
Security Awareness Training: Going Beyond the Annual Click-Through

The Problem

Most institutions have a security awareness training program in some form. A vendor platform pushes out an annual course, employees click through the modules, pass a short quiz, and a completion report gets filed. The box is checked, and the program is considered done for another year.

Examiners know this is the norm — and they are increasingly skeptical of it. Human error remains the leading cause of security incidents at regulated institutions. Phishing, pretexting, and social engineering succeed not because employees are careless, but because awareness programs often don’t give them the tools to recognize and respond to real threats. A click-through completion report proves employees finished a course. It doesn’t prove they know what to do when a suspicious email lands in their inbox.

What Regulators Require

The GLBA Safeguards Rule requires covered institutions to train and test staff to implement the information security program. The FFIEC Information Security Booklet expands on this, calling for training that is role-specific, updated to reflect current threats, and tied to the institution’s actual risk profile. NCUA guidance for credit unions carries parallel expectations.

None of these frameworks specifies a particular delivery method or frequency beyond “at least annually.” That flexibility is a double-edged sword: it gives institutions latitude to design programs that fit their operations, but it also means examiners use professional judgment when evaluating quality. A compliance-minimum program will satisfy the letter of the requirement; it may not satisfy the examiner reviewing it.

What a Strong Program Looks Like

Role-Based Content

A teller, a loan officer, and an IT administrator face different threats and have different responsibilities. Generic training treats everyone the same. An effective program delivers content relevant to each employee’s actual job functions — wire transfer fraud for operations staff, social engineering for front-line employees, privileged access risks for IT personnel. Examiners will ask whether training is tailored to roles, and “everyone gets the same course” is an increasingly weak answer.

Phishing Simulations

Simulated phishing campaigns are now a mainstream element of security awareness programs and are increasingly expected by examiners. Running periodic simulations — varying the pretext, urgency cues, and sender spoofing techniques — gives you real data on employee susceptibility and identifies individuals or departments that need additional attention. Document the simulation results, the follow-up training provided to employees who clicked, and any trend data over time. This documentation is what examiners want to see.

Current Threat Content

Security threats evolve faster than annual training cycles. A program that still devotes significant time to password hygiene basics while glossing over business email compromise or deepfake voice fraud is fighting last year’s battle. Incorporate threat intelligence relevant to your institution’s size and sector. FS-ISAC alerts, FBI IC3 advisories, and CISA bulletins are all free sources that can inform timely training supplements between annual cycles.

New Hire and Role-Change Training

Security awareness shouldn’t wait for the annual cycle when a new employee starts or an existing employee moves into a role with elevated access or new responsibilities. Onboarding training should cover the basics before a new hire has access to customer data. Role-change training should address the specific risks of the new position. Examiners will ask whether training is ongoing or strictly annual — new hire and role-change training is an easy way to demonstrate that it is.

Tracking, Completion Records, and Follow-Up

Completion tracking is table stakes. What distinguishes a mature program is what happens after training. Are employees who fail phishing simulations required to complete remedial training? Are departments with high click rates flagged for targeted follow-up? Is training completion tied to performance reviews or system access provisioning? These program elements signal to examiners that training is taken seriously at an organizational level, not just as a compliance exercise.

Practical Checklist

Use this checklist to evaluate your current security awareness program:

  • Annual training completed by all employees with documented completion records
  • Training content updated within the last 12 months to reflect current threats
  • Role-specific modules delivered to staff with elevated access or specialized risk exposure
  • New hire security training completed before or immediately upon system access being granted
  • Phishing simulations conducted at least twice per year with results documented
  • Remedial training provided to employees who fail phishing simulations, with follow-up documented
  • Board and senior management included in training (and documented separately if applicable)
  • Training program reviewed and approved as part of the annual information security program review

Want help designing a training program that holds up at exam time? Get in touch.