19 Compliance Frameworks Requiring Security Awareness Training

Ensuring you meet compliance requirements is important.

Many regulatory frameworks explicitly require organizations to implement security awareness training (SAT) as part of their compliance obligations (we'll be diving deep into the specifics of this below).

Failure to comply with these training requirements can result in pretty hefty financial penalties, fines, and legal repercussions.

Under GDP, even less severe infringements could result in fines of up to €10 million (or 2% of the firm's worldwide annual revenue, depending on which number is larger).

This guide provides an overview of major standards and regulations that require awareness training.

The purpose of this guide is to identify some of the most common standards, regulations, and frameworks that require security awareness programs.

Note: We do not consider this list fully comprehensive, as new standards are constantly being developed with many specific to certain countries or industries. 

‍

Why is security awareness training required by compliance frameworks?

Security awareness training is an essential aspect of many compliance frameworks.

Why? Because its playing a crucial role in helping your organization protect sensitive data, meet regulatory requirements, and mitigate risks.

And how does it do this?

By directly addressing one of the most significant vulnerabilities in any organization: human error.

The human factor in cybersecurity

Human error remains one of the leading causes of security breaches.

A 2024 study by Stanford University and Tessian found that human error is responsible for 88% of data breaches.

But according to an IBM Security study, that number could be even be closer to 95%.

Regardless of how advanced your technical filters are, employees can still make mistakes - whether that be inadvertently clicking on phishing links, mishandling sensitive data, or failing to follow security protocols.

Incident response and preparedness

Security awareness training (when done right) prepares employees to respond effectively in the event of a security incident.

They'll learn how to report suspicious activities, follow incident response protocols, and minimize the impact of a breach.

If your employees are trained effectively, they'll be able to recognize and respond to threats more quickly.

After a year of using Hoxhunt's security awareness training, for example, 60% of users actively report both real and simulated threats.

And the fastest 10% of them report a threat in just 55 seconds. (Hoxhunt internal data, 2023)

The faster you can spot and contain security incidents, the less damage they'll cause.

Protecting sensitive data

Many compliance frameworks focus on the protection of sensitive data (things like personal information, financial data, or healthcare records).

Security awareness training teaches employees how to handle and protect this data appropriately, to reduce the likelihood of it being exposed to unauthorized access or breaches.

Keeping up with the latest threats

The cybersecurity landscape is constantly evolving, with new threats emerging regularly.

Security awareness training keeps employees informed about the latest tactics used by attackers.

Regular, ongoing education is how you stay ahead of potential risks.

This is why compliance frameworks often require continuous training and updates to ensure that employees' knowledge remains current.

‍

Which compliance frameworks require security awareness training?

1. ISO 27001 

What is the ISO 27001 regulation? 

ISO 27001 is an international standard that outlines best practices for an Information Security Management System (ISMS).

Developed and published by the International Organization for Standardization (ISO), it is a controls-based framework for organizations to manage and protect their information assets.

It is part of a larger series of documents known as 27000.

In many cases 27001 is optional, but you must pay for a copy of the document. 

Why does it require SAT?

ISO 27001 requires security awareness training as part of its broader focus on ensuring that all personnel understand and adhere to the organization’s information security policies and procedures.

The standard explicitly states that employees should receive regular training on security policies, their roles in maintaining security, and the importance of compliance with these policies to protect the organization’s data and assets.

This training helps ensure that the security standards and culture is embedded across the organization.

Where is this mentioned?

ISO 27001 Annex A 6.3: "Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function." 

‍

2. CIS Controls 

What is CIS regulation? 

The Center for Internet Security (CIS) Controls is a set of best practices for cybersecurity.

Originally known as the SANS Critical Security Controls, these guidelines are designed to help organizations defend against common cybersecurity threats.

The CIS Controls consist of 18 top-level controls, covering areas such as asset management, access control, and incident response.

The controls are prioritized to guide organizations in implementing the most effective security measures first - helping them improve their cybersecurity posture systemically.

