What Cyber Insurers Ask About Phishing Training (2026 Renewal)
Carriers tightened underwriting again. The 9 questions on every 2026 renewal application, how to answer them and the documentation that lowers premiums.
Phishing simulation, compliance, cyber insurance and security awareness training
Brokers report typical premium reductions of 5-15% for organizations with continuous phishing simulation programs. Here is how the discount math actually works.
Concrete moves that have moved real renewal numbers: cadence shifts, multi-channel coverage, board reporting and the documentation that proves the program runs.
What carriers and brokers want in a single PDF before they sign your renewal - and the dashboard exports that produce it in one click.
A line-by-line read of the security awareness subsection on the modern cyber insurance application, with the answers underwriters actually want to see.
How the AICPA Trust Services Criteria CC1.4 and CC2.2 map to a defensible phishing simulation program - and what auditors look for in evidence.
HHS OCR audits, the §164.308(a)(5) administrative safeguard, and how phishing simulation evidence holds up under enforcement review.
Requirement 12.6 is no longer a checkbox. The 4.0 changes around continuous testing and what the QSA wants in your annual ROC.
How a phishing program maps to PR.AT (Awareness and Training), PR.PS (People), and DE.CM (Continuous Monitoring) under the new CSF 2.0 categories.
Annex A.6.3, A.7.2, and the phishing-related controls auditors flag during stage-2 certification audits.
How EU regulators interpret Article 32 "appropriate technical and organisational measures" when a phishing-driven breach is reported under Article 33.
The 2024 NIS2 transposition added explicit awareness training obligations for in-scope entities. Here is what changed and what to put in place.
SOC 2, HIPAA, PCI DSS, NIST CSF, ISO 27001, GDPR, NIS2 - clauses, expected cadence, audit posture and documentation, all in one table.
CMMC 2.0 enforcement is the biggest DoD-supplier compliance shift in a generation. The four AT-family controls translated to a working phishing simulation program - and what evidence a C3PAO assessor wants.
What FFIEC actually expects for phishing simulation in banks and credit unions. Information Security Booklet citations, the CAT (Cybersecurity Assessment Tool) maturity ladder and what bank examiners want in workpaper evidence.
HITRUST, more than HIPAA, is what hospital procurement actually asks for. Control 02.e mapping, e1/i1/r2 assessment paths and what an accredited HITRUST Validated Assessor wants in MyCSF evidence at all 5 tiers.
The 2023 Section 500.14(a)(3) Second Amendment made phishing-attack training explicit for NYDFS-licensed entities (banks, insurers, MSBs operating in NY). Calendar-year evidence, examiner posture and the dual-supervision overlap with FFIEC.
HHS 405(d) HICP names phishing as Threat Vector #1. Voluntary framework, but documented adoption produces HIPAA enforcement-discount alignment under the 2021 HITECH Amendment. Volume 1 (small) vs Volume 2 (medium and large) program design, plus how to document for OCR.
EHR vendor lures, patient portal credential theft, BAA scope considerations and phishing programs that hold up under HHS 405(d) HICP review.
Wire-fraud BEC, GLBA Safeguards Rule, NYDFS Part 500 - the phishing program shape that satisfies bank examiners.
FERPA, CIPA, parent-impersonation lures, SIS vendor compromises and program funding via E-Rate and SLCGP grants.
IT/OT seam attacks, vendor invoice fraud, NERC CIP-004 requirements and CMMC-aligned training for the defense industrial base.
ABA Model Rule 1.6, Formal Opinion 483, closing-wire fraud and phishing programs aligned to outside counsel guidelines.
CJIS Section 5.2, IRS Pub 1075, election infrastructure protections and CISA SLTT resources for SLED phishing programs.
Critical infrastructure phishing program design for electric utilities, water systems, oil and gas. NERC CIP-004 personnel training, TSA pipeline directives, AWIA, CISA cross-sector. Plus the OT/control-room exclusion problem (the most common audit finding) and utility-specific lure categories.
Retail-specific phishing program design - gift-card BEC (the dominant retail attack pattern), PCI DSS 4.0 cardholder-data scope, Q4 holiday-season volume spike, POS-staff vs corporate-IT differentiated cohort scoping, and loyalty/customer-data lures.
Series A-C startup phishing program design - the SOC 2 procurement-driven buying motion, engineer-heavy workforce considerations, GitHub/npm/AWS-targeted lures, founder-impersonation BEC, and a 30-day rollout that ships SOC 2 evidence without burning engineering time.
MSP / MSSP / vCISO buyer-archetype guide - multi-tenant architecture requirements, reseller margin economics, white-label vs resold, SLA expectations from end-customers, compliance pass-through patterns and the vCISO subset.
