For many companies, especially those in highly regulated industries such as financial services and healthcare, ensuring compliance with a growing number of government and industry regulations can be a nuisance and a drain on already strained resources.
The costs of not complying can be extremely steep, however. Recent research indicates that failure to comply has become more costly than ever for organizations, far exceeding the costs of compliance. In other words, it makes good business sense to ensure compliance with all relevant regulations.
According to a recent report by the research firm Ponemon Institute and the security company GlobalScape, the annual cost of non-compliance to businesses now averages $14.8 million, a 45% increase since 2011. The range runs from $2.2 million to $39.2 million. The cost of compliance, on the other hand, was found to average $5.5 million, up 43% from 2011.
Non-compliance costs 2.71 times the cost of maintaining or meeting compliance requirements. The non-compliance costs come from the expenses associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.
As part of the study, “The True Cost of Compliance with Data Protection Regulations,” the two companies examined a representative sample of 53 multinational organizations based in the United States. An earlier study was completed in 2011, and its findings are compared with the more recent results.
The research covers compliance with industry and government regulatory mandates such as global privacy, data integrity, data loss and credit cardholder protection, as well as self-enforced regulatory frameworks such as those published by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).
Ponemon Institute said it obtained information about each organization’s data compliance costs using an activity-based costing method and a proprietary diagnostic interviewing technique involving 237 functional leaders. This research captured information about direct and indirect costs associated with compliance activities during a 12-month period. Ponemon defines a compliance activity as one that organizations use to meet the specific rules, regulations, standards, policies, and contracts that are intended to protect information assets.
The benchmarking efforts also captured the direct, indirect, and opportunity costs associated with non-compliance events during a 12-month period. Ponemon defines non-compliance cost as the cost that results when a company fails to comply with rules, regulations, policies, contracts, and other legal obligations.
Companies are not spending enough on maintaining or meeting compliance, as spending only accounts for an average of 14% of the IT department’s budget, according to the report. To meet compliance mandates, organizations employ a number of methods that can factor into the total costs. These might include administration overhead, consultant services, training, and communication and technology, among others. Data security has the highest average compliance cost for organizations, at $2 million a year.
Organizations annually spend about $1.3 million on compliance-related platforms, $1 million on incident response, and $750,000 on audit and assessments. This investment does ultimately pay off, according to the survey results, as companies conducting regular audits had a reduced overall compliance cost. More than two audits a year can significantly reduce this cost. Companies might find themselves paying $14 million if they run more than two audits, compared with $27 million for one or two audits a year.
The cost of compliance can vary by industry. For example, media organizations average $7.7 million annually to comply with regulations and policies, while financial services companies face more than $30.9 million annually in compliance costs. These costs vary widely based on the amount of sensitive or confidential information a particular industry handles and is required to secure.
A large majority of the organizations (90%) think compliance with the upcoming General Data Protection Regulation (GDPR) will be difficult to achieve, even though enforcement of the rules does not begin until May 25, 2018. Respondents consider GDPR the most challenging of the data compliance regulations surveyed, ahead of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Federal Information Security Management Act (FISMA).
More than half (55%) think the Payment Card Industry Data Security Standard (PCI-DSS) is a challenge, the second highest among all regulations.
Data protection regulations are increasingly complex in nature, the study notes, due to the increased value and sensitivity of personal or proprietary data. As data becomes more valuable, the risk of data breaches, data loss, cyber attacks or insider threats becomes an urgent issue. The enforcement of regulations such as GDPR demonstrates the new era of complex policies developed to protect data at an individual level from increasingly sophisticated cyber attacks, the report says.
More data protection regulations and frameworks along the lines of GDPR are expected to be developed and implemented in other parts of the world, including China and Australia.