Why does it require SAT?

The controls emphasize that employees must be aware of security risks and trained to recognize, report, and respond to potential threats.

Human errors are hard to avoid, but awareness training will help prevent mistakes that could lead to security breaches.

If you can successfully build a security-aware culture, you'll significantly reduce your organization's vulnerability to cybersecurity risks.

Where is this mentioned?

CIS 14.1: "Establish and maintain a security awareness program to influence behavior through awareness and skills training."

‍

3. NIST Cybersecurity Framework 

What is the NIST framework? 

The NIST Cybersecurity Framework is a set of guidelines developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce cybersecurity risks.

It provides a common language and systematic approach for organizations to identify, protect, detect, respond to, and recover from cyber threats.

The framework is composed of five core functions - Identify, Protect, Detect, Respond, and Recover.

These are designed to improve cybersecurity practices across diverse industries and organizations, regardless of size or sector.

Why does it require SAT?

The NIST Cybersecurity Framework includes security awareness training as a key element within its "Protect" function.

This requirement essentially states that organizations should educate all personnel ( that means employees and third parties) about their cybersecurity responsibilities.

The goal is to cultivate a culture of security awareness, so that that individuals are aware of potential threats and how to actually mitigate cybersecurity incidents.

Where is this mentioned?

NIST PR.AT-01 & PR.AT-02: Organizations must ensure that: "All users are informed and trained. Users are made aware of the roles they play in protecting the organization’s information and the potential risk."

‍

4. NIS 2 

What is the NIS 2 framework?

The NIS 2 Directive (Network and Information Systems Directive 2) is a framework established by the European Union to enhance cybersecurity across member states.

It updates the original NIS Directive, expanding its scope to cover more sectors, including energy, transport, health, and digital infrastructure.

The directive aims to improve the cybersecurity resilience of critical entities by setting stricter security requirements, enhancing incident reporting protocols, and promoting cooperation between member states.

NIS 2 also introduces more stringent enforcement measures and higher penalties for non-compliance.

Why does it require SAT?

The NIS 2 Directive requires security awareness training to ensure that employees are well-informed about cybersecurity risks and their roles in mitigating these risks.

The directive mandates that organizations implement comprehensive security measures, which include regular training and awareness programs for staff to minimize the risk of human errors that can lead to security incidents.

Where is this mentioned?

NIS 2 Article 20: "Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity."

*Note: Article 20 is achieved through minimum application of the measures outlined in 21 (2)

‍

5. PCI-DSS 

What is the PCI-DSS framework?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

The framework, developed by the PCI Security Standards Council, aims to protect cardholder data from breaches and fraud.

It includes requirements for security management, policies, procedures, network architecture, and software design, covering areas like encryption, access control, and regular monitoring and testing of networks.

Compliance with PCI DSS is mandatory for organizations handling credit card information.

Why does it require SAT?

The PCI DSS framework requires security awareness training to ensure that all employees understand the importance of protecting cardholder data and their specific role in maintaining security.

This training helps prevent human errors that could lead to security breaches (like mishandling sensitive data or falling for phishing attacks).

Regular training ensures that employees stay informed about security policies and practices, which is crucial for maintaining compliance with the PCI DSS requirements.

Where is this mentioned?

PCI-DSS requirement 12.6: states that organizations must: "Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security."

‍

6. GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that governs how personal data of individuals within the EU is collected, processed, and stored.

Implemented in May 2018, GDPR aims to give individuals greater control over their personal data, ensuring transparency, security, and accountability in data handling.

The regulation imposes strict requirements on organizations, including obtaining explicit consent for data processing, allowing data access and deletion requests, and reporting data breaches within 72 hours.

Why does it require SAT?

The GDPR necessitates security awareness training to ensure that employees involved in processing personal data are well-informed about data protection principles.

This training is vital to ensure staff stay compliant with GDPR's strict data security requirements.

Where is this mentioned?

GDPR Article 39: states that one of the tasks of a Data Protection Officer (DPO) is to "raise awareness and train staff involved in processing operations."