An evaluation framework for buyers who have outgrown a pilot or need a leaner platform than KnowBe4 - without the procurement overhead.
A direct head-to-head: campaign creation, training assignment, multi-channel coverage, reporting depth and time-to-first-campaign for both platforms.
How to pick a SAT platform when you are unbundling from a Proofpoint email-security stack and the Wombat-era contract is up.
When Cofense is the right answer (large SOC, deep Reporter integration) and when a leaner platform fits better.
Continuous AI-personalized simulation vs scheduled campaigns: different shapes for different operating models. Which one matches yours.
For 20-500 employee organizations: self-serve trial, transparent pricing, no salesperson dance, fast time-to-first-campaign.
Simulated phishing in plain language - what it is, how it works and the measurable risk reduction documented in independent research.
The architecture of a modern phishing simulation platform - campaign engine, training delivery, reporting, integrations - and what to look for.
How security awareness training works, what regulators expect and how to choose between annual computer-based and continuous behavior-based programs.
Smishing has overtaken email phishing for some attack categories. How SMS-based attacks work, how they evade filtering and how to train against them.
Voice phishing is back with deepfake voice cloning and AI-driven script generation. How vishing works in 2026 and what defenders are doing.
Generic phishing casts a net; spear phishing crafts the lure for one person. The reconnaissance, the personalization and the defense.
Whaling targets the C-suite specifically - and the loss-per-incident is the highest in the entire phishing taxonomy.
BEC is the highest-loss cyber crime category by FBI IC3 measurement. How the wire-fraud variant, vendor-invoice variant and payroll-divert variant each work.
Walk through the actual setup: groups, users, template, campaign, schedule. No sales call required.
A real campaign against 25 of your employees, in your own tenant, in your name. No credit card. The free trial walk-through.
Why training assigned at the moment a user clicks a phish lands harder than the same content delivered at quarterly all-hands.
The 5 categories and 3 difficulty levels that match real-world attack distribution, with guidance on the ethical floor for template design.
What separates the difficulty tiers - typos, sender mismatch, social engineering depth, executive impersonation - and which mix to run.
CSV format, dedup rules, manager-mapping and how the auto-training-assignment works against an imported list.
Why English-only programs produce noise on global teams, what regulators expect under GDPR and NIS2 and what to evaluate when picking a multilingual phishing platform.
Tactical incident-response runbook for the first 60 minutes after a confirmed phishing click. Triage by what was clicked, containment ordering, communication patterns and what to bake into the program afterward.
A 5-tier maturity model adapted from FFIEC CAT - Baseline through Innovative. Per-tier criteria across 6 operational dimensions, target tier by org profile, common plateau patterns and how to advance one tier in 6-12 months.
First-year programs run 25-35% click rates. Mature programs trend below 5%. Where to set expectations and how to read the trend.
A four-input ROI model that survives CFO scrutiny: avoided breach loss, premium reduction, audit savings, program cost.
The four KPIs the board cares about (and the vanity metrics to drop from the slide deck).
A four-page board packet template: executive summary, cohort heatmap, top findings, forward roadmap. With talking points.
Multi-client dashboard architecture for fractional CISOs running phishing programs across 5+ tenants.
The 10 lure categories driving the highest click rates this year, described in policy terms with recognition cues for users.
LLMs eliminated the bad-grammar tell. What replaces it, what defenders are doing and why behavior-based training matters more than ever.
Voice cloning from earnings calls and social media is real and operational. Callback verification, code words and vishing simulation as countermeasures.
QR phishing bypasses email gateway scanning by hiding the URL inside an image. How to train, how to scan and how to simulate.
Black Friday through New Year is the peak phishing volume window. The seasonal lure categories and the simulation calendar that matches.
Five recognizable patterns - copy-paste-friendly for internal distribution - covering urgency, sender mismatch, generic salutation, link/attachment mismatch and unusual requests.
Consent phishing, OAuth grant abuse, AiTM proxies, fake Sign-In pages, Teams and SharePoint lures - what makes M365 the most-targeted platform and how training programs should reflect that.
OAuth consent abuse, AiTM proxies, fake Google sign-in pages, Drive share lures and Google Voice vishing - the Workspace counterpart to the M365 piece, with Google-specific defense recommendations.
Standard MFA is necessary but no longer sufficient. The five phishing patterns that bypass it - AiTM, consent grants, push fatigue, SIM swap, session-cookie theft - and the phishing-resistant controls that actually defeat each.
PhaaS turned sophisticated phishing into rented infrastructure. The major platforms (Tycoon, EvilProxy, Greatness), what is bundled (AiTM, anti-detection, template libraries) and the defense pattern against commoditized phishing.
