Documenting Phishing Training for Cyber Insurance Audits
Cyber insurance audits happen in three contexts, and the documentation expectations differ in each. At quote, the underwriter wants enough evidence to score the application accurately. At renewal, they want trend data and proof the program is still operational. After a claim, especially a phishing-led one, the carrier's claim adjuster may review whether the controls described on the application were actually in place at the time of the loss. The same documentation set serves all three audiences, but the stakes shift dramatically: a thin evidence package costs you a few percentage points at quote and can complicate a multi-million-dollar claim post-loss.
This post is the practical documentation checklist for keeping a phishing training program audit-ready year-round, in the order carriers actually request artifacts, with retention and packaging guidance.
The three audit contexts
Understanding which audit you're preparing for shapes how you package the evidence:
- Quote audit (new business). Underwriter is scoring your application for the first time. They want to verify your "yes" answers and place you in a credit band. Speed matters; a clean PDF beats three CSVs.
- Renewal audit. Underwriter is comparing your current program to last year and to peer organizations. Trend data is the primary asset; "we've held flat" reads worse than "we've added smishing coverage and our click rate is down."
- Post-claim audit. Claim handler is verifying that the program described on the application was actually operating at the time of the loss. Date-stamped artifacts are critical; reconstructed evidence reads as reconstructed.
The evidence set is largely identical across the three; the difference is how much scrutiny each artifact receives.
The core documentation set
Eight artifacts cover roughly 95% of carrier requests. Keep them current and exportable on demand:
- Campaign log (12 months minimum). One row per campaign with date, target population, template category, difficulty level and high-level results. This is the foundational document - every other artifact references it.
- Click-through rate trend chart. Per-campaign click rate over time, with the trend line clearly visible. Annotate notable inflection points (a difficulty change, a new vector added).
- Training completion data. Percentage of users assigned remediation training who completed it, and median time-to-completion. Report both as a percentage and as an absolute count.
- Remediation flow evidence. A screenshot or workflow diagram showing automated assignment of remediation training when a user clicks. Manual processes do not score as well; demonstrate the automation.
- Coverage statement. Total headcount, in-scope headcount and explicit inclusion of executives, IT, finance and contractors. State any exclusions and the rationale.
- Multi-channel evidence. At least one SMS phishing (smishing) campaign report and one voice phishing (vishing) campaign report if applicable. 2026 underwriting frequently asks about this by name.
- Written awareness policy. Signed and dated, with management approval evidence and a version history. The policy should be consistent with the campaign log - frequency in the policy should match what actually happened.
- Reporting sample. A redacted board deck slide or risk-committee report showing how the program is communicated to leadership. Programs reported only inside IT score lower than programs reported to executive risk committees.
Retention: how long to keep records
Three years is the practical floor for most organizations:
- Cyber insurance policy lookback windows for post-claim review typically span the active policy period and prior periods if there were prior policies.
- SOC 2 Type II audit windows are 12 months; ISO 27001 surveillance audits look back at the past audit cycle; PCI DSS Report on Compliance scope looks back at the past assessment year.
- Sector-specific regulations (HIPAA, FFIEC, GLBA) may impose longer retention. In healthcare and financial services, six years or longer is common.
For practical purposes, retain phishing program records for the longer of three years or the longest applicable regulatory window. Storage cost is trivial; the cost of not having the record when an adjuster asks is not.
Format: PDF, CSV or both
The format underwriters and claim handlers prefer is a single integrated PDF for the executive view, with raw CSVs available as supporting data on request. The PDF should:
- Open with a one-page program summary: scope, frequency, channels, key metrics.
- Include the trend chart on the second page.
- Include the campaign log as a clean table in the body.
- Reference the policy by version and date in the appendix.
Bait & Phish exports this format natively, which is one of the more frequent compliments customers report after their first renewal cycle on the platform.
What to do at quote: 7-day, 30-day and 90-day plays
The cleanest position at quote is having 12 months of trend data already in hand. If you don't, three timeline options:
- 7 days out. Pull whatever you have and submit it cleanly. Even one campaign with results is materially better than no documentation. Note in the cover letter that the program is being expanded.
- 30 days out. Run two campaigns at different difficulty levels, generate the export and include the policy. Two data points do not make a trend, but they demonstrate the program is operational.
- 90 days out. Run monthly campaigns across multiple template categories, including at least one SMS phishing scenario. By submission you have a quarter of trend data and multi-channel evidence.
What to do at renewal
Renewal preparation should be a 60-day discipline, not a 7-day scramble:
- 60 days out: Pull the prior renewal package, identify any data gaps versus what carriers asked for last cycle and fill them now.
- 30 days out: Run an additional campaign if needed for a clean trend line through the renewal date, and update the policy version if anything has changed.
- 14 days out: Generate the export, share it with your broker and flag any program upgrades (new channels, expanded coverage) so the broker can highlight them in the submission.
What to do at post-claim audit
Post-claim is where weak documentation hurts most. The claim handler is reviewing whether the program described on the application was operational at the time of the incident. The audit-ready position is:
- Date-stamped campaign records that pre-date the application by at least the period the application covered.
- Training completion records that match the application's claimed remediation cadence.
- Policy version control showing the policy was in place during the relevant period.
- Reporting samples from the period in question, not reconstructed for the audit.
Records reconstructed after a claim look different from records retained in real time. Maintain audit-readiness as a normal operating practice.
Common documentation gaps and how to close them
Five gaps account for the majority of evidence weaknesses uncovered during cyber insurance audits:
- Missing executive coverage. Campaign log shows only general staff. Fix: include executives in every campaign at appropriate difficulty (BEC and whaling-tier templates), and report executive results separately to the risk committee.
- Manual remediation assumed but undocumented. Remediation reportedly happens but no records exist. Fix: switch to a platform that auto-assigns training and produces a timestamped completion record for every clicked simulation.
- Policy version drift. Policy says "monthly," campaign log shows quarterly. Fix: update the policy to match actual practice, or change practice to match policy. Reconcile before submission.
- No multi-channel evidence. Email-only program in a 2026 application. Fix: run a single SMS phishing campaign and a single voice phishing campaign per quarter at minimum, even if smaller in scope than email campaigns.
- Reporting only inside IT. No board or risk-committee reference. Fix: add a one-page quarterly summary to the enterprise risk packet.
Each fix is a one-quarter exercise; doing them in parallel during a 90-day pre-renewal window converts a thin evidence package into a strong one.
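The reconciliation the gaps above describe (executive coverage, channel evidence, policy cadence versus actual cadence, remediation records for every clicked campaign, and the 12-month log minimum) can be run as a self-check over the campaign log before the package goes to the broker. The script below is an added example for this checklist, not Bait & Phish platform code; the campaign-log columns, the policy excerpt and the sample rows are constructed assumptions, so adapt the field names to whatever your platform exports.

```python
"""Audit-readiness self-check over a phishing campaign log.

Added example for this checklist, not Bait & Phish platform code. The
campaign-log columns, the POLICY dict and the sample rows are constructed
assumptions; adapt the field names to whatever your platform exports.
"""
from datetime import date
from statistics import median

# Constructed campaign log: one row per campaign with the fields the
# checklist calls for (date, population, channel, difficulty, results).
CAMPAIGN_LOG = [
    {"date": date(2025, 1, 14), "population": "all-staff", "channel": "email",
     "difficulty": "medium", "sent": 400, "clicked": 52,
     "remediation_assigned": 52, "remediation_completed": 47},
    {"date": date(2025, 4, 8), "population": "all-staff", "channel": "email",
     "difficulty": "medium", "sent": 400, "clicked": 38,
     "remediation_assigned": 38, "remediation_completed": 36},
    {"date": date(2025, 7, 15), "population": "all-staff", "channel": "email",
     "difficulty": "hard", "sent": 410, "clicked": 31,
     "remediation_assigned": 0, "remediation_completed": 0},  # manual remediation, no record
    {"date": date(2025, 10, 7), "population": "all-staff", "channel": "email",
     "difficulty": "hard", "sent": 410, "clicked": 24,
     "remediation_assigned": 24, "remediation_completed": 24},
    {"date": date(2025, 11, 18), "population": "all-staff", "channel": "sms",
     "difficulty": "medium", "sent": 150, "clicked": 20,
     "remediation_assigned": 20, "remediation_completed": 18},
]

# Constructed excerpt of the written awareness policy; the log must reconcile with it.
POLICY = {"frequency": "monthly", "channels": ("email", "sms", "voice")}

MIN_LOG_MONTHS = 12  # "Campaign log (12 months minimum)"


def click_rate(row):
    return row["clicked"] / row["sent"]


def trend(log):
    """Per-campaign click rate in date order; this is the trend-chart data."""
    ordered = sorted(log, key=lambda r: r["date"])
    return [(r["date"], round(click_rate(r), 4)) for r in ordered]


def months_spanned(log):
    """Calendar months covered by the log, first campaign month to last, inclusive."""
    first, last = min(r["date"] for r in log), max(r["date"] for r in log)
    return (last.year - first.year) * 12 + last.month - first.month + 1


def observed_cadence(log):
    """Classify actual campaign frequency from the median gap between campaign dates."""
    dates = sorted(r["date"] for r in log)
    if len(dates) < 2:
        return "insufficient"
    gap_days = median((b - a).days for a, b in zip(dates, dates[1:]))
    if gap_days <= 45:
        return "monthly"
    if gap_days <= 120:
        return "quarterly"
    return "irregular"


def find_gaps(log, policy):
    """Return the documentation gaps from the checklist that this log exhibits."""
    gaps = []
    span = months_spanned(log)
    if span < MIN_LOG_MONTHS:
        gaps.append(f"Campaign log spans {span} months; {MIN_LOG_MONTHS} is the minimum")
    if not any(r["population"] == "executives" for r in log):
        gaps.append("Missing executive coverage: no campaign targets the executive population")
    for channel in policy["channels"]:
        if not any(r["channel"] == channel for r in log):
            gaps.append(f"No {channel} evidence although the policy names the channel")
    cadence = observed_cadence(log)
    if cadence != policy["frequency"]:
        gaps.append(f"Policy version drift: policy says {policy['frequency']}, log shows {cadence}")
    for r in log:
        # Every clicked simulation needs a timestamped training assignment behind it.
        if r["clicked"] and r["remediation_assigned"] < r["clicked"]:
            gaps.append(f"Remediation undocumented for campaign on {r['date']}: "
                        f"{r['clicked']} clicks, {r['remediation_assigned']} training assignments")
    return gaps


if __name__ == "__main__":
    for when, rate in trend(CAMPAIGN_LOG):
        print(f"{when}  click rate {rate:.1%}")
    for gap in find_gaps(CAMPAIGN_LOG, POLICY):
        print("GAP:", gap)
```

On the constructed log the check flags all five gaps at once: the log is one month short of the minimum, no executive campaign exists, there is no voice evidence despite the policy naming it, the policy says monthly while the median gap between campaigns puts the program at quarterly, and the July campaign has clicks with no remediation assignments behind them. Run it at the 60-day mark of the renewal timeline so each gap still has a quarter to be closed.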
Evidence-format conventions that auditors prefer
Beyond what is in the package, how the evidence is laid out affects how cleanly it reads:
- Date headers on every page. Quarterly reports should have unambiguous reporting periods at the top of the document.
- Trend chart on the second page, not buried. The chart is what most auditors look at first; lead with it.
- Anonymized but not aggregated user data. Per-user click and completion records can be redacted to user IDs but should not be collapsed entirely; auditors sometimes need to verify a sampled user.
- Version-controlled policy with signature page. The signature page should appear with the policy, not in a separate file.
- Cover letter or executive summary. One page summarizing scope, frequency and key metrics, even if your platform exports a longer document. The cover supports the broker's submission narrative.
Cross-framework evidence reuse
Most of the documentation in this checklist is also exactly what SOC 2, ISO 27001, NIST CSF, HIPAA and PCI DSS auditors request. Programs that use those framework requirements as a baseline produce evidence that the cyber insurance market increasingly aligns with. Our companion guides on what cyber insurers ask about phishing training and how the phishing training discount works cover the parallel questions on the underwriting side.
Where Bait & Phish fits
Bait & Phish has been running phishing simulation and security awareness training programs since 2010, and the platform's reporting was built around the questions auditors and underwriters actually ask. The single-PDF export covers the eight core artifacts above, and SMS phishing, voice phishing and AI-generated email templates feed into the same report alongside traditional email simulations.
If your renewal is approaching and you want to see the export format in your own environment, the free trial covers up to 25 users with no credit card. Pricing for production deployments is on the pricing page, and the team can walk through audit-ready report packaging with your broker or compliance lead - start at the contact page. For broader context, the blog index covers compliance and insurance topics in depth.
This post is informational and does not constitute insurance, legal or compliance advice. Carrier and assessor expectations vary; consult your broker and qualified counsel for guidance specific to your situation.