In October 2024, the FTC finalized a settlement with Marriott International and its subsidiary Starwood Hotels over data breaches that exposed the personal information of 344 million customers. Among the FTC's requirements: Marriott had to implement a comprehensive information security program — including mandatory employee training. That wasn't a suggestion. It was a legal order.

If you think cybersecurity training compliance is just a checkbox exercise, Marriott's experience should change your mind. Regulators at every level — federal, state, and industry-specific — now expect documented, recurring security awareness training for every employee who touches sensitive data. And they're enforcing it with real penalties.

This post breaks down exactly what regulators require, which frameworks demand training, and how to build a program that actually satisfies auditors while reducing your risk of a data breach.

Why Cybersecurity Training Compliance Is Non-Negotiable in 2025

The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — phishing, credential theft, social engineering, or simple errors. That number hasn't budged much in years, and regulators have noticed.

Here's the logic: if humans cause the majority of breaches, then organizations that fail to train their humans are negligent. That's the reasoning behind nearly every enforcement action I've tracked over the last five years. Regulators don't just want you to buy firewalls. They want proof that your people know what a phishing email looks like.

And it's not just about avoiding fines. The average cost of a data breach hit $4.88 million in 2024, according to IBM's Cost of a Data Breach Report. Training is the cheapest mitigation you have against the most common attack vector. When compliance and cost savings align this clearly, there's no excuse for inaction.

Which Regulations Require Security Awareness Training?

One of the most common questions I get is: does my organization actually need cybersecurity training to be compliant? The short answer is almost certainly yes. Here's where the requirements live.

HIPAA (Healthcare)

The HIPAA Security Rule (45 CFR § 164.308) explicitly requires covered entities and business associates to implement a "security awareness and training program for all members of its workforce." The Office for Civil Rights (OCR) has cited inadequate training in multiple enforcement actions. This isn't vague — it's a documented administrative safeguard.

PCI DSS 4.0 (Payment Card Industry)

PCI DSS 4.0, which became mandatory in March 2025, strengthened training requirements under Requirement 12.6. Organizations must deliver security awareness training upon hire and at least annually. Requirement 12.6.3.1 now specifically requires training to address threats like phishing and social engineering. If you process credit card transactions, your auditor will ask for proof.

FTC Act (Section 5)

The FTC doesn't have a single "training rule," but it uses Section 5 to enforce "reasonable security practices." In consent orders — like those against Marriott, Chegg, and Drizly — the FTC has consistently required comprehensive employee training programs. If the FTC comes knocking, "we didn't think training was required" won't fly.

GLBA Safeguards Rule (Financial Services)

The updated FTC Safeguards Rule (16 CFR Part 314), which went into effect in 2023, requires financial institutions to provide security awareness training. This applies to a surprisingly broad range of businesses — tax preparers, auto dealers, mortgage brokers, and more.

State Privacy Laws

At least a dozen states have enacted privacy or data protection laws that reference employee training. New York's SHIELD Act, for example, requires "reasonable safeguards" that include training for employees who handle private information. Massachusetts 201 CMR 17.00 explicitly requires ongoing security education. Your state likely has something similar.

NIST Cybersecurity Framework

NIST CSF 2.0, released in February 2024, addresses awareness and training under the Govern function (GV.AT). While NIST isn't a regulation, it's the framework that most federal agencies and government contractors reference. If your organization touches federal contracts, NIST compliance — including training — is effectively mandatory. You can review the full framework at NIST.gov.

What Does "Compliant" Training Actually Look Like?

Here's where most organizations stumble. They send one training email per year, collect a signature, and call it done. That won't survive an audit — and it definitely won't change employee behavior.

Based on my experience reviewing audit findings and enforcement actions, compliant cybersecurity training programs share these characteristics:

  • Regular cadence: At minimum, annual training. Best practice is quarterly reinforcement with monthly phishing simulations.
  • Role-based content: A developer handling source code needs different training than a receptionist. Regulators increasingly expect tailored content.
  • Documented completion: You need records showing who completed training, when, and what topics were covered. No records means no proof.
  • Current threat coverage: Training must address current attack methods — phishing, ransomware, credential theft, business email compromise, and social engineering. Generic "don't share your password" modules from 2018 won't cut it.
  • Measurable outcomes: Can you show your phishing simulation click rate dropped from 30% to 8%? That's the kind of data auditors love.

If your current program doesn't check all five boxes, you have a gap. And gaps become findings.

The $4.88M Lesson Most Organizations Learn Too Late

I've seen this pattern dozens of times. An organization suffers a breach caused by a phishing email. During the investigation, regulators or plaintiffs' attorneys ask one question: what training did this employee receive?

If the answer is "a 20-minute video during onboarding three years ago," that organization is in serious trouble. The breach itself is expensive. The regulatory penalty for inadequate safeguards makes it worse. And the litigation discovery showing you knew training was required but didn't invest in it? That's where the real damage happens.

Consider what happened with Drizly. In 2022, the FTC took action after a breach exposing 2.5 million customers' data. The FTC's complaint specifically cited Drizly's failure to implement adequate security training. The consent order required the company to implement a comprehensive security program — with training as a core component.

This is the pattern. Breach, investigation, training gap discovered, enforcement action. You can break the pattern by building the program before the breach happens.

How to Build a Cybersecurity Training Compliance Program That Works

Let me walk through the practical steps. This isn't theory — it's what I recommend to organizations that need to pass audits and actually reduce risk.

Step 1: Identify Your Regulatory Requirements

Map every regulation that applies to your organization. Don't guess. If you handle health data, HIPAA applies. Credit cards? PCI DSS. Consumer financial data? GLBA. Government contracts? NIST. Most mid-size organizations fall under at least two frameworks. Document them.

Step 2: Establish a Training Baseline

Every employee needs foundational cybersecurity awareness training covering phishing, social engineering, password hygiene, multi-factor authentication, data handling, and incident reporting. This baseline should be delivered during onboarding and refreshed at least annually.

Step 3: Layer in Phishing Simulations

Classroom training alone doesn't change behavior. You need to test employees with realistic phishing simulations — and track the results. Monthly simulations with immediate feedback for employees who click are the gold standard. A dedicated phishing awareness training program for organizations gives you both the simulation capability and the documentation auditors expect.

Step 4: Customize by Role and Risk

Your finance team is a prime target for business email compromise. Your IT admins face credential theft attacks. Your executives get whale-phished. Tailor supplemental training to these specific threats and scenarios. One-size-fits-all training leaves your highest-risk employees under-prepared.

Step 5: Document Everything

Maintain records of every training session, every simulation, every completion certificate, and every remedial action. Store them for at least six years — some regulations require longer. When an auditor asks "show me your training records for Q3," you need to produce them in minutes, not days.

Step 6: Review and Update Quarterly

Threat actors evolve. Your training must evolve with them. Review your program quarterly against current threats identified by CISA's threat advisories and update content accordingly. A program that hasn't been updated in 12 months is already stale.

What Auditors Actually Look For

I've sat through enough compliance audits to know exactly what auditors check. Here's their real checklist — not the marketing version:

  • Written policy: A formal policy requiring security awareness training, signed by leadership.
  • Training records: Completion logs with dates, employee names, and topic summaries.
  • Frequency evidence: Proof that training happens on a regular schedule, not just once.
  • Phishing simulation results: Click rates, report rates, and trend data over time.
  • Remediation process: What happens when an employee fails a simulation? Is there additional training?
  • Content relevance: Is the training material current? Does it address threats like ransomware, credential theft, and business email compromise?
  • Coverage: Were all employees included — including executives, contractors, and part-time staff?

If you can produce evidence for all seven items, you'll pass. If you're missing any, expect a finding — and a corrective action requirement.
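The "documented completion" and "Step 5: Document Everything" points above, together with this checklist, come down to a few questions a script can answer from your training records: who is overdue, whose training misses a required topic, how the simulation click rate is trending, and who clicked without a recorded follow-up. The script below is an added example (not from the original post or any product it mentions); the workforce, training, simulation and remediation records are constructed sample data, and the record layout, the 365-day window and the five required topics are assumptions you would adapt to your own frameworks.

```python
"""Audit-evidence checks for a security awareness training program.

Added example, not from the original post. It checks constructed records
against the evidence items auditors ask for: coverage of every worker
(including contractors and part-time staff), annual frequency, current
topic coverage, the phishing click-rate trend, and remediation for
everyone who clicked a simulation.
"""
from datetime import date, timedelta

# Topics the post lists under "current threat coverage" (assumed required set).
REQUIRED_TOPICS = {
    "phishing",
    "social engineering",
    "ransomware",
    "credential theft",
    "business email compromise",
}

# --- Constructed sample records (hypothetical, not from any real organization) ---
WORKFORCE = [
    {"id": "e1", "name": "A. Patel", "type": "employee"},
    {"id": "e2", "name": "B. Lee", "type": "employee"},
    {"id": "c1", "name": "C. Ortiz", "type": "contractor"},
    {"id": "p1", "name": "D. Kim", "type": "part-time"},
]
TRAINING_RECORDS = [
    {"id": "e1", "completed": date(2025, 6, 1), "topics": set(REQUIRED_TOPICS)},
    {"id": "e2", "completed": date(2025, 3, 15),
     "topics": REQUIRED_TOPICS - {"business email compromise"}},
    {"id": "c1", "completed": date(2024, 5, 10), "topics": set(REQUIRED_TOPICS)},
    # p1 has no completion record at all.
]
SIMULATIONS = [
    {"month": "2025-01", "sent": 4, "clickers": ["e1", "c1"], "reported": 1},
    {"month": "2025-04", "sent": 4, "clickers": ["c1"], "reported": 2},
    {"month": "2025-07", "sent": 4, "clickers": [], "reported": 3},
]
REMEDIATION = [  # follow-up training logged after a simulation click
    {"id": "e1", "month": "2025-01", "completed": date(2025, 1, 20)},
    {"id": "c1", "month": "2025-01", "completed": date(2025, 1, 22)},
    # c1 clicked again in 2025-04 and has no follow-up record.
]


def latest_training(records):
    """Map worker id -> that worker's most recent training record."""
    latest = {}
    for rec in records:
        if rec["id"] not in latest or rec["completed"] > latest[rec["id"]]["completed"]:
            latest[rec["id"]] = rec
    return latest


def overdue_workers(workforce, records, as_of, max_age_days=365):
    """Ids of everyone, whatever their worker type, with no training inside the window."""
    latest = latest_training(records)
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(
        w["id"] for w in workforce
        if w["id"] not in latest or latest[w["id"]]["completed"] < cutoff
    )


def topic_gaps(records, required=REQUIRED_TOPICS):
    """Map worker id -> required topics missing from their latest training."""
    gaps = {}
    for wid, rec in latest_training(records).items():
        missing = required - rec["topics"]
        if missing:
            gaps[wid] = sorted(missing)
    return gaps


def click_rate_trend(simulations):
    """[(month, click %, report %)] in chronological order: the trend data auditors ask for."""
    trend = []
    for sim in sorted(simulations, key=lambda s: s["month"]):
        click_pct = round(100 * len(sim["clickers"]) / sim["sent"], 1)
        report_pct = round(100 * sim["reported"] / sim["sent"], 1)
        trend.append((sim["month"], click_pct, report_pct))
    return trend


def unremediated_clickers(simulations, remediation):
    """(id, month) pairs where someone clicked but no follow-up training is recorded."""
    done = {(r["id"], r["month"]) for r in remediation}
    return sorted(
        (wid, sim["month"]) for sim in simulations for wid in sim["clickers"]
        if (wid, sim["month"]) not in done
    )


def audit_findings(workforce, records, simulations, remediation, as_of):
    """Collect every gap an auditor would turn into a finding, plus the trend evidence."""
    return {
        "overdue": overdue_workers(workforce, records, as_of),
        "topic_gaps": topic_gaps(records),
        "unremediated": unremediated_clickers(simulations, remediation),
        "trend": click_rate_trend(simulations),
    }


if __name__ == "__main__":
    findings = audit_findings(WORKFORCE, TRAINING_RECORDS, SIMULATIONS,
                              REMEDIATION, date(2025, 9, 30))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On the sample data the report flags the contractor and the part-time worker as overdue, one employee whose last module skipped business email compromise, and one click with no logged follow-up, while the trend shows click rate falling and report rate rising across three simulations. Each of those outputs maps to one checklist item, which is the point: if a query over your own records cannot produce them, the auditor's request for "Q3 training records" will not be answerable in minutes.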

Does Cybersecurity Training Compliance Reduce Breach Risk?

This is the featured-snippet question everyone searches. Here's the direct answer:

Yes. Organizations with mature security awareness programs experience significantly fewer successful phishing attacks. The 2024 Verizon DBIR showed that organizations running regular phishing simulations reduced click rates to under 5%, compared to industry averages above 20%. NIST identifies awareness training as a critical control in reducing human-factor breaches. And the FBI IC3's 2023 Internet Crime Report documented $2.9 billion in business email compromise losses alone — attacks that training directly mitigates.

Compliance is the floor. Actual risk reduction is the ceiling. A well-designed program delivers both.

Zero Trust Starts With Trained Humans

The security industry talks a lot about zero trust architecture — the principle that no user or device should be automatically trusted. But zero trust isn't just a network concept. It's a human concept.

A trained employee who questions an unusual email, verifies a wire transfer request by phone, and reports a suspicious link is practicing zero trust at the human layer. No firewall or endpoint tool can replicate that judgment. Multi-factor authentication limits what an attacker can do with a password that has already been stolen. Training keeps the password from being handed over in the first place.

Your cybersecurity training compliance program isn't a regulatory burden. It's the most cost-effective security control you can deploy. The regulators know it. The threat actors know it. Now your organization needs to act on it.

Start Building Your Program Today

If your organization needs to establish or upgrade its training program, start with a structured cybersecurity awareness training course that covers the foundational topics every framework requires. Then add targeted phishing awareness training with simulation capabilities that give you the documentation and metrics auditors demand.

Regulators aren't waiting. Neither are threat actors. The only question is whether your training program is ready when either one shows up.