The FTC Settlement That Should Make You Rethink Your Training Program

In January 2023, the FTC finalized a settlement with Drizly and its CEO after a data breach exposed the personal information of roughly 2.5 million consumers. The kicker? The FTC specifically called out the company's failure to implement adequate security awareness training. The order didn't just target the company — it followed the CEO personally to future roles. That's the new reality of cybersecurity training compliance.

If you're still treating security training as a once-a-year slideshow your employees click through while eating lunch, you're exposed. Regulators at the federal and state level are getting specific about what they expect. And when a breach happens, "we had a training program" isn't enough. They want to see what was in it, how often it ran, and whether it actually changed behavior.

This post breaks down what cybersecurity training compliance actually requires across major frameworks, what regulators look for during enforcement actions, and how to build a program that protects your organization — not just on paper, but in practice.

What Does Cybersecurity Training Compliance Actually Mean?

Cybersecurity training compliance refers to meeting the specific security awareness and education requirements set by laws, regulations, and industry standards that apply to your organization. These requirements vary depending on your industry, the data you handle, and where you operate — but they share common elements: regular training, documented participation, relevant content, and measurable outcomes.

It's not a single standard. It's the intersection of multiple obligations. HIPAA, PCI DSS, GLBA, CMMC, and a growing set of state privacy and cybersecurity laws each impose training requirements of their own, and even the SEC's cybersecurity disclosure rules, which mandate no training, require you to describe the risk management processes your training is part of. Miss any one of them, and you've created a compliance gap a regulator or plaintiff's attorney will find.

The Regulatory Landscape: Who Requires What

HIPAA: Healthcare's Training Mandate

The HIPAA Security Rule (45 CFR § 164.308(a)(5)) explicitly requires covered entities and business associates to implement a security awareness and training program. The HHS Office for Civil Rights has consistently cited training failures in breach settlement agreements. In 2023, OCR continued its enforcement streak, making it clear that "we didn't train our staff" is not an acceptable defense.

The rule itself lists only four addressable implementation specifications (security reminders, protection from malicious software, log-in monitoring, and password management) and otherwise leaves content to the covered entity, but OCR guidance and corrective action plans point to phishing simulation exercises, password management education, and procedures for reporting suspicious activity. If your workforce handles protected health information, a generic annual video won't satisfy the standard.

PCI DSS 4.0: The New Bar for Payment Card Security

PCI DSS v4.0 strengthens training requirements. Version 3.2.1 was retired on 31 March 2024, and the future-dated v4.0 requirements, including the new sub-requirements under 12.6, become mandatory on 31 March 2025. Requirement 12.6.2 requires that the security awareness program be reviewed at least once every 12 months and updated as needed to address new threats, and 12.6.3.1 requires that the training cover threats relevant to the organization's cardholder data environment, explicitly including phishing and related attacks and social engineering.

Requirement 12.6.3 also requires that personnel complete the training at least once every 12 months and acknowledge, at least once every 12 months, that they have read and understood the security policy and procedures. No more assuming people completed it. You need receipts.

CMMC: Defense Contractors Under the Microscope

If you're in the defense industrial base, the Cybersecurity Maturity Model Certification requires security awareness training at Level 2 and above (Level 1 covers only the basic safeguards of FAR 52.204-21, which include no training practice). CMMC Level 2 maps directly to NIST SP 800-171, whose Awareness and Training family includes 3.2.1 (security awareness for managers, system administrators, and users), 3.2.2 (role-based training for personnel with assigned security duties, privileged users included), and 3.2.3 (insider threat awareness). The Department of Defense is making it clear: if you want contracts, you need trained people.

State Privacy Laws and the SEC

Multiple state laws, including the New York SHIELD Act, the California Consumer Privacy Act regulations, and the Massachusetts data security regulation (201 CMR 17.00), include employee training requirements. The New York Department of Financial Services' Cybersecurity Regulation (23 NYCRR Part 500), amended in November 2023, explicitly requires in section 500.14 annual cybersecurity awareness training, including social engineering, for all personnel.

The SEC's new cybersecurity risk management rules for public companies, adopted in July 2023, don't mandate specific training programs — but they require disclosure of cybersecurity risk management processes. If your risk management strategy doesn't include workforce training, that's a disclosure problem.

The $4.45M Lesson Most Organizations Learn Too Late

IBM's 2023 Cost of a Data Breach Report pegged the global average cost of a breach at $4.45 million, a record high at the time. Organizations reporting a high-level security skills shortage faced costs averaging $5.36 million. Training isn't overhead. It's a risk reduction investment whose return you can measure against those numbers.

Here's what I've seen repeatedly in incident response engagements: the breach starts with a phishing email. The employee clicks because they were never trained to spot it — or they were trained once, two years ago, with content that didn't match current threat actor tactics. Credential theft leads to lateral movement, then ransomware deployment, then a seven-figure incident response bill.

The Verizon 2023 Data Breach Investigations Report found that 74% of all breaches involved the human element — including social engineering, errors, and misuse. You can deploy every technical control on the market, but if your people aren't trained, your attack surface remains massive. That's where cybersecurity awareness training programs become essential.

What Regulators Actually Look For After a Breach

I've reviewed enforcement actions from the FTC, HHS OCR, and state attorneys general. When regulators investigate a breach, they consistently ask the same questions about training:

  • Frequency: Was training conducted at least annually? More often for high-risk roles?
  • Relevance: Did the content address current threats — phishing, social engineering, credential theft, ransomware — or was it generic and outdated?
  • Documentation: Can you prove who completed training and when? Are completion records maintained?
  • Testing: Did you conduct phishing simulations or other exercises to measure actual employee behavior?
  • Updates: Was the program updated to reflect new threats, new attack vectors, and lessons learned from prior incidents?
  • Scope: Was every employee covered, including contractors, executives, and IT staff with privileged access?

If you can't answer "yes" to all six, you have a cybersecurity training compliance gap. It's that straightforward.

How to Build a Training Program That Holds Up

Step 1: Map Your Regulatory Obligations

Start with a compliance inventory. List every regulation, standard, and contractual obligation that applies to your organization. For each one, document the specific training requirements — frequency, content, documentation, and testing. This becomes your baseline.

Don't assume one training program covers everything. HIPAA requirements differ from PCI DSS requirements, which differ from CMMC requirements. You may need layered content to address each framework.

Step 2: Train Based on Real Threats, Not Theoretical Ones

Your training content must reflect the actual tactics threat actors use against your industry right now. In my experience, the most effective programs pull examples from real incidents. Show employees what a business email compromise attack actually looks like. Walk them through a real smishing campaign. Explain how MFA fatigue (push-bombing) attacks work, where an attacker who already holds a stolen password fires off push prompts until the user approves one just to make them stop, because attackers are using them right now.

Generic "don't click suspicious links" content fails because employees don't know what "suspicious" looks like. Specificity changes behavior. If you need a structured approach to phishing-specific education, phishing awareness training designed for organizations can give you a curriculum that maps to actual attack patterns.

Step 3: Run Phishing Simulations — Then Act on the Data

Phishing simulation is not optional for any serious cybersecurity training compliance program. CISA recommends it. NIST's SP 800-50 Revision 1 guidance emphasizes testing and measurement. PCI DSS 4.0 (Requirement 12.6.3.1) requires that awareness content cover phishing and social engineering, and a simulation is the most direct evidence that the content took.

But simulations only work if you do something with the results. Identify repeat clickers. Provide targeted remediation training. Track improvement over time. If 30% of your finance team clicks simulated phishing emails, that's a risk you need to address before a real threat actor exploits it.

Step 4: Document Everything

This is where most organizations fail cybersecurity training compliance reviews. You ran the training. Great. Can you prove it? Every session needs a completion record tied to a specific individual, date, and content module. Store these records for a minimum of six years (HIPAA's documentation retention period under 45 CFR § 164.316(b)(2)), or whatever your longest applicable retention requirement mandates.

Phishing simulation results, training updates, and program review dates all need documentation. When an auditor, regulator, or opposing counsel comes asking, "show me your training records" should be a five-minute request, not a five-week scramble.

Step 5: Make It Continuous, Not Annual

Annual training satisfies the bare minimum of most regulatory requirements. But bare minimum doesn't stop breaches. The organizations I've seen perform best run monthly micro-trainings — five to ten minutes of targeted content — supplemented by quarterly phishing simulations and annual comprehensive sessions.

This approach keeps security awareness top of mind without creating training fatigue. It also gives you more data points to demonstrate compliance and measure behavioral change over time.

Step 6: Include Everyone — Especially Executives

The Verizon DBIR consistently shows that senior executives are high-value targets for social engineering. Yet in my experience, executives are the most likely group to skip training or request exemptions. That's a compliance failure and a security failure simultaneously.

Your program must cover all personnel: full-time employees, part-time staff, contractors, temporary workers, and the C-suite. Role-based training for privileged users — system administrators, finance staff with wire transfer authority, HR with access to PII — should go beyond the baseline.

Zero Trust Starts With Trained People

There's a tendency to think of zero trust as a purely technical architecture — network segmentation, identity verification, least-privilege access. But zero trust is also a mindset. Employees trained to verify before trusting, to question unexpected requests, and to report anomalies are the human layer of your zero trust strategy.

A well-trained workforce doesn't eliminate the need for technical controls. It makes those controls more effective. When an employee flags a suspicious email before clicking, that's zero trust in action at the human level. No firewall does that.

Real Numbers: What the FBI Is Seeing

The FBI's 2022 Internet Crime Report documented over $10.3 billion in losses from cybercrime complaints — a 49% increase from 2021. Business email compromise accounted for $2.7 billion of that. Phishing was the most reported crime category, with over 300,000 complaints.

These aren't sophisticated zero-day exploits. They're social engineering attacks that succeed because someone wasn't trained to recognize them. Every dollar you invest in cybersecurity training compliance is a dollar invested in not becoming one of those statistics.

The Audit-Ready Checklist

Here's a quick self-assessment. If you can check every box, your cybersecurity training compliance program is in strong shape:

  • Training is conducted at least annually for all personnel
  • Content is reviewed and updated at least once per year
  • Phishing simulations run at least quarterly
  • Completion records are maintained with dates and individual identifiers
  • Role-based training exists for high-risk roles (IT admins, finance, HR, executives)
  • Training addresses current threats: phishing, social engineering, ransomware, credential theft
  • Remediation training is provided to employees who fail phishing simulations
  • Program metrics are reported to senior leadership at least annually

If you're missing even one of these, start there. A structured cybersecurity awareness training program can close gaps quickly and give you the documentation framework you need for audit readiness.
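Every item in that checklist, like the six regulator questions and the simulation follow-up and record-keeping in Steps 3 and 4, is something you should be able to answer from your own records rather than from memory. The script below is an added example written for this post, not code from the original or from any LMS, simulation vendor or regulator. It runs the record-driven checks (annual completion for every person including contractors, role-based modules for high-risk roles, repeat clickers, remediation after a click, per-role click rate, and quarterly campaign cadence) over constructed sample records. The record layouts, the role and module names, the 365-day window, the two-click threshold and the 100-day cadence limit are all assumptions chosen for illustration; map them onto your LMS export and your own policy.

```python
# Audit-readiness checks over training and phishing-simulation records. Added
# example for this post: the record layouts, role and module names, and the
# thresholds are assumptions, not any regulator's or vendor's schema, and the
# sample records below are constructed, not real people, campaigns or results.
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)                  # date of the review
ANNUAL_MODULE = "annual-awareness"
REMEDIATION_MODULE = "phish-remediation"
ROLE_MODULES = {"it_admin": "privileged-user", "finance": "wire-transfer-fraud"}  # assumed

PERSONNEL = [  # (user_id, role, employment_type); contractors are in scope too
    ("u001", "finance", "employee"), ("u002", "finance", "employee"),
    ("u003", "it_admin", "employee"), ("u004", "executive", "employee"),
    ("u005", "hr", "contractor"),
]
COMPLETIONS = [  # (user_id, module, completion_date)
    ("u001", ANNUAL_MODULE, date(2024, 2, 10)),
    ("u001", "wire-transfer-fraud", date(2024, 2, 11)),
    ("u002", ANNUAL_MODULE, date(2023, 1, 15)),   # more than 365 days old
    ("u002", REMEDIATION_MODULE, date(2024, 4, 5)),
    ("u003", ANNUAL_MODULE, date(2024, 3, 1)),
    ("u003", "privileged-user", date(2024, 3, 2)),
    ("u005", ANNUAL_MODULE, date(2024, 1, 20)),
    # u004, the executive, has no completion record at all
]
SIMULATIONS = [  # (campaign_date, user_id, clicked)
    (date(2023, 7, 1), "u001", False), (date(2023, 7, 1), "u002", True),
    (date(2023, 10, 1), "u001", True), (date(2023, 10, 1), "u002", True),
    (date(2024, 1, 1), "u001", False), (date(2024, 1, 1), "u002", True),
    (date(2024, 1, 1), "u004", True),
    (date(2024, 4, 1), "u002", False), (date(2024, 4, 1), "u003", False),
]

def latest_completion(user_id, module):
    """Most recent completion date of `module` for `user_id`, or None."""
    dates = [d for u, m, d in COMPLETIONS if u == user_id and m == module]
    return max(dates) if dates else None

def stale_or_missing(required, as_of=AS_OF, max_age_days=365):
    """Users with no completion of their required module inside the window;
    `required` is one module for everyone or a role -> module dict. A missing
    record and an expired one look the same to an auditor, so both are listed."""
    cutoff = as_of - timedelta(days=max_age_days)
    out = []
    for user_id, role, _kind in PERSONNEL:
        module = required if isinstance(required, str) else required.get(role)
        if module is None:
            continue
        latest = latest_completion(user_id, module)
        if latest is None or latest < cutoff:
            out.append(user_id)
    return sorted(out)

def repeat_clickers(threshold=2):
    """user_id -> click count for users who clicked in >= `threshold` campaigns."""
    counts = defaultdict(int)
    for _day, user_id, clicked in SIMULATIONS:
        counts[user_id] += int(clicked)
    return {u: n for u, n in counts.items() if n >= threshold}

def click_rate_by_role():
    """Clicked / delivered per role; roles never targeted are absent, not zero."""
    role_of = {u: r for u, r, _kind in PERSONNEL}
    delivered, clicked = defaultdict(int), defaultdict(int)
    for _day, user_id, did_click in SIMULATIONS:
        delivered[role_of[user_id]] += 1
        clicked[role_of[user_id]] += int(did_click)
    return {role: clicked[role] / delivered[role] for role in delivered}

def unremediated_clickers():
    """Users whose latest click has no remediation completion on or after it."""
    last_click = {}
    for day, user_id, clicked in SIMULATIONS:
        if clicked:
            last_click[user_id] = max(day, last_click.get(user_id, day))
    out = []
    for user_id, click_day in last_click.items():
        fixed = latest_completion(user_id, REMEDIATION_MODULE)
        if fixed is None or fixed < click_day:
            out.append(user_id)
    return sorted(out)

def quarterly_cadence_ok(as_of=AS_OF, max_gap_days=100):
    """True if no gap between campaigns, or since the last one, exceeds the limit."""
    points = sorted({d for d, _u, _c in SIMULATIONS}) + [as_of]
    return len(points) > 1 and all(
        (b - a).days <= max_gap_days for a, b in zip(points, points[1:]))

def audit_report(as_of=AS_OF):
    """The findings behind the six regulator questions, keyed by finding."""
    return {
        "annual_training_stale_or_missing": stale_or_missing(ANNUAL_MODULE, as_of),
        "role_training_stale_or_missing": stale_or_missing(ROLE_MODULES, as_of),
        "repeat_clickers": repeat_clickers(),
        "click_rate_by_role": click_rate_by_role(),
        "unremediated_clickers": unremediated_clickers(),
        "quarterly_cadence_ok": quarterly_cadence_ok(as_of),
    }

if __name__ == "__main__":
    for finding, value in audit_report().items():
        print(f"{finding}: {value}")
```

Run it and the report names who is out of compliance by identifier, which is exactly the form an auditor asks for: the executive with no record at all shows up under both the annual and the remediation findings, and the finance analyst who clicked three campaigns running shows up as a repeat clicker even though the remediation module was eventually completed. Swap the constructed lists for a CSV export from your LMS and simulation platform and schedule the script ahead of each quarterly review, so the five-minute records request really does take five minutes.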

Compliance Is the Floor, Not the Ceiling

Meeting regulatory requirements is necessary. It protects you from fines, enforcement actions, and breach notification liability. But compliance alone doesn't stop a determined threat actor. The organizations that avoid breaches combine compliance with culture — building a workforce that instinctively questions, verifies, and reports.

That takes sustained effort, leadership buy-in, and training content that respects your employees' intelligence. Nobody learns from a boring slideshow. Invest in programs that engage people with realistic scenarios, practical guidance, and measurable outcomes. If your current approach isn't moving the needle on phishing awareness and response, it's time to change it.

The regulatory environment is only getting stricter. The threats are only getting more sophisticated. The organizations that thrive will be the ones that stopped treating cybersecurity training compliance as a checkbox and started treating it as a core business function — starting today.