‍

7. NIST SP800-53 

What is NIST SP800-53?

NIST Special Publication 800-53 (NIST SP 800-53) is a comprehensive set of guidelines developed by the National Institute of Standards and Technology (NIST) for federal information systems and organizations.

It provides a catalog of security and privacy controls designed to protect the confidentiality, integrity, and availability of information systems against various threats.

These controls are intended to help organizations meet the requirements of federal laws and regulations, such as the Federal Information Security Management Act (FISMA).

Why does it require SAT?

NIST SP 800-53 requires security awareness training as part of its "Awareness and Training" (AT) control family.

This control family states the need to ensure that all personnel are aware of the security risks associated with their activities and are equipped with the knowledge and skills to mitigate those risks.

Where is this mentioned?

NIST SP800-53 AT-2: "The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by information system changes, and periodically thereafter."

‍

8. Gramm-Leach-Bliley Act 

What is The Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA) (also known as the Financial Services Modernization Act of 1999), is a U.S. federal law that requires financial institutions to protect the privacy of consumer financial information.

The act mandates that these institutions explain their information-sharing practices to customers and safeguard sensitive data.

It includes three primary components:

• The Financial Privacy Rule: which regulates the collection and disclosure of private financial information
• The Safeguards Rule: which requires institutions to implement security measures
• The Pretexting provisions: which protect against fraudulent access to private information.

Why does it require SAT?

GLBA requires financial institutions to implement security awareness training as part of its Safeguards Rule.

This rule mandates that institutions develop a written information security plan to protect customer data.

As part of this plan, organizations must ensure that employees are trained on security practices, making them aware of the risks and their responsibilities in safeguarding sensitive financial information.

Where is this mentioned?

GLBA does not explicitly mandate security awareness training in the Act itself.

However, the Act requires financial institutions to implement a comprehensive information security program, which typically involves elements like security training as part of broader compliance efforts.

‍

9. FTC Safeguards 

What is the FTC Safeguards Rule?

The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA) and requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect consumer information.

This program must include administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer data. T

he rule also mandates regular assessments of risks, employee training, and the management of third-party service providers to ensure they maintain appropriate security measures.

Why does it require SAT?

Section 314.4 of the Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

This rule includes 9 elements, including but not limited to: "providing personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment." 

Where is this mentioned?

FTC Safeguards 314.4 (e) (1): "Implement policies and procedures to ensure that personnel are able to enact your information security program by providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment."

‍

10. NERC CIP

What is NERC CIP?

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a set of standards designed to secure the assets that are critical to the operation of North America's bulk electric system.

These standards address various aspects such as safeguarding physical and cyber assets, ensuring personnel are trained, and preparing for incident response and recovery.

The overarching goal is to secure the electric grid from potential cyber threats and ensure its reliability.

Why does it require SAT?

NERC CIP requires security awareness training to ensure that all personnel involved in the protection and operation of critical electric infrastructure are well-informed about security risks and protocols.

This training ensures that employees understand how to safeguard both physical and cyber assets, prevent unauthorized access, and respond effectively to potential security threats.

Where is this mentioned?

NERC CIP CIP-004-5.1 Table R1: Requires "security awareness that, at least once each calendar quarter, reinforces cybersecurity practices."

‍

11. HIPAA

What is HIPAA

Health Insurance Portability and Accountability Act (HIPPA) is a U.S. law enacted in 1996 to protect sensitive patient health information.

It establishes national standards for the security and privacy of health data, requiring healthcare providers, insurance companies and their business associates to safeguard medical information.

HIPAA also grants patients rights over their health information, including the right to access and request corrections to their records.

Non-compliance with HIPAA can result in significant fines and penalties.

Why does it require SAT?

HIPAA calls for security awareness training to help protect patient health information.

Under the HIPAA Security Rule, covered entities and their business associates must implement a security awareness and training program for all members of their workforce.

