Compliance Stats Every CISO Should Know
Failing to meet regulatory compliance standards costs organizations billions — and the financial impacts continue to rise.
The fallout isn't just fines and sanctions. It's the real damage caused by business disruption and lost productivity. By taking a continuous compliance approach, your organization can avoid these costs, improve information security, and strengthen data privacy.
Let’s look at how different regulations can impact your business and how you can address compliance before it becomes a problem.
What is the True Cost of Non-Compliance?
The potential costs of non-compliance are staggering and extend far beyond fines. For starters, organizations lose an average of $5.87 Million in revenue from a single non-compliance event. But this is only the tip of the iceberg, because the financial impact goes far beyond the fine itself. To understand the true cost of a non-compliance event, you have to add the hidden costs that come from business disruption and damage to your company's reputation.
The total cost of non-compliance exceeds $14 Million and comes from:
- Fines, penalties, and other fees
- Business disruption
- Revenue loss
- Productivity loss
- Reputation damage
Reputation damage is harder to measure, but its impact is just as significant. Deloitte ranks security as one of the top drivers of reputation risk. Concerns about how your business protects data can show up as lost customers, lost prospects, and sometimes lost partners. According to a 2021 IBM report, lost business due to downtime or diminished reputation accounts for 38% of the overall cost of a breach.
Breaking Down the Consequences of Non-Compliance
The International Price is High
The General Data Protection Regulation (GDPR) is a personal data privacy regulation from Europe, created to protect the privacy of individuals in the European Union regardless of their citizenship. The European Union passed it in response to corporate abuses in the sale and disclosure of user information for marketing and research.
Violating the GDPR can incur significant penalties. As of January 2021, total reported GDPR fines had more than doubled, to $332 Million. The goal, of course, is to make businesses take compliance seriously rather than ignoring it or writing off the expense as a cost of doing business.
Here’s how it breaks down:
- There are two tiers of GDPR fines. Lower tier fines run up to $11.03 Million (the regulation states the cap as €10 Million) or two percent of the company's worldwide annual turnover for the preceding financial year, whichever is greater.
- Higher tier fines run up to $22.07 Million (€20 Million in the regulation) or four percent of worldwide annual turnover, whichever is greater. Because the percentage applies to the whole group's global revenue, not the revenue of the offending subsidiary, the cap for a large enterprise is far above the fixed amount.
Regulatory Fines Continue to Grow
Since the turn of the century, a series of corporate breaches, accounting frauds, and privacy violations has generated a long list of new regulations, including Sarbanes-Oxley (SOX), PCI-DSS, HIPAA, JSOX, UK SOX, GDPR, NERC-CIP, FedRAMP, and others. SOX, passed in 2002 after the Enron and related corporate fraud scandals, requires internal controls over financial reporting; in practice, auditors test the information technology general controls (ITGCs) behind those reports, especially the controls governing who can access and change financial systems. These regulatory initiatives place the onus on organizations to comply proactively. Violating any of them is costly, and there is a solid track record of enforcement. Here are some recent data points to consider:
- In 2020 alone, banks were fined $14.2 Billion for non-compliance, with the United States accounting for 78% of issued fines.
- In August 2020, consumer credit reporting agency Equifax paid $575 Million in penalties and settlement costs for poor data security.
- JP Morgan was fined $125 Million in 2021 for failing to preserve employee business communications sent over personal devices, a recordkeeping and supervision failure that its compliance controls did not catch.
The principle of least privilege and Separation of Duties (SoD) controls, now extended by Zero Trust architectures, are the common denominator of the regulatory initiatives companies must comply with today. You would be hard-pressed to find one that does not require adequate controls around access. Effective management starts with knowing who has access to what, and what risk that access carries.
Healthcare Non-Compliance Costs Can Be Sickening
The Health Insurance Portability and Accountability Act (HIPAA) guarantees patients access to their own health records and limits who else can see them. Its Privacy Rule restricts how protected health information (PHI) may be used and disclosed, and its Security Rule requires administrative, physical, and technical safeguards for PHI held electronically, so that patient data cannot be disseminated beyond the providers and other parties with a legitimate need.
Failure to ensure HIPAA compliance is costly to healthcare organizations, with significant fines and costs for remediation.
- In 2018 Anthem was assessed a $16 Million fine for multiple violations.
- Individual penalties for HIPAA violations run up to $50,000 per violation, subject to an annual cap of $1.5 Million for repeated violations of the same provision (both figures are adjusted for inflation).
- In 2021, the average breach costs for healthcare organizations increased by 29.5% to $9.32 Million.
Ineffective Compliance is as Costly as Non-Compliance
Even when companies have controls in place, a highly complex application ecosystem puts an immense strain on personnel and hinders an organization's ability to stay ahead of threats and remain compliant.
As the number of platforms and resources keeps growing, automated controls that take the burden of manual checks off the business become a must. Otherwise, security professionals spend their days manually testing and monitoring for misconfigurations, inappropriate access, and SoD violations, and the checks run only as often as someone has time to run them. The stakes are high: organizations with a high level of system complexity faced an average breach cost that was $2.15 Million higher than those with low complexity.
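To make the automated-control idea concrete, here is a small access-risk check of the kind an Application Access Governance tool runs continuously. It is an added example written for this page, not code from any product mentioned here. The users, applications, roles, SoD ruleset, privileged-role list and 90-day dormancy threshold are all constructed for illustration; a real deployment would read the entitlement snapshot from the IGA system and the ruleset from the control framework in force.

```python
"""Separation-of-duties and dormant-privilege checks over an entitlement snapshot.

Given who holds which roles across applications, report:
  * users holding a toxic combination of roles (an SoD violation), and
  * privileged roles that have not been used within the dormancy window.
All data below is constructed sample data, not taken from a real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed entitlement snapshot: (user, application, role, last_login).
ENTITLEMENTS = [
    ("alice", "erp", "vendor_create", date(2024, 5, 1)),
    ("alice", "erp", "invoice_approve", date(2024, 5, 1)),
    ("bob", "erp", "vendor_create", date(2024, 4, 20)),
    ("bob", "payroll", "payroll_admin", date(2023, 9, 3)),
    ("carol", "erp", "invoice_approve", date(2024, 5, 2)),
    ("carol", "iam", "role_admin", date(2024, 5, 2)),
    ("dave", "iam", "role_admin", date(2023, 6, 11)),
]

# Hypothetical SoD ruleset: (rule id, (app, role), (app, role), severity).
# One person holding both sides of a pair can, for example, create a vendor
# and then approve payments to it, so the pair must not be held together.
SOD_RULES = [
    ("R1", ("erp", "vendor_create"), ("erp", "invoice_approve"), "high"),
    ("R2", ("erp", "vendor_create"), ("payroll", "payroll_admin"), "medium"),
    ("R3", ("iam", "role_admin"), ("erp", "invoice_approve"), "high"),
]

# Hypothetical list of roles treated as privileged, and the dormancy window.
PRIVILEGED = {("iam", "role_admin"), ("payroll", "payroll_admin")}
DORMANT_DAYS = 90
AS_OF = date(2024, 5, 15)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str       # "sod" or "dormant_privileged"
    rule: str       # SoD rule id, or "app:role" for dormancy findings
    severity: str
    detail: str


def access_by_user(entitlements):
    """Map each user to the set of (application, role) pairs they hold."""
    held = defaultdict(set)
    for user, app, role, _last_login in entitlements:
        held[user].add((app, role))
    return held


def find_sod_violations(entitlements, rules=SOD_RULES):
    """Return one Finding per (user, rule) where the user holds both sides."""
    findings = []
    held = access_by_user(entitlements)
    for user in sorted(held):
        for rule_id, left, right, severity in rules:
            if left in held[user] and right in held[user]:
                findings.append(Finding(
                    user, "sod", rule_id, severity,
                    f"holds both {left[0]}:{left[1]} and {right[0]}:{right[1]}"))
    return findings


def find_dormant_privileged(entitlements, today,
                            privileged=PRIVILEGED, dormant_days=DORMANT_DAYS):
    """Return one Finding per privileged role unused for more than dormant_days."""
    findings = []
    for user, app, role, last_login in entitlements:
        idle = (today - last_login).days
        if (app, role) in privileged and idle > dormant_days:
            findings.append(Finding(
                user, "dormant_privileged", f"{app}:{role}", "medium",
                f"privileged role unused for {idle} days"))
    return findings


def run_checks(entitlements, today):
    """Run every control and return the combined list of findings."""
    return (find_sod_violations(entitlements)
            + find_dormant_privileged(entitlements, today))


if __name__ == "__main__":
    for f in run_checks(ENTITLEMENTS, AS_OF):
        print(f"[{f.severity:6}] {f.user:6} {f.kind:18} {f.rule:20} {f.detail}")
```

Run on the sample data, the checks flag alice (R1), bob (R2) and carol (R3) as SoD violations and bob's and dave's privileged roles as dormant. Scheduling this against a nightly entitlement export, and keeping each run's output, is what turns a point-in-time audit finding into the continuous evidence trail auditors ask for.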
Maintaining Compliance Pays Off
Your organization will find that the cost of maintaining compliance is far easier to bear than the expense of dealing with non-compliance. A solid compliance program not only avoids costly fines and reputation damage but also prevents many future security incidents, because the same access controls that satisfy auditors also limit what an attacker or a careless insider can reach.
When budgeting for compliance initiatives, note that larger organizations benefit from economies of scale: enterprises spend more in total, but far less per employee, while smaller organizations pay more per person to reach the same level of compliance.
- Organizations with over 5000 employees spend $700 per person.
- Smaller organizations spend $2000 per person.
- Organizations save 2.71 times what they spend by implementing compliance programs.
Taking Control and Practicing Continuous Compliance
As the saying goes, "the best offense is a good defense." Being proactive in your compliance program goes a long way. Your organization will realize significant cost savings by implementing compliance controls before violations occur. Not only will you avoid hefty penalties and the productivity lost to remediating findings, but you will also avoid one of the top drivers of reputation risk. Here are four steps to take control of your compliance program:
- Implement an Identity Governance and Administration (IGA) solution to manage access throughout your IT ecosystem.
- Identify and remediate potential or actual access violations before they damage compliance with Application Access Governance (AAG) controls.
- Apply risk-based controls based on applicable control frameworks to meet compliance requirements.
- Track the application of these controls so you can show evidence of continuous compliance and streamline audits.