
Three New Compliance Training Courses Launched: 2026 SAT, CPA Firm Mastery, and FTC Compliance

Posted: December 31, 1969 to Compliance.

The training landscape changed on May 13, 2024. That date marked the effective start of the FTC's amended Safeguards Rule breach-notification requirement, which forces non-banking financial institutions to report security events affecting 500 or more consumers to the Federal Trade Commission within 30 days. The reports go on a public database. The era of quietly handling a breach is over for any business that touches consumer financial data — from CPA firms to auto dealers to mortgage brokers to debt collectors.

At the same time, the threat landscape has shifted. Adversaries are running AI-assisted phishing, vishing with voice clones, and business-email-compromise campaigns at a speed and scale that rules-based filters cannot keep up with. Once-a-year "click-through" security awareness training is no longer enough, and in many regulated industries it never was. To meet this moment, the Petronella Training Academy has just launched three new courses written for 2026 conditions, AI-era threats, and the actual frameworks our clients are audited against.

What's in the 2026 Security Awareness Training

The 2026 Security Awareness Training is the annual baseline every employee in a regulated business should complete. Six modules, twelve lessons, ninety minutes, beginner-friendly, and it satisfies the documented annual training requirement under multiple frameworks at once. Course URL: petronellatech.com/training/courses/2026-security-awareness-training.

What learners walk away with:

  • How to recognize modern phishing — including AI-generated email, smishing, and voice-clone vishing — and what to do in the first sixty seconds.
  • Password hygiene, MFA, and passkey adoption in plain language, with the threat models that justify each control.
  • Safe handling of sensitive data: PII, PHI, payment data, CUI — what each is, who regulates it, and how to keep it inside policy.
  • Remote-work and BYOD risk: home network, public Wi-Fi, screen privacy, and physical security of mobile devices.
  • Social engineering beyond email: pretext calls, vendor impersonation, deepfake meeting requests, and the human-firewall response.
  • Incident reporting: how to report a suspected event without fear, and why early reporting is the single highest-leverage thing an employee can do.

Frameworks satisfied: annual security awareness training requirements under GLBA Safeguards Rule, HIPAA Security Rule, CMMC Level 1 and Level 2 (AT family), PCI-DSS, NYDFS Part 500, and SOC 2 (CC1/CC2). Price: $99 per seat per year.

What's in the CPA Firm Cybersecurity & Compliance Course

The CPA Firm Cybersecurity & Compliance course is purpose-built for the people inside a tax or accounting practice — partners, managers, staff accountants, admin, IT, and the firm's designated information security lead. Six modules, twelve lessons, four hours of focused content. Course URL: petronellatech.com/training/courses/cpa-firm-cybersecurity-compliance.

What it covers:

  • IRS Publication 4557 — the "Safeguarding Taxpayer Data" guide every paid tax preparer is supposed to be following, broken down into concrete controls.
  • IRS Written Information Security Plan (WISP) — what a WISP must contain, who owns it, how to keep it living, and what the IRS actually looks for if your firm is reviewed.
  • FTC Safeguards Rule as it applies to tax-prep firms — the Rule treats tax preparers as "financial institutions," and most CPA firm leaders are still surprised to hear it.
  • Tax-season fraud patterns: stolen-identity refund fraud, EFIN compromise, fraudulent e-file, and the early warning signs your firm should be watching during the busy season.
  • Breach response — the 30-day FTC notification clock, IRS Stakeholder Liaison contact, state AG notification, and client communication templates.
  • SOC 2 readiness — for firms that are being asked by lenders, audit clients, or private-equity owners to show a SOC 2 report.

Frameworks satisfied: IRS Pub 4557, IRS WISP, FTC Safeguards Rule (16 CFR Part 314), state AG breach laws, and SOC 2 Trust Services Criteria. Price: $499. For firms running an internal compliance program, see also our vCISO services and compliance audit offerings.

What's in the FTC Compliance Mastery Course

This is the broadest of the three, and probably the most under-served. The FTC Compliance Mastery course covers the full footprint of Federal Trade Commission rules that apply to private-sector businesses outside of banking. Six modules, twelve lessons, three and a half hours. Course URL: petronellatech.com/training/courses/ftc-compliance-mastery.

