The True Cost of Non-Compliance

Violating the GDPR can incur significant penalties. In January 2021, the total reported fines more than doubled to $332 Million. The goal, of course, is to ensure businesses take compliance seriously — rather than ignoring it or writing off the expense as a cost of doing business.

Here’s how it breaks down:

• There are two tiers of GDPR fines, with lowest tier fines up to $11.03 Million or two percent of the company’s annual revenue, whichever is greater.
• Higher tier fines are up to $22.07 Million or four percent of the company’s annual revenue, whichever is greater.

The different tiers are based on how egregious the disclosure is and the types of compromised data.

Regulatory Fines Continue to Grow

Since the turn of the century, various corporate breaches, accounting fraud, and privacy violations have generated a long list of new regulations, including Sarbanes-Oxley (SOX), PCI-DSS, HIPAA, JSOX, UK SOX, GDPR, NERC-CIP, FedRAMP, and others. In 2002, following corporate fraud scandals at Enron, SOX regulations targeted information technology general controls (ITGCs) specifically aimed at access. These regulatory initiatives place the onus on organizations to proactively comply. Violating any of these regulations is costly, and there is a solid track record of enforcement. Here are some recent data points to consider: 

• In 2020 alone, banks were fined $14.2 Billion for non-compliance, with the United States accounting for 78% of issued fines.
• In August 2020, consumer credit reporting agency Equifax paid $575 Million in penalties and settlement costs for poor data security. 
• JP Morgan was fined $125 Million in 2021 for failing to implement compliance controls.
  
  

The principles of least privilege, Separation of Duties (SoD) controls — and now steamrolling towards Zero Trust controls — are the lowest common denominators for all of the various regulatory initiatives that companies must comply with today. You’d be hard-pressed to find one that doesn’t require adequate controls around access. Effective management starts with getting your arms around who has access to what and the risk that comes with that access. 

Healthcare Non-Compliance Costs Can Be Sickening

The Health Insurance Portability and Accountability Act (HIPAA) guarantees patients access to their data and limits who can see it — protecting patient privacy in the process. These privacy limitations are augmented with security as they restrict the dissemination of the patient’s data to non-providers.

Failure to ensure HIPAA compliance is costly to healthcare organizations, with significant fines and costs for remediation.

• In 2018 Anthem was assessed a $16 Million fine for multiple violations.
• Individual penalties for HIPAA violations are up to $50,000 per violation.
• In 2021, the average breach costs for healthcare organizations increased by 29.5% to $9.32 Million. 

Ineffective Compliance is as Costly as Non-Compliance

Even when companies have controls in place, highly complex application ecosystems can put an immense strain on personnel and can hinder an organization’s ability to stay ahead of threats or be compliant. 

As the number of platforms and resources keeps growing, automated controls that reduce the burden of manual controls on the business are a must. Otherwise, security professionals have to spend their days manually testing and monitoring for misconfigurations, inappropriate access, and SoD violations. The stakes are high — organizations with a high level of system complexity faced an average breach cost that was $2.15 Million higher than those with low levels of complexity. 

Maintaining Compliance Pays Off

Your organization will find that the cost of maintaining compliance is far easier to bear than the expense of dealing with non-compliance issues. Not only can organizations avoid costly fines and reputation damage, but by creating a solid compliance program, they can avoid future security incidents. 

When implementing compliance initiatives, it’s worth noting that larger organizations benefit from economies of scale. In comparison, smaller organizations can expect to spend more per person to achieve the same level of compliance. Enterprises may spend more as a whole, but per employee, the savings are dramatic.

• Organizations with over 5000 employees spend $700 per person.
• Smaller organizations spend $2000 per person.
• Organizations save 2.71 times what they spend by implementing compliance programs.

Taking Control and Practicing Continuous Compliance

As the saying goes, “the best offense is a good defense.” Being proactive in your compliance program goes a long way. Your organization will realize significant cost savings by implementing compliance programs before violations occur. Not only will you avoid hefty penalties and productivity slowdowns to remediate findings, but you’ll also avoid one of the top drivers of reputation risk. Here are four steps to take control of your compliance program:

1. Implement an Identity Governance and Administration (IGA) solution to manage access throughout your IT ecosystem. 
2. Identify and remediate potential or actual access violations before they damage compliance with Application Access Governance (AAG) controls.
3. Apply risk-based controls based on applicable control frameworks to meet compliance requirements. 
4. Track the application of these controls. Organizations can show evidence of continuous compliance and streamline audit processes.