Financial services organizations operate under some of the most stringent cybersecurity regulations in any industry. The SEC Cybersecurity Risk Management Rule (2023), FINRA Rule 3110 and Regulatory Notice 21-18, and PCI DSS v4.0 all include requirements for security awareness training and testing that directly implicate phishing simulation programs. At the same time, financial institutions are among the most targeted sectors for phishing: the Verizon 2025 DBIR found that financial services experienced the second-highest rate of social engineering attacks, with business email compromise (BEC) causing the largest financial losses of any attack type.
What Are the SEC Cybersecurity Requirements?
The SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule requires registered investment advisers and broker-dealers to implement policies and procedures to address cybersecurity risks, including human-layer risks. While the rule does not prescribe specific training methods, SEC examination staff have consistently cited inadequate security awareness programs as deficiencies during compliance examinations. Organizations should maintain documented evidence that their training program addresses phishing, BEC, and social engineering risks specific to financial services, that the program is reviewed and updated based on emerging threats, and that all personnel with access to customer data or financial systems complete the training within prescribed timeframes.
How Do FINRA Requirements Apply to Phishing Simulation?
FINRA Regulatory Notice 21-18 explicitly addresses phishing risks and recommends that member firms implement phishing simulation as part of their cybersecurity program. FINRA expects firms to conduct regular phishing simulations to test employee susceptibility, provide targeted training to employees who fail simulations, track and report simulation metrics to senior management, and adjust simulation complexity based on the evolving threat landscape. FINRA examination teams review phishing simulation records during routine and cause examinations, and firms that cannot demonstrate a consistent simulation program may face regulatory findings. The expectation is not perfection but continuous improvement: firms should show declining click rates and increasing report rates over time.
What Does PCI DSS v4.0 Require?
PCI DSS v4.0 Requirement 12.6 mandates security awareness training for all personnel with access to the cardholder data environment (CDE). New in v4.0 is Requirement 12.6.3.1, which specifies that training must include awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and social engineering. Requirement 12.6.3.2 requires that training be reviewed at least once every 12 months and updated as needed. While PCI DSS does not explicitly require phishing simulation, assessors increasingly treat simulation as a best practice that demonstrates compliance with the spirit of the training requirements. Organizations that rely solely on slide-deck training without behavioral testing may receive qualified assessment findings.
How Should Financial Institutions Design Simulations?
Phishing simulations for financial services should reflect the specific threats the industry faces. Prioritize scenarios that mirror real financial services attacks: wire transfer fraud, account verification phishing, client data exfiltration pretexts, regulatory impersonation (fake SEC or FINRA communications), and vendor payment redirect schemes. Segment simulations by role: trading floor staff, wealth management advisors, back-office operations, and IT teams face different attack profiles. Run elevated-frequency simulations for roles with direct access to wire transfer systems or customer account data. Document all campaigns with timestamps, scope, templates, and results for regulatory examination readiness.
How Do You Build a Regulatory-Ready Evidence Package?
Financial services organizations should maintain a compliance evidence package that can be produced on short notice for SEC examinations, FINRA audits, or PCI DSS assessments. Include a formal security awareness policy that references phishing simulation, 12 months of monthly simulation summary reports, individual completion and remediation records, evidence of program review and content updates, and a mapping document that connects your simulation program to each applicable regulatory requirement. Automate as much evidence generation as possible to reduce the compliance burden and ensure consistency. For additional compliance frameworks applicable to financial services, see our guides on SOC 2 requirements and NIST CSF 2.0 mapping.
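The metrics FINRA expects (click and report rates trending over time), the role segmentation and elevated cadence described under simulation design, and the evidence package above all come down to the same bookkeeping over campaign records. The following Python script is an added example, not code from this page or from any simulation vendor: it takes constructed per-recipient campaign rows (not real data), computes monthly click and report rates per role segment, classifies the trend, flags clickers who never completed remediation training, checks campaign cadence against an assumed policy minimum, and lists which evidence artifacts are still missing for each regulation. The role names, the set of elevated roles, the cadence thresholds, and the artifact-to-requirement mapping are all assumptions to be replaced with your own policy.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Result:
    """One recipient in one simulation campaign (constructed schema)."""
    campaign_id: str
    sent: date
    scenario: str      # e.g. "wire_transfer_fraud", "regulator_impersonation"
    role: str          # segment: "trading", "wealth_mgmt", "back_office", "it"
    clicked: bool
    reported: bool     # recipient reported the message via the phish button
    remediated: bool   # clicker completed follow-up training


# Assumption: roles with direct wire-transfer or customer-account access run more often.
ELEVATED_ROLES = {"back_office", "wealth_mgmt"}

# Assumption: which artifacts in the evidence package satisfy which regulation.
REQUIREMENT_MAP = {
    "SEC Cybersecurity Rule": ["awareness_policy", "monthly_reports", "program_review"],
    "FINRA RN 21-18": ["monthly_reports", "remediation_records", "trend_report"],
    "PCI DSS 12.6.3.1/12.6.3.2": ["awareness_policy", "program_review", "remediation_records"],
}


def _rows(campaign_id, sent, scenario, role, n, clicks, reports, unremediated=0):
    """Build n constructed recipient rows: the first `clicks` clicked, the next `reports`
    reported, and the first `unremediated` clickers never finished follow-up training."""
    rows = []
    for i in range(n):
        clicked = i < clicks
        reported = clicks <= i < clicks + reports
        remediated = clicked and i >= unremediated
        rows.append(Result(campaign_id, sent, scenario, role, clicked, reported, remediated))
    return rows


# Constructed sample: two monthly campaigns, two role segments.
SAMPLE = (
    _rows("C-2025-01", date(2025, 1, 14), "wire_transfer_fraud", "back_office", 20, 6, 4, unremediated=1)
    + _rows("C-2025-01", date(2025, 1, 14), "wire_transfer_fraud", "trading", 10, 3, 2)
    + _rows("C-2025-02", date(2025, 2, 11), "regulator_impersonation", "back_office", 20, 3, 9)
    + _rows("C-2025-02", date(2025, 2, 11), "regulator_impersonation", "trading", 10, 1, 5)
)


def monthly_rates(results):
    """Click and report rates keyed by (YYYY-MM, role); this is the monthly summary report."""
    agg = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        key = (r.sent.strftime("%Y-%m"), r.role)
        agg[key]["sent"] += 1
        agg[key]["clicked"] += r.clicked
        agg[key]["reported"] += r.reported
    return {
        key: {
            "sent": c["sent"],
            "click_rate": round(c["clicked"] / c["sent"], 3),
            "report_rate": round(c["reported"] / c["sent"], 3),
        }
        for key, c in agg.items()
    }


def trend(results, role):
    """Compare first and last month for a role: the regulator wants clicks down, reports up."""
    rates = monthly_rates(results)
    months = sorted(m for (m, r) in rates if r == role)
    if len(months) < 2:
        return "insufficient data"
    first, last = rates[(months[0], role)], rates[(months[-1], role)]
    if last["click_rate"] < first["click_rate"] and last["report_rate"] > first["report_rate"]:
        return "improving"
    if last["click_rate"] > first["click_rate"] or last["report_rate"] < first["report_rate"]:
        return "regressing"
    return "flat"


def remediation_gaps(results):
    """Clickers per role who have not completed follow-up training."""
    gaps = defaultdict(int)
    for r in results:
        if r.clicked and not r.remediated:
            gaps[r.role] += 1
    return dict(gaps)


def cadence_gaps(results, standard_min=1, elevated_min=3):
    """Distinct campaigns per role versus the assumed policy minimum for the data window."""
    seen = defaultdict(set)
    for r in results:
        seen[r.role].add(r.campaign_id)
    return {role: (len(ids), elevated_min if role in ELEVATED_ROLES else standard_min)
            for role, ids in seen.items()
            if len(ids) < (elevated_min if role in ELEVATED_ROLES else standard_min)}


def evidence_checklist(artifacts_present):
    """Missing artifacts per regulation, from the assumed REQUIREMENT_MAP."""
    return {reg: [a for a in needed if a not in artifacts_present]
            for reg, needed in REQUIREMENT_MAP.items()}


if __name__ == "__main__":
    report = {
        "monthly": {f"{m}/{role}": v for (m, role), v in monthly_rates(SAMPLE).items()},
        "trend": {role: trend(SAMPLE, role) for role in {r.role for r in SAMPLE}},
        "remediation_gaps": remediation_gaps(SAMPLE),
        "cadence_gaps": cadence_gaps(SAMPLE),
        "missing_evidence": evidence_checklist({"awareness_policy", "monthly_reports"}),
    }
    print(json.dumps(report, indent=2, sort_keys=True))
```

Run against an export from your simulation platform instead of `SAMPLE` and archive the JSON output each month; the `trend` and `remediation_gaps` outputs are the pieces an examiner asks for first, and `cadence_gaps` catches the case where an elevated-risk segment quietly fell back to the standard schedule.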