
Regulatory compliance

The compliance requirements of the various industry and government standards demand a high degree of effort from organizations and are, in many cases, a real challenge. The complexity involved often leads organizations to limit themselves to meeting the requirement without considering its real purpose.

All regulations emphasize the importance of including people when managing risk. So, it is essential to have solutions focused on the human element.

Kymatio offers a fully automated, people-focused cybersecurity awareness program that provides insights and reports on human element risk and on the evolution of the level of awareness and alertness, based on real-time data from the organization, to meet the requirements of global information security regulations.

ISO/IEC 27001 and 27002

The ISO 27001 security standard, in its section A.7.2.2 on information security awareness, education, and training, requires that all relevant employees and contractors receive adequate awareness education and training to do their job correctly and safely, receive regular updates on organizational policies and procedures, and have a good knowledge of the legislation that applies to their position.

COBIT

COBIT makes clear references to the need for staff training: employees must be given adequate guidance and ongoing training to keep their knowledge, skills, internal controls, and security awareness at the level required to achieve organizational goals. Organizations must ensure user compliance with policies and procedures, and employees should be trained on ethical conduct and on system security awareness and practices.


EIOPA

In its latest revision, EIOPA published its guidelines on information and communication technology (ICT) security and governance (October 2020), which cover ICT and security risk management, ICT within the governance system and its strategy, security risks within the risk management system, and the information security function. Multiple sections refer to the need to incorporate human cyber risk, not only as an awareness activity but as part of a risk management system that considers human cyber risk.


National Security Scheme

The purpose of the National Security Scheme is to establish the security policy for the use of electronic media; it is made up of basic principles and minimum requirements that allow adequate protection of information. Security is to be treated as a comprehensive process that covers all the human, technical, organizational, and material elements linked to the system, and above all considers the awareness of people. On risk management, the scheme states that risk analysis and management is a fundamental aspect of the security process and must be continuously updated; risk management keeps the environment under control by reducing risks to acceptable levels.


PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) makes the following requirements:
• Implement a formal security awareness program so that all staff are aware of the importance of cardholder data security.
• Train staff upon hire and at least once a year.
• Require staff to acknowledge, at least once a year, that they have read and understood the company's security policy and procedures.
• Screen potential staff prior to hiring to minimize the risk of attacks from internal sources.
• Adequately train personnel on their responsibilities when responding to security breaches.

European Banking Authority (EBA)

The EBA guidelines set out the classification and risk assessment requirements that institutions must meet in terms of criticality, for which they must, as a minimum, consider the requirements of confidentiality, integrity, and availability. They focus on risk mitigation based on risk assessments, on defining and implementing measures to mitigate security and ICT risks, and on protecting information assets according to their classification. Of particular relevance is the section on information security training and awareness, which states that financial institutions should establish a training program, including periodic security awareness programs, for all personnel and contractors, to ensure they are trained to perform their duties and responsibilities in accordance with the relevant security policies and procedures, to reduce human error, theft, fraud, misuse, or loss, and to address information security risks.

NISTIR 8286A. Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM)

The document supplements NIST Interagency/Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), with additional details on guidance, risk identification, and risk analysis. It describes scenarios based on the potential impact of threats and vulnerabilities on company assets. Documenting the likelihood and impact of various threat events in cybersecurity risk registers, embedded in an enterprise risk profile, allows enterprise cybersecurity risk monitoring and response to be prioritized and communicated. The framework describes a set of activities organized around the five functions, and makes explicit reference to awareness and training:

• PR.AT Awareness and Training: all personnel have been trained in physical and information security practices.
• Internal user: may be the victim of an email phishing attack due to insufficient training.

Health Insurance Portability & Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created to protect millions of workers and members of their families in the United States with medical conditions. Its main requirements include implementing a security training and awareness program for all members of the workforce (including management).

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) is a framework designed to protect the United States government against cybersecurity attacks and natural disasters that put sensitive data at risk. It requires cybersecurity training and awareness, and requires that personnel, including contractors and other users of the information systems that support the operations and assets of the agency, be informed of the information security risks associated with their activities and of their responsibilities in complying with agency policies and procedures designed to reduce those risks.

FACTA – FTC Red Flags Rule

The Fair and Accurate Credit Transactions Act (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) and includes the Red Flags Rule, implemented in 2008. The Red Flags Rule requires financial institutions and creditors to implement red flags to detect and prevent identity theft. Institutions must have a written Identity Theft Prevention Program (ITPP) to govern their organization and protect their consumers. Under FACTA's amendment of the Fair Credit Reporting Act, the FTC created the Red Flags Rule, which requires training as part of an identity theft prevention program: employees should be trained on the various red flags to watch out for and on any other relevant aspect of the organization's identity theft prevention program.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999 (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), is an act of the 106th Congress of the United States (1999-2001).

It describes how, in compliance with the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to its jurisdiction relating to administrative, technical, and physical safeguards:

• To ensure the security and confidentiality of customer records and information;
• To protect against any anticipated threats or hazards to the security or integrity of such records;
• To protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley (SOX) Act introduced various controls in the United States to improve the quality of financial information, covering accounting standards, internal control, corporate governance, independence of audits, and increased penalties for financial crimes.

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard requires that the Responsible Entity establish, document, implement, and maintain a security awareness program to ensure that personnel with authorized cyber access or authorized unescorted physical access to Critical Cyber Assets receive ongoing reinforcement in sound security practices.

The program must include security awareness reinforcement at least quarterly, using mechanisms such as:
• Direct communications (e.g., emails, memos, computer-based training);
• Indirect communications (e.g., posters, intranet, brochures);
• Management support and reinforcement (e.g., presentations, meetings).

US State Privacy Laws

In the United States, many states have their own privacy laws. Examples of interest include:

• Texas Health Privacy Law: Texas's Health Privacy Law, HB No. 300 § 181.101, requires employees to be trained in both state law and HIPAA. The penalties for not complying with the Texas law are very high, equivalent to those of HIPAA.
• Massachusetts Data Security Law: known as 201 CMR 17.03, it requires training as part of maintaining a comprehensive information security program.
• Federal Sentencing Guidelines for Organizations.
• SEC Cybersecurity Examination Initiative Guidance.

Basel III

Basel III is a set of internationally agreed measures that the Basel Committee on Banking Supervision has developed in response to the financial crisis of 2007-09. The objective of these measures is to strengthen the regulation, supervision and risk management of banks.

Solvency II

The regulatory framework of the Solvency II directive helps to better understand the risks of the insurance sector in an increasingly complex and globalized world, where risks are larger and closely interconnected.
