Earlier this year, we explored the widening gap between email security and compliance. It’s a gap that exists not because the threats are unclear or the risks misunderstood, but because the language of regulation still struggles to catch up with the speed and subtlety of modern phishing and business email compromise (BEC) attacks. For CISOs, IT Directors, and MSP leaders, that gap is no longer theoretical—it’s where legal exposure lives.
Too many organizations still treat compliance and email security as separate priorities. The reality is that they are already intertwined. The question is whether your stack reflects that reality—or is just hoping to slide by unnoticed.
Regulatory bodies rarely call out phishing simulations, Security Awareness Training (SAT), or DMARC enforcement by name. Instead, they use broad language like “reasonable security practices” or “appropriate technical and organizational safeguards.” That’s the loophole many organizations use to justify minimal or outdated controls. But regulators, auditors, and cyber insurers are no longer impressed with vague claims of compliance.
When breaches occur—especially those involving social engineering or email impersonation—the aftermath often centers around one question: Did you do enough? And increasingly, “enough” includes having your employees trained, your domain authenticated, and your detection technology capable of stopping phishing emails in real time—not just scanning them in transit. For MSPs, that interpretation turns into legal and contractual risk if controls are missing or undocumented.
The Gramm-Leach-Bliley Act (GLBA), first passed in 1999 and updated through the Safeguards Rule in 2003, sets expectations for customer data protection within banks, credit unions, lenders, and insurance companies. It requires administrative, technical, and physical safeguards, which now must include controls to protect against phishing, spoofing, and email-based fraud. DMARC adoption is increasingly recognized as a critical technical safeguard, especially to prevent domain spoofing. At the same time, financial organizations must train staff to detect these threats, as human error remains the largest attack surface.
The FTC Safeguards Rule, updated with a firm enforcement deadline of June 9, 2023, brings much sharper focus to the role of email and end-user behavior. It mandates SAT for all employees, continuous security monitoring, and well-documented incident response plans. These updates effectively make phishing protection and real-time remediation table stakes for financial institutions—regardless of size.
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 and enforced through its Security Rule since 2005, applies to any covered entity handling Protected Health Information (PHI). HIPAA requires “ongoing security awareness training” and “technical safeguards” to prevent unauthorized access—language that increasingly demands more than antivirus and firewalls. Because most data breaches in healthcare begin with a phishing email, security awareness training and phishing simulation programs are not just best practices—they’re compliance requirements in all but name. Layering this with DMARC enforcement reduces impersonation risk and demonstrates due diligence in audits and breach investigations.
State privacy laws such as California’s CCPA (effective July 1, 2020) and the New York SHIELD Act (enforced March 21, 2020) mandate “reasonable security measures” for the handling of consumer and employee data. While these mandates don’t specify phishing simulations or DMARC, enforcement history suggests that failure to implement common protections could result in regulatory penalties, especially following a breach. SAT, phishing testing, and domain authentication have become informal benchmarks for what constitutes “reasonable.”
In Canada, PIPEDA (updated 2015) outlines similar responsibilities for private-sector organizations. Organizations must deploy safeguards appropriate to the sensitivity of the data they handle—again, implying email protection, phishing awareness training, and DMARC controls as core components of a defensible compliance posture.
The Consumer Privacy Protection Act (CPPA), still under review as of late 2025, would modernize Canada’s privacy framework by aligning it more closely with GDPR. While it has not yet passed, its structure suggests formal expectations around employee training and phishing prevention are coming. Smart organizations are preparing now.
The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, defines a broad requirement for “appropriate technical and organizational measures” to protect personal data. While it doesn’t specify SAT or DMARC, regulators have interpreted these as valid expectations—especially in post-breach investigations. A missed phish that leads to customer data exposure can result in fines and reputational fallout if training and email authentication weren’t in place.
The NIS2 Directive, enforced beginning October 2024, expands Europe’s security expectations across critical infrastructure, digital service providers, and essential business sectors. It mandates risk management measures that include security training and supply chain resilience—making phishing readiness and DMARC adoption a logical necessity for organizations seeking to demonstrate compliance.
In the UK, the Cyber Essentials Plus framework—while technically voluntary—has become a prerequisite for government contracts and is recommended by cyber insurers. Its requirements include anti-phishing controls, email filtering, and user awareness training. As with GDPR, the lack of specific technology language doesn’t reduce the pressure to deploy phishing-resistant email protection and SAT programs.
The Essential Eight framework, maintained by the Australian Cyber Security Centre, has quickly become a gold standard for cybersecurity resilience. While not mandated by law, it is widely adopted across government and private sectors. The framework explicitly calls for defenses against phishing and social engineering—including user training and email filtering controls. Platforms that combine adaptive threat detection with automated SAT align directly with several Essential Eight mitigation strategies.
The SMB1001 standard, designed for small and midsize businesses that serve government agencies, also emphasizes phishing remediation and awareness training. Email threat protection, SAT, and automation are recognized as low-overhead paths to compliance for MSPs supporting clients in this space.
New Zealand’s National Cyber Security Centre (NCSC) Framework promotes critical controls to reduce phishing and social engineering risks. Email-based attacks are directly addressed, with recommendations that include anomaly detection, user reporting, and phishing remediation. SAT and simulation capabilities are encouraged to build employee resilience and ensure organizational readiness.
Across regions, DMARC adoption is gaining traction—not just as a security best practice, but as an unofficial requirement. Whether it’s Google and Yahoo’s 2024 mandate for bulk senders to authenticate their email domains with SPF, DKIM, and DMARC, or industry-specific guidance from regulators and insurers, DMARC is becoming the standard. Yet, many organizations still operate with a policy set to “none,” offering visibility without enforcement.
This is a risk. Without DMARC in quarantine or reject mode, attackers can spoof your domain, impersonate your executives, and compromise your customers—without your stack stopping it. Regulatory compliance doesn’t require domain authentication yet, but failure to implement it is quickly becoming indefensible in both legal and insurance contexts.
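As an added example (not from the original article), a short Python check that scores a published DMARC record by the gaps described above: a p=none policy, an sp= override that leaves subdomains unprotected, a pct below 100, or no rua reporting address. The record strings are constructed samples; looking up the TXT record at _dmarc.<domain> is assumed to happen elsewhere.

```python
from dataclasses import dataclass, field

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcAssessment:
    policy: str            # p= tag: what receivers do with failing mail
    subdomain_policy: str  # sp= tag: defaults to the p= value when absent
    pct: int               # pct= tag: share of failing mail the policy applies to
    findings: list = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when failing mail for the domain and its subdomains is acted on."""
        return (self.policy in ENFORCING
                and self.subdomain_policy in ENFORCING
                and self.pct == 100)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if "p" not in tags:
        raise ValueError("invalid DMARC record: required p= tag missing")
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Flag the gaps that leave a domain spoofable even though DMARC is published."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    findings = []
    if policy not in ENFORCING:
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif sub not in ENFORCING:
        findings.append(f"sp={sub}: subdomains are not covered by the policy")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so failures go unseen")
    return DmarcAssessment(policy, sub, pct, findings)


# Constructed sample records (not any real domain's DNS data).
SAMPLES = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        a = assess_dmarc(rec)
        print(name, "enforcing" if a.enforcing else "NOT enforcing", a.findings)
```

A record that parses but reports `enforcing == False` is exactly the "visibility without enforcement" state the text warns about, and the findings list gives the auditor-facing reason.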
Close the loop between “reasonable safeguards” and proof. Share the checklist below, align on responsibilities, and commit to reporting the metrics monthly. It’s practical, defensible, and tool-agnostic.
When you operationalize these controls and metrics across every tenant, codified in the MSA, backed by monthly evidence, and reviewed in each QBR, you shift email security from “best effort” to a defensible standard of care.
This consistency reduces legal exposure, clarifies accountability, and gives you a repeatable narrative when auditors, insurers, or counsel come calling: here is what we implemented, here is how we monitored it, and here is the proof it worked, or how we corrected it when it did not.