Regulatory compliance

The compliance requirements of the different industry and government standards can demand a high degree of effort from organizations and in many cases it is a great challenge. The complexity involved means that we limit ourselves to complying with the requirement without taking into account the real background.

All regulations emphasize the importance of including people when managing risk. Therefore, it is essential to have solutions focused on the human element.

Kymatio offers a cybersecurity awareness program focused on people and fully automated, which provides insights and risk reports of the human element, evolution of the level of awareness and alertness, based on real data from the organization to meet the requirements global information security regulations.

ISO/IEC 27001 y 27002

We find prominent elements in the ISO 27001 security standard which, by way of summary, requests in its section A.7.2.2 related to information security awareness, education and training that all employees and relevant contractors must receive the education and adequate awareness training to do their job correctly and safely, as well as receive regular updates on organizational policies and procedures along with a good understanding of the applicable legislation that affects them in the role.


CobiT makes clear references to the need for staff training, providing employees with proper guidance and ongoing training to maintain their knowledge, skills, internal controls and security awareness at the level required to achieve organizational goals. Ensure user compliance with policies and procedures. Employees should be trained on ethical conduct and system security awareness and practices.


In its latest revision, the EOIPA launches the guidelines on governance and security of information and communication technologies (ICT) (October 2020) that address the guidelines on ICT and security risk management, ICT within the governance system and its strategy, security risks within the risk management system, and guidelines for the information security function. Reference is made in multiple sections to the need to incorporate human cyber risk, not only as a line of awareness, but as a risk system that contemplates human cyber risk.


The purpose of the National Security Scheme is to establish the security policy in the use of electronic media and is made up of basic principles and minimum requirements that allow adequate protection of information. Security must be considered an integral process, made up of all the human, technical, organizational and material elements linked to the system. Above all, people's awareness will be taken into account. Risk management. Risk analysis and management is a fundamental aspect within the security process and it is necessary that it be continuously updated. Risk management will keep the environment in check, reducing risks to acceptable levels.


The Payment Card Industry Data Security Standard or PCI DSS makes the following references. Need to implement a formal security awareness program to make all staff aware of the importance of cardholder data security. Train staff immediately upon hire and at least once a year. Require personnel to make, at least annually, a statement that they have read and understand the company's security policy and procedures. Screen potential staff before hiring to minimize the risk of attacks from internal sources. Adequately train staff on security breach response responsibilities.

European Banking Authority (EBA)

It highlights the classification and risk assessment requirements that institutions must meet in terms of criticality, for which they must, at a minimum, consider the requirements of confidentiality, integrity and availability. It focuses on risk mitigation, based on risk assessments, as well as defining and implementing measures to mitigate security and ICT risks. Protect information assets according to their classification. The section on information security training and awareness is especially relevant. Emphasizing that financial institutions should establish a training program, including regular security awareness programs, for all staff and contractors to ensure they are trained to perform their duties and responsibilities in accordance with policies and relevant security procedures to reduce human error, theft, fraud, misuse or loss and how to address risks related to information security.

NISTIR 8286A. Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM)

The document complements NIST Interagency/Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. The documentation describes scenarios based on the potential impact of threats and vulnerabilities on company assets. Documenting the probability and impact of various threat events through cybersecurity risk logs integrated into an enterprise risk profile enables prioritization and communication of enterprise cybersecurity risk monitoring and response. This framework describes a set of activities that consider the five functions:

Explicit reference is made
PR.AT Awareness and Training / Awareness and training:
•All personnel have been trained in physical and information security practices.
•Internal user
You may fall victim to an email phishing attack due to lack of sufficient training.

Health Insurance Portability & Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created to protect millions of workers and their family members in the United States with medical conditions. Among its top requirements is implementing a security awareness and training program for all members of the workforce (including management).

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) is a framework designed to protect the United States government against cybersecurity attacks and natural disasters that put sensitive data at risk. Requires obtaining cybersecurity awareness and training and informing personnel, including contractors and other users of the information systems that support agency operations and assets, of the information security risks associated with their activities, as well as their responsibilities in complying with agency policies and procedures designed to reduce these risks.

FACTA – FTC Red Flags Rule

The Fair and Accurate Credit Transaction Act (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) and includes the Red Flags Rule, implemented in 2008. red flags requires financial institutions and creditors to implement red flags to detect and prevent identity theft. Institutions must have a written Identity Theft Prevention Program (ITPP) to govern their organization and protect their consumers. As FACTA amends the Fair Credit Reporting Act, the FTC created the Red Flags Rule, which requires training as part of an identity theft prevention program. Employees should receive training on the various red flags to look out for and/or any other relevant aspect of the organization's identity theft prevention program.

Gramm-Leach Bliley Act

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102 (text) (pdf), 113 Stat. 1338, enacted November 12, 1999 ) is an Act of the 106th United States Congress (1999-2001).

Describes how in compliance with the policy in subsection (a) of this section, each agency or authority described in section 6805 (a) of this title shall establish appropriate standards for financial institutions. Subject to its jurisdiction in relation to administrative, technical and physical safeguards:

•Ensure the security and confidentiality of customer records and information;
•To protect against anticipated threats or jeopardy to the security or integrity of such records;
•To protect against unauthorized access or use of such records or information that could result in damage or substantial inconvenience to any customer.

Sarbanes-Oxley (SOX)

The SOX Law has regulated various controls in the United States to improve the quality of financial information, based on accounting standards, internal control, corporate governance, audit independence, and increased penalties for financial crimes.

North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard determines that the Responsible Entity must establish, document, implement and maintain a security awareness program to ensure that personnel who have authorized cyber access or authorized physical access (without escort) to Critical Cyber Assets receive continued reinforcement in sound security practices.

The program will include security awareness reinforcement at least quarterly using mechanisms such as:
•Direct communications (eg, emails, memos, computer training, etc.);
•Indirect communications (for example, posters, intranet, brochures, etc.);
•Support and reinforcement of the management (for example, presentations, meetings, etc.).

US State Privacy Laws

In the United States we find multiple states that have their own individual privacy laws, as examples of interest include:

•Texas Health Privacy Law: Texas's Health Privacy Law, H.B. No. 300 § 181.101 (Texas Healthcare Privacy Act), requires employees to be trained in both state law and HIPAA. The penalties for not complying with Texas law are very high, equivalent to HIPAA.
Massachusetts Data Security Law: Called 201 CMR 17.03, it requires training to maintain a comprehensive information security program.
•Federal Guidelines for the Sentencing of Organizations.
•SEC Cybersecurity Examination Initiative Guidance.

Basilea III

Basel III is a set of internationally agreed measures that the Basel Committee on Banking Supervision has developed in response to the financial crisis of 2007-09. The objective of these measures is to strengthen the regulation, supervision and risk management of banks.

Solvencia II

The regulatory framework of the Solvency II directive helps to better understand the risks of the insurance sector as a whole, in a world that is increasingly complex and globalized and with larger and closely interconnected risks.

Find out how we can help you