Financial Services Phishing Awareness Training (FFIEC, GLBA)
Banks have always been the canonical phishing target. The blunt reason is that the money is closer - a credential at a regional bank or a credit union opens a path that does not require crossing into a different industry to monetize. The more strategic reason is that financial services workforces are conditioned to act on email instructions involving money, and the wire-out window is short. Examiners, brokers and regulators all know this and the supervision posture has hardened accordingly.
This post is for the CISO, the BISO, the SVP of operational risk and the qualified individual under the GLBA Safeguards Rule. It walks through the regulatory frame, the phishing scenarios that produce the highest losses in the sector, what a credible program looks like for a community bank versus a multi-state regional or a broker-dealer and the documentation examiners want to see.
The regulatory stack
Three frameworks set the floor:
- FFIEC IT Examination Handbook - the Information Security booklet treats security awareness training as a component of a sound information security program and references social engineering testing. The Cybersecurity Assessment Tool (CAT), still widely used, scores institutions on whether training is "ongoing," "tracks completion," and "tests employees with social engineering exercises."
- GLBA Safeguards Rule (16 CFR 314) - the amended rule requires non-bank financial institutions to designate a qualified individual, document a written information security program and provide security awareness training with verification of effectiveness. Phishing simulation is the standard verification mechanism.
- NYDFS 23 NYCRR Part 500 - Section 500.14 requires regular awareness training including social engineering. The CISO's certification of compliance is filed annually with DFS and the senior governing body.
Layer onto that the SEC's Regulation S-P amendments for broker-dealers and RIAs, FINRA Rule 4530 incident reporting expectations, the NCUA's letter to credit unions on cybersecurity and the OCC's heightened standards for large national banks. The point isn't that any one rule says "run phishing simulations." The point is that the absence of one is increasingly cited across all of them.
The threat model that actually loses money
Phishing in financial services divides cleanly into two loss categories: theft and fraud.
Credential-theft phishing targets workforce identity. The successful click yields access to email, the core banking system, the loan origination platform, the trading desk or the customer database. The downstream incidents are data breach (GLBA notification, state laws, regulator letters) and ransomware (operational outage, insurance claim, examiner attention). Banking operations staff, retail branch employees and IT admins are the highest-frequency targets.
Wire fraud BEC targets workforce judgment. The attacker impersonates an executive, a vendor, an attorney closing a transaction, a title company or a counterparty bank and induces a wire transfer that clears before anyone catches it. FBI IC3 reports BEC as one of the largest single dollar-loss categories in cybercrime. The targets are CFOs, controllers, AP staff, treasury operations and at broker-dealers and RIAs, the wire desk.
A serious phishing program runs simulations across both categories. The Verizon DBIR has consistently shown the human element to be involved in the substantial majority of breaches across financial services.
Templates that map to the workflow
- Wire instruction change - "Updated wire details for the closing tomorrow." Targets treasury, AP, real-estate transaction support.
- Executive impersonation - CEO-to-CFO request for a "confidential" transfer. Targets controllers and finance.
- Counterparty bank impersonation - correspondent banking lures, SWIFT messaging language. Targets back-office operations.
- Core banking vendor lures - Fiserv, FIS, Jack Henry password reset and incident notice templates. Targets ops and IT.
- Regulatory notice impersonation - fake FDIC, OCC, NCUA or DFS notices. Targets compliance and exec assistants.
- Customer escalation lures - "Customer complaint requires immediate review." Targets retail and call center.
- Vendor invoice fraud - generic AP fraud, often the easiest entry point at smaller institutions.
Mix difficulty tiers: easy templates for baseline measurement, regular for cadence, hard scenarios specifically for treasury, wire and exec-adjacent roles. Multi-channel coverage - including SMS smishing of mobile-banking lures and voice vishing impersonating an examiner or vendor - is now expected on examination as well.
Cadence by institution size
- Community bank or credit union (under $1B assets) - monthly campaigns, with treasury and wire staff getting an additional quarterly hard-difficulty payment-fraud scenario.
- Regional ($1B-$50B) - monthly all-hands plus role-specific waves for treasury, capital markets, lending and IT admin. Annual board reporting at minimum.
- Broker-dealer / RIA - monthly all-hands; the wire desk and operations require additional simulation against customer-impersonation lures.
- Mortgage and title - biweekly during peak closing volume; wire-fraud loss frequency in this segment justifies the extra cadence.
Auto-assigned remediation is now the standard
The most consequential platform behavior in financial services is what happens when a user clicks. Manual remediation - "we'll talk to them" - does not survive examiner review or insurance underwriting. Automated, just-in-time training assignment closes the loop and produces the documented evidence both audiences expect. Auto-assigned training the moment a user fails a simulation has become table stakes.
Documentation packet for examination
Build the packet once and keep it current. Examiners and insurance brokers ask for the same things:
- Campaign log: dates, target population, template category, difficulty tier
- Click-through and reporting rates with 24-month trend, broken down by department
- Training completion rate per campaign, with median time-to-completion after click
- Coverage report: % of headcount, exclusions and rationale, contractor inclusion
- Multi-channel evidence: sample SMS or voice campaign reports
- Written security awareness policy approved by management or board, version-controlled
- Board / risk-committee reporting cadence and sample report
- Phishing-related incident log for the past 24 months with remediation
The same packet handles your cyber insurance renewal questionnaire with no rework.
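The packet metrics above (click rate, reporting rate, median time-to-completion after a click, and the campaign log row) are simple to derive once the simulation platform exports per-recipient events. The following is an added example, not Bait & Phish code or any platform's export format: it assumes a hypothetical per-recipient event record with the fields shown, runs over a small constructed campaign, and also lists the users whose click has not yet been closed by remediation training.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

@dataclass
class SimEvent:
    """One recipient of one simulation campaign (hypothetical record layout)."""
    campaign: str
    sent: datetime
    user: str
    department: str
    template: str          # template category, e.g. wire-instruction-change
    tier: str              # difficulty tier: easy / regular / hard
    clicked: Optional[datetime] = None        # when the lure link was clicked
    reported: Optional[datetime] = None       # when the user reported the email
    training_done: Optional[datetime] = None  # when auto-assigned training was completed

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample: one hard-tier wire-change campaign sent to six people.
# Not real data; values chosen to exercise every branch below.
EVENTS = [
    SimEvent("2024-03-wire-change", ts("2024-03-05T09:00"), "u001", "Treasury",
             "wire-instruction-change", "hard",
             clicked=ts("2024-03-05T09:12"), training_done=ts("2024-03-05T11:12")),
    SimEvent("2024-03-wire-change", ts("2024-03-05T09:00"), "u002", "Treasury",
             "wire-instruction-change", "hard", reported=ts("2024-03-05T09:04")),
    SimEvent("2024-03-wire-change", ts("2024-03-05T09:00"), "u003", "Treasury",
             "wire-instruction-change", "hard",
             clicked=ts("2024-03-05T09:30")),  # clicked, training still open
    SimEvent("2024-03-wire-change", ts("2024-03-05T09:00"), "u004", "Retail",
             "wire-instruction-change", "hard", reported=ts("2024-03-05T10:00")),
    SimEvent("2024-03-wire-change", ts("2024-03-05T09:00"), "u005", "Retail",
             "wire-instruction-change", "hard"),  # ignored the email entirely
    SimEvent("2024-03-wire-change", ts("2024-03-05T09:00"), "u006", "Retail",
             "wire-instruction-change", "hard",
             clicked=ts("2024-03-05T09:45"), reported=ts("2024-03-05T09:50"),
             training_done=ts("2024-03-06T09:45")),  # clicked, then reported it
]

def campaign_log_row(events):
    """Campaign log entry: date, target population, template category, tier."""
    first = events[0]
    return {
        "campaign": first.campaign,
        "sent": first.sent.date().isoformat(),
        "population": len(events),
        "departments": sorted({e.department for e in events}),
        "template": first.template,
        "tier": first.tier,
    }

def department_metrics(events):
    """Click rate, reporting rate and median hours from click to completed training, per department."""
    by_dept = {}
    for e in events:
        by_dept.setdefault(e.department, []).append(e)
    out = {}
    for dept, evs in by_dept.items():
        n = len(evs)
        clicks = [e for e in evs if e.clicked]
        reports = [e for e in evs if e.reported]
        hours = [(e.training_done - e.clicked).total_seconds() / 3600
                 for e in clicks if e.training_done]
        out[dept] = {
            "recipients": n,
            "click_rate": round(len(clicks) / n, 3),
            "reporting_rate": round(len(reports) / n, 3),
            "median_hours_to_training": round(median(hours), 1) if hours else None,
        }
    return out

def pending_remediation(events):
    """Users who clicked and have not completed the auto-assigned training."""
    return sorted(e.user for e in events if e.clicked and not e.training_done)

if __name__ == "__main__":
    print(campaign_log_row(EVENTS))
    for dept, m in department_metrics(EVENTS).items():
        print(dept, m)
    print("open remediation:", pending_remediation(EVENTS))
```

A user who clicks and then reports (u006 above) counts in both rates; keeping the two numbers separate is what lets the packet show the reporting-rate trend examiners ask for alongside the click rate. The `pending_remediation` list is the evidence that the auto-assignment loop actually closed, which is the question underwriters and examiners put to the program.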
Mistakes specific to financial services
- Excluding the wire desk because "they already know." Wire desk staff fail simulations at the same rate as everyone else when the lure is well-crafted. They are the highest-loss cohort and need the most rigorous testing, not the least.
- Training that doesn't reinforce the out-of-band verification policy. The single control that breaks BEC is calling the requester back on a known number. If your training doesn't drill that specifically, it isn't doing the job.
- Reporting only click rate. Examiners and brokers also want reporting rate (the % of users who reported the simulation). A high reporting rate plus a low click rate is the signal of a healthy program.
- Static templates year over year. If the same lure appears every March, the muscle memory is to ignore it; that doesn't transfer to the real attack.
- Excluding the trust department, capital markets or treasury management. These cohorts hold the highest-value access in the institution and frequently get carve-outs that don't survive a post-incident review.
- Letting the core processor's "training module" stand in for simulation. Core processor training modules are knowledge content, not behavioral testing. They do not satisfy examiner expectations on their own.
Mapping to FFIEC CAT and the FFIEC Authentication Guidance
The FFIEC Cybersecurity Assessment Tool maps controls to maturity levels - Baseline, Evolving, Intermediate, Advanced, Innovative. Phishing-program evidence directly supports the Cyber Risk Management and Oversight domain at the Intermediate and Advanced levels. The FFIEC authentication guidance (most recently expanded in 2021) elevated expectations for layered security and awareness; MRA findings against institutions have frequently identified the compliance gap at the awareness-training layer rather than at the technical authentication layer.
For credit unions, the NCUA's Information Security Examination (ISE) and the cybersecurity examination procedures align closely with the FFIEC handbook. The same simulation evidence packet supports both NCUA and state credit union examiner reviews.
Where Bait & Phish fits
Bait & Phish has been running phishing simulation and security awareness training programs for community banks, credit unions, regional banks, broker-dealers, RIAs, mortgage and title companies and other financial-services BAs for more than 15 years. Our platform supports the cadence and documentation supervisory expectations now require: monthly multi-channel campaigns (email, SMS, voice), wire-fraud and BEC-specific template categories, auto-assigned remediation training, role-segmented reporting and one-click exports formatted for examination and insurance.
If you're standing up a program ahead of an upcoming exam or replacing one that's been flagged, start a free trial covering up to 25 users - no credit card - or talk to us about institution pricing. For more on the documentation flow into your insurance renewal, see what cyber insurers ask about phishing training. Pricing details are on the pricing page.
This post is informational and does not constitute legal, regulatory or compliance advice. Examination expectations vary by primary regulator and institution profile; consult counsel and your supervisory team for guidance.
Related industry guides
- State and local government phishing training
- Law firm phishing simulation
- Manufacturing and OT phishing
- Healthcare phishing simulation
- Retail and e-commerce phishing simulation (PCI, gift-card BEC)
- K-12 and higher education phishing training
- MSP and MSSP phishing simulation (multi-tenant reseller)
- Energy and utility phishing simulation (NERC CIP, TSA)
- SaaS startup phishing simulation (SOC 2-ready in 30 days)