Non-Compliance Costs Far More Than Strict Compliance


Non-compliance costs organizations almost three times as much as compliance with information security regulations and standards, according to a new study by the Ponemon Institute and Tripwire.

Based on a survey of 160 businesspeople at 46 multinational companies in a range of industries, the True Cost of Noncompliance report found that compliance with regulations and standards, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the PCI Data Security Standard (PCI DSS), costs companies $3.5 million, while non-compliance costs a total of $9.4 million.

Non-compliance costs are broken down into four areas: fines and penalties, revenue loss, data breach costs, and lost productivity costs, explained Rekha Shenoy, vice president of strategy at Tripwire.

“Companies are not investing enough in compliance” with data protection regulations, Shenoy told Infosecurity.

Data protection and enforcement activities ranked among the most expensive compliance activities, and business disruption and loss of productivity were found to be the most significant expenses for companies that did not achieve or maintain compliance.

Total cost of compliance varies by industry, ranging from $6.8 million for education and research to more than $24 million for the energy sector. The gap between compliance and non-compliance costs also varies by industry, with energy showing the smallest difference ($2 million) and technology the largest ($9.4 million).

While security effectiveness was not correlated with total compliance cost, organizations that devoted a higher share of their overall IT budget to compliance incurred lower non-compliance costs, which the study took as evidence that investment in compliance reduces the negative consequences and costs associated with non-compliance.

“Having good security actually helps you in lowering your non-compliance costs”, Shenoy observed. “Everyone is spending more money on compliance, but the ones that are getting more secure actually do reap business benefits and save the company money in the context of non-compliance costs. We thought this was really important, especially for [chief information officers, chief information security officers], and other security champions who are trying to prove to the business that investing in security is good for the company.”

The report also found that 28% of those surveyed did not conduct internal compliance audits, and only 11% conducted more than five internal audits each year. Organizations that conducted three to five internal compliance audits each year had the lowest per capita compliance cost ($154), while those that conducted no internal audits had the highest ($341).

“For those who do not do internal audits, the total cost of compliance is higher. They are likely doing manual work to get to ‘check-box’ compliance… They are doing the bare minimum and, when the external audit is over, they are back to business as usual and their systems are no longer in a compliance state, which makes them just as vulnerable as they were before the audit, so the cost of compliance is high”, Shenoy said.

The report recommended that organizations employ a combination of compliance activities related to process, people and technology to limit risks. By investing resources in compliance activities, businesses can avoid falling victim to consequences such as cyber fraud, business disruption, and data and revenue loss, the report concluded.