It is built for the businesses that the FTC actually enforces against:

  • Auto dealers — in scope for the Safeguards Rule the moment they arrange financing or leasing.
  • Mortgage brokers and lenders — non-bank originators are squarely under FTC jurisdiction.
  • Debt collectors and debt buyers — FDCPA plus Safeguards plus Section 5.
  • Independent financial advisors and tax preparers — Safeguards Rule applies regardless of size in many cases.
  • Retailers offering financing, layaway, or buy-now-pay-later — financing-adjacent activities pull merchants into Safeguards scope.
  • Marketing teams at any company — CAN-SPAM, the Telemarketing Sales Rule, COPPA for child-directed services, and Section 5 unfair-or-deceptive practices.

Topics include the full Safeguards Rule control set, the Privacy Rule and consumer notices, Section 5 of the FTC Act (unfair or deceptive practices), CAN-SPAM, the Telemarketing Sales Rule (TSR), COPPA for any business with under-13 audiences, and the May 13, 2024 breach-notification amendment in operational detail. Price: $399.

Three Common Misconceptions About the FTC Safeguards Rule

Across hundreds of intake conversations, the same three misconceptions show up almost every week. They are worth calling out before any business assumes it is in the clear.

Misconception 1: "We're an auto dealer (or repair shop, or used-car lot). The FTC doesn't regulate us."

It does. The FTC defines "financial institution" under the Gramm-Leach-Bliley Act in functional terms, not by what is on the company's sign. The moment a dealership arranges financing, leasing, or even refers customers to a captive lender, it is a financial institution for Safeguards Rule purposes. The FTC has been explicit about this in enforcement guidance, and dealer associations have been telling their members the same thing for years. If a business arranges credit, it is in scope.

Misconception 2: "We're small. The carve-out covers us."

The Safeguards Rule has a narrower carve-out than most small businesses think. Companies that maintain customer information on fewer than five thousand consumers are exempt only from a small set of provisions — specifically the written risk assessment, the qualified individual designation, the continuous monitoring, the incident response plan, and the annual report to the board. They are not exempt from the rest of the Rule, and they are not exempt from the breach-notification amendment. Many small firms read "under 5,000" as "we are exempt from everything," and that is not the law.

Misconception 3: "We encrypt everything, so we're fine."

Encryption is necessary. It is not sufficient. The Safeguards Rule requires nine specific elements in the security program: a qualified individual, a written risk assessment, access controls, an inventory of customer data, encryption in transit and at rest, secure development practices, MFA for any system with customer information, secure disposal, change management, monitoring and logging, training, vendor oversight, an incident response plan, and an annual written report. A business that has done only the encryption box is missing twelve of the thirteen required pieces. And on the breach-notification amendment, encryption only excuses notification if the encryption keys were not also acquired — a fact most ransomware actors take pains to defeat by exfiltrating credentials before they encrypt.

How to Start

All three courses are live and self-enroll today. Direct course pages with full curricula:

For larger teams, the courses are available on a per-seat basis with reporting and completion certificates. If your organization is being asked for documentation of annual security awareness training as part of a CMMC assessment, a HIPAA risk analysis, a SOC 2 audit, or a cyber insurance renewal, these courses generate the artifact you need.

If you would prefer to talk through which course (or which combination) fits your business before you buy seats, we hold short advisory office hours each week. Email support@petronellatech.com or call 919-348-4912 and we will get you scheduled. For broader managed compliance, see our IT services overview or schedule a discovery call directly through the site.

Compliance is a moving target in 2026. The training that is on your shelf from two years ago does not cover deepfake vishing, the 30-day FTC notification clock, or the AI-era pretext call. These courses do.


About the Author

Craig Petronella, CEO and Founder of Petronella Technology Group
CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent 20+ years professionally at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential issued by the Cyber AB and leads Petronella as a CMMC-AB Registered Provider Organization (RPO #1449). Craig is an NC Licensed Digital Forensics Examiner (License #604180-DFE) and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. He also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served hundreds of regulated SMB clients across NC and the southeast since 2002, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