This training is to make sure that employees understand how to safeguard electronic protected health information (ePHI) from unauthorized access, breaches, and other security threats.

Where is this mentioned?

HIPPA § 164.308 (5) (i): Under the Act, an organization must: "Implement a security awareness and training program for all members of its workforce (including management)."

‍

12. COBIT

What is COBIT?

Control Objectives for Information and Related Technologies (COBIT) is a framework for IT management and governance developed by ISACA (Information Systems Audit and Control Association).

It provides organizations with a set of best practices, tools, and guidance to help align IT operations with business goals, ensure effective risk management, and meet regulatory compliance requirements.

COBIT focuses on managing and optimizing IT processes, improving information security, and ensuring that IT investments deliver value to the organization.

Why does it require SAT?

COBIT emphasizes the need for security awareness training as part of its broader IT governance framework.

This'll help employees understand and adhere to information security policies and procedures, helping to mitigate risks associated with human error.

Where is this mentioned?

COBIT PO7: "Ensure that personnel possess the skills and competencies necessary to perform their roles"

And organizations must be: "establishing and maintaining a framework for competency development."

‍

13.Australian Government InfoSec Manual 

What is ISM?

Australian Government InfoSec Manual (ISM) is a framework designed to assist government agencies in protecting their information and systems from cyber threats.

It provides guidelines and controls for securing data, ensuring system integrity, and maintaining confidentiality.

The ISM covers a wide range of topics, including access control, risk management, and incident response, and is regularly updated to address emerging threats and technologies.

Why does it require SAT?

ISM mandates security awareness training to ensure that all employees are knowledgeable about their responsibilities in protecting sensitive information and systems.

Training is essential for reducing human error and for ensuring that staff are aligned with the ISM’s security requirements.

Where is this mentioned?

ISM-02522; Revision: 7: "Agencies must ensure that all users are provided with appropriate information security training and education to enable them to fulfill their information security responsibilities."

‍

14. PAS 555 Cyber Security Risk: Government and Management 

What is PAS 555?

PAS 555 is a specification for cyber security risk management that provides a framework for managing and governing cybersecurity risks within an organization.

It emphasizes a holistic, outcomes-focused approach to cybersecurity, integrating risk management with business processes.

PAS 555 is designed to help organizations understand their cyber risk exposure, establish effective governance, and implement robust security controls.

It covers areas such as leadership responsibilities, risk assessment, incident management, and continuous improvement.

Why does it require SAT?

Security awareness training as a critical component of effective cybersecurity risk management.

It requires organizations to ensure that all employees are aware of cyber risks and understand their role in mitigating these risks.

By integrating security awareness into daily operations, PAS 555 helps organizations strengthen their overall cybersecurity posture.

Where is this mentioned?

PAS 555 doesn’t actually specify actions. Instead, it defines what effective cyber security looks like.

It advocates for organizations to ensure that all personnel are informed about cybersecurity risks and understand their roles in managing these risks.

‍

15. Digital Operational Resilience Act (DORA) 

What is DORA?

The Digital Operational Resilience Act (DORA) is a regulation proposed by the European Union to strengthen the digital operational resilience of the financial sector.

It aims to ensure that financial entities, such as banks, insurers, and investment firms, can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

DORA establishes requirements for risk management, incident reporting, and third-party ICT risk management, ensuring that the financial system remains robust in the face of increasing cyber threats and digital dependencies.

Why does it require SAT?

Security awareness training is needed to stay complaint with DORA to ensure that employees in the financial sector can effectively recognize, respond to, and manage ICT-related risks and threats.

Where is this mentioned?

DORA Article 13 (6): "Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions."

‍

16. EBA Guidelines on ICT and security risk management 

What the EBA Guidelines?

The EBA Guidelines on ICT and security risk management - issued by the European Banking Authority (EBA) - provide guidance for financial institutions on how to manage and mitigate risks associated with ICT and security.

These guidelines set out requirements for risk management frameworks, incident reporting, business continuity, and governance to ensure that institutions can withstand, respond to, and recover from ICT disruptions and cyber threats effectively.

