The FTC Doesn't Care About Your Good Intentions
In 2023, the FTC finalized an order against Drizly — an online alcohol delivery company — after a data breach exposed the personal information of roughly 2.5 million consumers. The kicker? The FTC didn't just go after the company. They personally named the CEO and required him to implement a security program at any company he leads for the next decade. One of the core failures cited: inadequate security awareness training for employees.
That's the reality of cybersecurity training compliance in 2026. Regulators aren't issuing gentle suggestions. They're issuing orders, levying fines, and holding individuals accountable. If your organization treats security training as a checkbox exercise — a 15-minute video once a year — you're building a compliance gap that a threat actor or an auditor will eventually exploit.
This post breaks down what regulators actually require, which frameworks mandate training, what "adequate" really means, and how to build a program that protects your people and satisfies your auditors.
Which Regulations Require Cybersecurity Training?
The short answer: almost all of them. The longer answer matters because each framework has different expectations around frequency, documentation, and scope. Here's what I see organizations struggle with most.
HIPAA Security Rule
The HIPAA Security Rule (45 CFR § 164.308(a)(5)) requires covered entities and business associates to implement a security awareness and training program for all members of the workforce, management included. The rule sets no fixed interval; its implementation specifications call for "periodic" security updates and reminders, and HHS guidance and enforcement actions treat that as an ongoing program rather than a once-a-year event. If your only evidence is a single annual completion date per employee, expect the question of what "periodic" means in your program.
PCI DSS 4.0
PCI DSS version 4.0 (superseded by the v4.0.1 revision at the end of 2024, with its future-dated requirements mandatory since 31 March 2025) requires security awareness training on hire and at least once every 12 months (Requirement 12.6.3), and the program itself must be reviewed and updated at least every 12 months (12.6.2). The element that is new relative to v3.2.1 is 12.6.3.1: the training must cover phishing and related attacks and social engineering. The standard does not prescribe phishing simulations, but a documented simulation program with results is the most direct way to show an assessor that the content was delivered and measured rather than posted as a slide deck.
GLBA Safeguards Rule (FTC)
The updated FTC Safeguards Rule under the Gramm-Leach-Bliley Act (16 CFR § 314.4(e)) requires financial institutions to provide personnel with security awareness training that is updated as necessary to reflect the risks identified in their risk assessment. The FTC has been aggressive here, particularly with non-bank financial institutions such as auto dealers, mortgage brokers, and tax preparers that often don't think of themselves as "financial institutions."
State Privacy Laws
Massachusetts 201 CMR 17.00 requires ongoing employee training as part of a written information security program, New York's SHIELD Act lists training employees in the security program's practices among its administrative safeguards, and the CPRA regulations require training for staff who handle consumer privacy requests. New York's DFS Cybersecurity Regulation (23 NYCRR 500.14) is the most prescriptive: since the 2023 amendment it requires cybersecurity awareness training at least annually, covering social engineering and updated to reflect the covered entity's risk assessment.
CMMC and Federal Contractors
If you work with the Department of Defense, CMMC Level 2 incorporates the 110 requirements of NIST SP 800-171, including the Awareness and Training family (3.2.1 through 3.2.3 in Revision 2, derived from the NIST SP 800-53 controls AT-2 and AT-3): users and administrators must be made aware of the risks of their activities, personnel must be trained for their security duties, and staff must be trained to recognize and report insider threat indicators. This isn't optional. No training program, no contract.
What Does "Adequate" Cybersecurity Training Compliance Look Like?
This is the question I get asked most, and it's the one most compliance officers answer wrong. They think "adequate" means "we did it." Regulators think "adequate" means "it works, and you can prove it."
Here's what every enforcement action and audit finding I've reviewed has in common. Regulators look for these elements:
- Frequency: Training must be ongoing. Where a framework names an interval (PCI DSS 12.6.3, 23 NYCRR 500.14), "at least annually" is the floor, not the target; where it says "periodic" or "ongoing" (HIPAA, 201 CMR 17.00), a single yearly session is hard to defend. Quarterly touchpoints plus monthly phishing simulations demonstrate a continuous program.
- Relevance: Generic training gets flagged. Content must address the specific threats your organization faces — credential theft, ransomware, business email compromise.
- Documentation: Completion records, test scores, simulation results, remediation steps. If you can't produce these during an audit, the training effectively didn't happen.
- Role-based training: Executives, IT staff, and front-line employees face different threats. A one-size-fits-all program won't satisfy sophisticated regulators.
- Measurable outcomes: Click rates on phishing simulations dropping over time. Incident reporting going up. Regulators want to see your program is changing behavior, not just filling seats.
If your current program doesn't hit all five, you have a gap. And gaps become findings.
The $4.88M Lesson Most Organizations Still Haven't Learned
According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million. The same report found that organizations with high levels of security training and awareness programs had breach costs significantly below that average.
But here's the part that should keep you up at night: the Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element, such as someone falling for a social engineering lure or making a simple error. Training isn't just a compliance checkbox. It's one of the most cost-effective controls you can deploy against the majority of attack vectors.
When I consult with organizations after a breach, the pattern is almost always the same. They had a training policy on paper. They ran it once a year. Nobody tracked who completed it. Nobody measured whether it changed behavior. And when the phishing email that started the whole mess arrived, an employee clicked it because they'd never seen a realistic phishing simulation in their life.
How to Build a Cybersecurity Training Compliance Program That Actually Holds Up
I've helped organizations across healthcare, finance, and government build training programs that survive audits and reduce incidents. Here's the framework I use.
Step 1: Map Your Regulatory Obligations
Start with a simple spreadsheet. List every regulation, contract clause, and framework your organization must comply with. For each one, document the specific training requirements — frequency, topics, documentation needs. This becomes your compliance matrix. Most organizations skip this step and end up with a program that satisfies some requirements but misses others.
Step 2: Establish a Baseline
Before you train anyone, measure where you are. Run an initial phishing simulation to establish click rates. Survey employees on basic security concepts. Document this baseline because you'll need it to demonstrate improvement to auditors. A strong phishing awareness training program designed for organizations will include built-in baselining and reporting tools.
Step 3: Deploy Ongoing, Role-Based Training
Build a training calendar that includes at least quarterly formal training modules and monthly phishing simulations. Tailor content to roles: your finance team needs to understand invoice fraud and business email compromise. Your IT team needs training on supply chain attacks and zero trust architecture. Your executives need to understand the legal liability landscape — because as the Drizly case showed, regulators are naming names.
Step 4: Document Everything
Every completion, every test score, every simulation result, every remediation action. Store these records according to your retention policy. When an auditor asks for evidence of your cybersecurity training compliance program, you should be able to produce a comprehensive report within minutes, not days.
Step 5: Measure and Improve
Track phishing simulation click rates over time. Monitor security incident reports. Review helpdesk tickets related to suspicious emails. These metrics tell you whether your program is changing behavior. Click rate alone is a weak signal: it swings with lure difficulty, and people learn to spot a vendor's templates rather than phishing in general, so track report rate and time to first report alongside it and keep lure difficulty comparable before comparing campaigns. If click rates aren't declining and report rates aren't rising after six months, your training content isn't working and needs to be refreshed.
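As an added example (not code from the original post), here is the evidence side of Steps 1 through 5 as a small Python script: the compliance matrix from Step 1 as data, per-campaign click and report rates for the baseline and trend in Steps 2 and 5, the per-role view from Step 3, and the overdue list an auditor asks for in Step 4. Every employee, completion date and simulation result below is constructed sample data. The annual cadences are the ones the post cites for PCI DSS 12.6.3 and 23 NYCRR 500.14; reading HIPAA's "periodic" as quarterly is an assumption made for the example.

```python
"""Training compliance evidence from raw records (added example, constructed data)."""
from collections import defaultdict
from datetime import date

# Step 1: the compliance matrix as data. Value = maximum days allowed between
# completed trainings. The HIPAA row treats "periodic" as quarterly (assumption).
OBLIGATIONS = {
    "PCI DSS 12.6.3": 365,
    "23 NYCRR 500.14": 365,
    "HIPAA 164.308(a)(5)": 90,
}

# Constructed sample data: who works here, what they completed, what they clicked.
EMPLOYEES = {"alice": "finance", "bob": "finance", "carol": "it", "dave": "exec", "erin": "it"}
TRAINING_COMPLETIONS = [  # (employee, completion date)
    ("alice", date(2025, 1, 15)), ("alice", date(2025, 4, 10)), ("alice", date(2025, 7, 8)),
    ("bob", date(2025, 1, 15)),
    ("carol", date(2025, 1, 20)), ("carol", date(2025, 6, 30)),
    ("dave", date(2024, 5, 2)),
    # erin has no completion record at all
]
SIMULATIONS = [  # (campaign, employee, clicked the lure, reported it)
    ("2025-01", "alice", True, False), ("2025-01", "bob", True, False),
    ("2025-01", "carol", False, True), ("2025-01", "dave", True, False),
    ("2025-01", "erin", True, False),
    ("2025-04", "alice", False, True), ("2025-04", "bob", True, False),
    ("2025-04", "carol", False, True), ("2025-04", "dave", True, False),
    ("2025-04", "erin", False, False),
    ("2025-07", "alice", False, True), ("2025-07", "bob", False, True),
    ("2025-07", "carol", False, True), ("2025-07", "dave", True, False),
    ("2025-07", "erin", False, True),
]


def overdue(as_of=date(2025, 9, 30), completions=TRAINING_COMPLETIONS,
            employees=EMPLOYEES, obligations=OBLIGATIONS):
    """Step 4: per obligation, the employees whose last completion is older than the
    allowed cadence (or who have no record). Ignores completions dated after as_of."""
    last = {}
    for emp, done in completions:
        if done <= as_of and done > last.get(emp, date.min):
            last[emp] = done
    return {name: sorted(e for e in employees
                         if e not in last or (as_of - last[e]).days > max_days)
            for name, max_days in obligations.items()}


def campaign_rates(simulations=SIMULATIONS):
    """Steps 2 and 5: click and report rate per campaign, oldest first.
    The first campaign is the baseline; later ones show the trend."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _emp, was_clicked, was_reported in simulations:
        sent[campaign] += 1
        clicked[campaign] += was_clicked
        reported[campaign] += was_reported
    return {c: {"click_rate": round(clicked[c] / sent[c], 3),
                "report_rate": round(reported[c] / sent[c], 3)} for c in sorted(sent)}


def role_click_rates(campaign=None, simulations=SIMULATIONS, employees=EMPLOYEES):
    """Step 3: click rate by role, so content can be targeted where it is still failing."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for c, emp, was_clicked, _reported in simulations:
        if campaign is None or c == campaign:
            sent[employees[emp]] += 1
            clicked[employees[emp]] += was_clicked
    return {role: round(clicked[role] / sent[role], 3) for role in sorted(sent)}


def content_needs_refresh(rates, min_campaigns=2):
    """Step 5 rule from the post: if click rates are not declining, refresh the content.
    Compares the latest campaign against the baseline (first) campaign."""
    ordered = list(rates.values())
    if len(ordered) < min_campaigns:
        return False  # not enough data to judge yet
    return ordered[-1]["click_rate"] >= ordered[0]["click_rate"]


def evidence_report(as_of=date(2025, 9, 30)):
    """The report an auditor asks for, assembled from the functions above."""
    rates = campaign_rates()
    return {
        "as_of": as_of.isoformat(),
        "overdue": overdue(as_of),
        "campaigns": rates,
        "latest_by_role": role_click_rates(campaign=max(rates)),
        "content_needs_refresh": content_needs_refresh(rates),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_report(), indent=2))
```

Run it and the report shows the pattern the post warns about: the overall click rate falls from 0.8 to 0.2 across three campaigns, so the content is working, but the exec role is still at 1.0 in the latest campaign and two people are out of cadence for every obligation, which is exactly the role-based and documentation gap an auditor will find first. Swap the constructed lists for exports from your LMS and simulation platform and the same functions produce the evidence on demand.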
What Happens When You Fail a Cybersecurity Training Compliance Audit?
This is the section I wish more organizations would read before they need it. The consequences are real and escalating.
HIPAA violations related to insufficient training have resulted in settlements ranging from hundreds of thousands to millions of dollars. The HHS Office for Civil Rights enforcement page publishes these for the world to see.
PCI DSS is enforced through your contracts with acquirers and the card brands rather than by a regulator. A failed assessment, on Requirement 12.6 or anything else, can mean non-compliance fines passed down by your acquirer, a mandatory investigation by a PCI Forensic Investigator at your expense if a breach follows, and in severe cases losing the ability to process card payments entirely.
For federal contractors, CMMC assessment failure means you don't get the contract. Period. Your competitors will.
And beyond regulatory penalties, there's the civil litigation angle. After a data breach, plaintiff attorneys routinely subpoena training records. If they find your program was inadequate or non-existent, it becomes exhibit A in a negligence claim.
Multi-Factor Authentication Is Not a Substitute for Training
I hear this constantly: "We deployed MFA, so we don't need as much training." That's dangerously wrong. MFA is critical and a core component of any zero trust strategy, but threat actors have adapted. MFA fatigue (push bombing), adversary-in-the-middle phishing proxies that relay the one-time code or steal the authenticated session cookie, and SIM swapping all defeat the weaker factors: push approvals, TOTP codes and SMS. Phishing-resistant MFA (FIDO2/WebAuthn security keys and passkeys) resists the proxy attack because the credential is bound to the legitimate origin, but no factor stops an employee from approving a fraudulent invoice, reading a password to a fake helpdesk, or opening a malicious attachment. The CISA cybersecurity best practices page makes clear that technical controls and human training work together. Neither replaces the other.
Your employees are the last line of defense when technical controls fail — and they will fail. Training ensures your people recognize the attack that got past your filters, your MFA, and your endpoint detection.
Start Building Your Program Today
If your organization needs to establish or strengthen its cybersecurity training compliance program, the hardest part is starting. I've seen too many security leaders delay because they're waiting for budget approval, a vendor evaluation, or the "right time." Meanwhile, phishing emails keep landing and regulators keep auditing.
You can begin building a solid foundation right now with a comprehensive cybersecurity awareness training program that covers the core topics regulators look for — social engineering, credential theft, ransomware, safe browsing, and incident reporting.
The organizations that survive audits and avoid breaches aren't the ones with the biggest budgets. They're the ones that treat training as a continuous, measurable, documented discipline — not an annual inconvenience. That's what cybersecurity training compliance actually means. And in 2026, regulators are making sure you understand the difference.