Virtual Learning and Security Compliance
June 26, 2023
Virtual learning, a key component of most cybersecurity awareness training programs, uses web-based platforms to allow employees to complete their training anytime, anywhere in the world.
Many regulatory bodies already mandate cybersecurity awareness training and require organizations to demonstrate that their staff have completed it in order to comply. This article examines the most significant of these regulations and what each asks organizations to do.
NIST Cybersecurity Framework/FISMA
The National Institute of Standards and Technology (NIST), part of the United States Department of Commerce, is one of the most widely known and respected non-regulatory standards bodies in the world. It produces the guidelines and standards (the SP 800 series, including SP 800-53) that federal agencies use to achieve compliance with the Federal Information Security Management Act (FISMA), as updated by the Federal Information Security Modernization Act of 2014.
FISMA is U.S. legislation that defines a framework of guidelines and security standards to protect government information and operations. It applies to "federal agencies, contractors, or other sources that provide information security for the information and information systems that support the operations and assets of the agency."
The NIST Cybersecurity Framework identifies cybersecurity awareness training as a crucial element of any cybersecurity program. Its Awareness and Training category (PR.AT) recommends that organizations ensure "personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements."
Although the NIST Cybersecurity Framework is voluntary, FISMA is mandatory. It requires agencies to provide "security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of (A) information security risks associated with their activities; and (B) their responsibilities in complying with agency policies and procedures designed to reduce these risks."
Gramm-Leach-Bliley Act (GLBA)
The GLBA, also known as the Financial Services Modernization Act of 1999, is U.S. legislation that applies to U.S. financial institutions, governs the handling of customers' non-public personal information, and holds executives accountable for non-compliance.
The original GLBA rules did not mandate cybersecurity awareness training, but the Federal Trade Commission's amended Safeguards Rule (16 CFR Part 314), whose extended compliance deadline was June 9, 2023, requires affected organizations to provide "personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment."
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is U.S. legislation that regulates how covered entities and their business associates, meaning any organization that creates, receives, maintains, or transmits protected health information (PHI), implement and follow physical, administrative, and technical security measures.
HIPAA was signed into law by President Bill Clinton in 1996; its Security Rule (45 CFR 164.308(a)(5)) requires relevant organizations to "implement a security awareness and training program for all members of its workforce (including management)."
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an information security standard, enforced contractually by the card brands rather than by law, that governs how companies process, store, transmit, and maintain payment card data. Version 1.0 was released in 2004, the PCI Security Standards Council that now maintains it was formed in 2006, and it applies to any organization that handles cardholder data.
PCI DSS v4.0, in Requirement 12.6, requires relevant organizations to implement a formal security awareness program that makes all personnel aware of the entity's information security policy and procedures and of their role in protecting cardholder data.
National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law
The NAIC Insurance Data Security Model Law, which individual U.S. states adopt into their own insurance codes, requires insurers and other entities licensed by state insurance departments ("Licensees") to develop, implement, and maintain an information security program that contains essential cybersecurity safeguards and management oversight.
It requires relevant organizations to "provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the Licensee in the Risk Assessment."
General Data Protection Regulation (GDPR)
GDPR is one of the world's most stringent privacy and security laws and affects any organization that processes the personal data of people in the E.U., wherever that organization is based. GDPR fines are some of the largest in the world: non-complying organizations face penalties of up to ten million euros or 2% of annual global turnover for lesser infringements, and up to twenty million euros or 4% of annual global turnover for the most serious ones, whichever is higher. It requires staff with permanent or regular access to personal data to receive data protection training.
E.U. Regulation 2019/1583
Commission Implementing Regulation (E.U.) 2019/1583 is an E.U. law that amends Implementing Regulation (E.U.) 2015/1998 to lay down detailed measures for implementing the common basic standards on aviation security as regards cybersecurity measures.
It requires affected organizations to ensure that "persons having access to data or systems shall receive appropriate and specific job-related training commensurate with their role and responsibilities, including being made aware of relevant risks where their job function requires this."
Cybersecurity awareness training is a fundamental component of some of the most stringent cybersecurity regulations in the world. However, any organization that wants to protect itself from cybercrime, prevent data loss, and avoid falling victim to social engineering scams should implement a cybersecurity awareness training program, even where the law does not require one.
Organizations seeking to purchase a cybersecurity awareness training solution should consult resources provided by the U.K.'s National Cyber Security Centre (NCSC).
Josh Breaker-Rolfe is a content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR.
To learn more about how DP Solutions can help you on your compliance journey, click here.