Why does it require SAT?

The EBA Guidelines on ICT and security risk management mention security awareness training as part of it's wider goal of ensuring that financial institutions effectively manage ICT and security risks.

Where is this mentioned?

EBA 3.4.7 (49): "Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human error, theft, fraud, misuse or loss and how to address information security related risks."

‍

17. SWIFT Customer Security Program Requirements 

What are the CSP Requirements?

The SWIFT Customer Security Program (CSP) Requirements are a set of mandatory security controls for helping financial institutions protect their SWIFT-related infrastructure against cyber threats.

The program focuses on securing the environment, knowing and managing access, and detecting and responding to security incidents.

Compliance with these requirements is essential for maintaining the integrity of the global financial messaging network and ensuring that institutions are resilient against cyberattacks.

Why does it require SAT?

Security awareness training is required as part of the controls to ensure that all personnel involved in managing SWIFT-related infrastructure are aware of potential threats and their role in safeguarding the system.

Implementing training will prevent human errors, which could compromise the security of financial transactions.

It'll also make sure employees are equipped to recognize/report suspicious activities and strengthen overall security of the SWIFT network.

Where is this mentioned?

SWIFT 7.2: The guidelines require that: "Annual security awareness sessions are conducted for all staff members with access to Swift-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion)."

‍

18. EIOPA Guidelines 

What are the EIOPA Guidelines?

The EIOPA Guidelines are a set of recommendations issued by the European Insurance and Occupational Pensions Authority (EIOPA) to ensure sound governance and risk management specifically within the insurance and pensions sectors across the EU.

These guidelines cover areas such as system governance, outsourcing, product oversight, and cybersecurity, helping institutions comply with EU regulations and maintain financial stability.

They aim to enhance transparency, protect consumers, and ensure that firms manage their risks effectively.

Why does it require SAT?

Security awareness training is vital for protecting sensitive data, maintaining compliance with regulatory requirements, and safeguarding the overall integrity of the insurance and pensions sectors.

Where is this mentioned?

EIOPA 13 (41): "Undertakings should establish and implement periodic security awareness programmes to educate their staff, including the AMSB, on how to address information security related risks."

‍

19. SCORM

The Sharable Content Object Reference Model (SCORM) is a set of technical standards for e-learning software products.

It governs how online learning content and Learning Management Systems (LMS) communicate and ensure compatibility.

SCORM allows for the creation of reusable learning content that can be easily shared across different systems.

It tracks learner progress and performance and supports the sequencing of learning activities, making it a widely used standard in online education and training programs.

Why does it require SAT?

SCORM is a technical standard for e-learning and not a regulatory or compliance framework.

This means that it doesn't inherently require security awareness training.

However, if SCORM-compliant e-learning courses are used to deliver security awareness training within an organization, then the content and structure of the training would have to adhere to SCORM standards and be compatible across various Learning Management Systems.

This makes it easier to track employee progress in mandatory security awareness training programs.

‍

How to maintain security awareness training compliance?

Understand the requirements

Thoroughly review what is actually included in each framework

Conduct a detailed analysis of each compliance framework and its regulatory requirements to identify the specific training requirements related to security awareness.

Ensure you understand the nuances of each framework:

• How frequent does it need to be?
• What should content include?
• What kind of documentation do you need?

Consult experts if needed

If in doubt, you can always reach out to legal or compliance experts to clarify any ambiguities and ensure that your interpretation of the requirements is accurate.

Develop a comprehensive training program

Tailor content to your specific needs

Make sure that your training address the specific security risks and regulatory requirements outlined in each framework.

Your training will most likely need to cover core topics like data protection, phishing prevention, incident response, and privacy regulations.

Use interactive modules

Incorporate interactive elements such as quizzes, simulations, and case studies to engage employees and reinforce learning outcomes.

This helps ensure that the training is engaging and isn't just a box-ticking exercise.

