Security awareness training is a mandatory component of all cybersecurity insurance risk assessment questionnaires. This means it is mandatory now. Further, phishing training is NOT phishing testing. You need both. It is also important that this information be tracked in a learning management system so that the IT security manager, as well as the HR manager, are aware of who has successfully completed what training and when. Who is falling prey to phishing emails? You need to know this so you can have them do more training, even one-on-one.