular vulnerability scanning, and employee security awareness training. Failing to demonstrate these controls can result in denied claims or non-renewal.
What are the fines for HIPAA non-compliance in California?
HIPAA penalties range from $141 per violation for unknowing violations to $2,134,831 per violation for willful neglect. California's additional state privacy laws (CCPA/CPRA) can add fines of $2,500 per unintentional violation and $7,500 per intentional violation. Beyond fines, a breach notification requirement can cost $50 to $150 per affected individual.