Use SCORM-compliant content

Standardize your training content

Implement SCORM-compliant e-learning content to facilitate compatibility with various Learning Management Systems (LMS).

This standardization allows for consistent delivery, tracking, and reporting of training across different platforms.

Use customizable modules

Opt for SCORM content that can be easily updated or customized to reflect changes in compliance requirements or organizational policies, ensuring the training remains relevant and effective.

Regularly update your training

Stay on top of regulatory changes

Make sure you stay informed about updates to relevant compliance frameworks by subscribing to industry news, participating in webinars, and consulting with regulatory bodies.

Your training content will need to be aligned with any updates to key requirements.

Keep content up-to-date with the latest threats

Regularly review and refresh training content to address new threats.

The threat landscape is always evolving, so your training should be continuously updated to cover any new and emerging threats.

Make sure you have the necessary documentation and tracking in place

Don't forget about record-keeping

Keep detailed records of who has completed training, when it was completed, and what content was covered.

This documentation is crucial for demonstrating compliance during audits.

Set automated reminders

Set up automated reminders and notifications to ensure that employees complete their training on time.

‍

Stay compliant with Hoxhunt

Want to easily manage and customize your security awareness training based on your unique company policies?

Hoxhunt was purpose-built to cover your security awareness and compliance needs with modern and engaging training.

Boost security knowledge: Make training relevant by educating employees based on their role/location... and automatically trigger mandatory trainings for new joiners.

Up-to-date training library: Cover all your compliance and awareness needs with an always up-to-date training library. When unique needs arise, use our powerful generative AI to create content tailored to you.

Achieve compliance easily: Our training library contains ready-made and easily customizable training content packages to meet important regulatory requirements.

‍

Go beyond compliance and measurably change behavior

Effective security awareness programs do more than just meet compliance.

If you want to build a foundation of security-first practices, you'll need to engage, educate and reward employees to foster a culture genuinely committed to rigorous security standards.

This is why we designed Hoxhunt to tailor training to the unique needs of each employee segment.

Hoxhunt automatically customizes your content to align with employee roles, departments, and locations to maintain compliance and ensure your message resonates.

Embed your training into your employees’ workflow

Automatically train your employees during their workday with micro-training moments delivered in the workflow.

Multi-channel engagement

Enhance your security awareness with intuitive training that integrates directly into employees’ daily tools.

Activate Hoxhunt with a single click on platforms like Microsoft Office, Google Workspace, Slack, and Microsoft Teams.

Increase your training engagement

Create a self-reinforcing training experience by using reward-based incentives that motivate your employee participation.

Powerful dashboards to track your progress

Gain real-time visibility into your program performance with modern dashboards comprising next-level metrics.

Set your priorities with data-driven decisions and report to leadership with ease and confidence.

‍

Compliance frameworks for security awareness training FAQ

What are security compliance frameworks?

Security compliance frameworks are structured approaches that organizations use to ensure they meet industry standards and legal requirements like GDPR and NIST CSF.

These frameworks help in establishing internal controls, ethical business practices, and maintaining customer trust.

Why is security awareness training important for compliance?

Security awareness training is crucial for maintaining compliance with various regulatory standards.

It helps employees understand compliance policies, recognize potential compliance risks, and adhere to legal requirements, reducing the likelihood of legal penalties and loss of customer trust.

How does security awareness training align with industry standards like PCI DSS and HIPAA?

Training modules tailored to industry standards such as PCI DSS and HIPAA ensure that employees understand the specifics of handling sensitive data, such as cardholder and healthcare information.

This alignment is essential for compliance programs in healthcare organizations, financial institutions, and service organizations, particularly those dealing with cloud service providers and transaction monitoring.

What are the consequences of non-compliance?

Non-compliant organizations face heavy penalties, including civil and criminal penalties, loss of certification, and significant damage to customer trust.

In the context of cybersecurity programs, this can also mean substantial compliance costs due to ongoing improvement efforts and the need to implement proactive risk management measures.

‍

Sources