Telephone-oriented attack delivery puts a phone number in an email instead of a malicious link. Every URL scanner misses it. Why the attack works, the pretext patterns (fake renewals, fraudulent invoices, fake refunds) and the program design that catches it.
Email gateways do not see Slack and Teams traffic. Five attack patterns - external chat, Slack Connect abuse, in-product file lures, malicious app installs, DM impersonation - and how phishing simulation programs should cover them.
Phishing is the #1 initial-access vector for ransomware. The 5-stage chain (delivery -> credential -> authentication -> lateral movement -> encryption) explained, plus the defense layers that break each stage and why training is the highest-leverage one.
Annual roundup. Seven phishing-attack trends that defined 2026 - AiTM commoditization, AI-generated lure quality, collaboration-tool phishing, ransomware dwell-time compression, MFA-bypass mainstreaming, voice cloning, quishing - with what each means for security programs.
Synthesis report: click-rate benchmarks by industry, AiTM commoditization, AI-generated lure trends, compliance-driven adoption, cyber-insurance underwriting shifts and program-design implications for 2026. Synthesized from Verizon DBIR, IBM CODB, Sophos, FBI IC3, CrowdStrike, Mandiant, CISA.
The three email-auth pillars (SPF, DKIM, DMARC) explained as a layered phishing defense, with deployment walkthrough, policy-level progression (none/quarantine/reject) and the common mistakes that produce a "deployed but not enforced" state.
Phishing-resistant MFA explained: what FIDO2 and passkeys defeat cryptographically, what they do NOT stop, hardware-key vs platform-passkey trade-offs, deployment progression and how a phishing simulation program should refocus after rollout.
OAuth consent phishing routes around the credential ceremony entirely - phishing-resistant MFA does not block it. What the attack is, what scopes attackers go after, M365 and Workspace consent-policy hardening, simulation pattern.
AI-generated phishing in 2026 is grammatically clean, hyper-personalized and tuned past spam filters. The broken-English tell is dead. Why content detection cannot be load-bearing and the structural defenses (FIDO2, OAuth policy, sandbox detonation, behavior analytics, AI-template simulation) that actually work.
Whaling is loss-asymmetry phishing - the attacker invests in personalization because the higher-authority target authorizes higher-dollar actions. The 5 named whaling patterns, 6 documented historical losses (Ubiquiti $46.7M, Pathé $21M, Crelan $75M, FACC $61M, Mattel attempted $3M, Save the Children $1M), and the 6-layer executive defense framework.
Practical BIMI rollout from DMARC-ready to live brand-logo display in Apple Mail, Gmail and Yahoo. Verified Mark Certificate procurement through DigiCert or Entrust ($1,200-$2,000/year), SVG Tiny PS conversion, default._bimi DNS record format, and how BIMI deployment functions as a forcing function for completing DMARC enforcement.
Report rate is the active-detection signal that click rate alone misses. Calculation, 30-50% benchmark at 12 months, 50%+ at 24, channel mechanics (one-click add-in vs phishing@ mailbox), why cyber-insurance underwriters now require paired click-rate AND report-rate trends, and the program-design choices that move the number.
The day-by-day plan that takes an organization from no phishing simulation program to a steady-state operating function in 90 days. Days 0-30 foundation (sponsor, policy, platform, baseline test), Days 30-60 first three campaigns at staircased difficulty, Days 60-90 threshold playbook and the four-page board packet that doubles as broker submission and SOC 2 evidence.
Three documented whitelisting methods (IP-based, email-header, SPF-record) across Microsoft 365 + Exchange 2013/2016 + Google Workspace. Office 365 ATP bypass for link-rewriting and attachment processing. Junk-folder bypass. Single admin session vs days of transport-rule trial-and-error.
Practical 2026 KnowBe4 migration playbook: 90-day timeline, 5 essential data exports, multi-vendor whitelisting transition, parallel-run consistency protocol, cyber-insurance broker conversation framework, day-90 continuity packet for board / broker / SOC 2 audit consumption.
Defense playbook for AI voice-clone CEO impersonation wire fraud. Pre-shared code-word protocol, two-person approval thresholds, six real-time detection signals, incident response when a wire was already authorized, and the SEC 4-business-day breach-notification math.
Browser isolation (RBI / DBI) as a phishing-defense layer in 2026. Architecture patterns, what it stops versus what it does not, 2026 vendor landscape (Cloudflare / Menlo / Zscaler / Talon-Palo Alto / Garrison), deployment cost considerations and the simulation-allowlist configuration that keeps the training program operational.
A foundational read on phishing as a category - its economics, its targets and why awareness training matters.
A look at how phishing tactics have evolved with AI and remote-work trends.