Regulatory Compliance Costs: It Pays To Be Secure
4:00 PM EST Tue. May. 03, 2011
Sometimes it pays to be cautious.
That finding was revealed in a collaborative study, The True Cost Of Compliance, conducted by the Ponemon Institute and security company Tripwire, incorporating extensive conversations with 160 business leaders across 46 multinational companies in various vertical markets.
Many organizations are facing the daunting task of meeting regulatory compliance requirements under evolving and increasingly stringent laws and policies, while budgeting for the new, sophisticated technologies needed to do so. But while the endeavor is often time-consuming and expensive, the compliance costs are nothing compared to the harm an organization could suffer if a data breach were to occur from non-compliance.
These and other findings are included in the following slides.
Overall, the Ponemon study identified six areas of compliance costs associated with protecting data. By far the biggest expense for organizations was in the area of adopting new technology, costing on average around $1.03 million per company.
On a per-company basis, technology costs were followed by expenses around remediation, averaging $775,000, compliance monitoring at $636,000 and program management at $441,000. The areas of communications and policy came in last, averaging $343,000 and $297,000, respectively.
Meanwhile, the study illuminated four vital costs of non-compliance associated with protecting data, significantly affecting an organization's bottom line.
The biggest non-compliance cost was due to overall business disruption, which averaged $3.3 million, followed by employee productivity loss at $2.4 million, possibly attributed to employees using company time to peruse Facebook or YouTube or shop online, for example. Other costs were related to company revenue loss, at $2.2 million, followed by fines, penalties and other costs, which altogether averaged about $1.4 million.
One of the biggest revelations in the study was that the cost of non-compliance tended to far outweigh the expense of investing in compliance technologies and activities. When compounded, non-compliance costs added up to almost $9.3 million compared to compliance costs that totaled around $3.5 million, representing a difference of about $5.8 million.
Perhaps not surprisingly, the nature of the industry and the size of the organization affected the resulting costs of both compliance and non-compliance. Determined from a pool of 46 benchmarked organizations, those with more than 75,000 employees incurred the highest expenses, averaging around $17.82 million for non-compliance and $9.85 million for compliance costs. The smallest organizations, those with fewer than 1,000 employees, averaged around $2.02 million for non-compliance and $530,000 for compliance costs.
Interestingly, the study found that the smaller the gap between compliance and non-compliance costs, the lower the occurrence of compromised records for an organization.
Perhaps as expected, secure organizations indicated by a higher security effectiveness score -- typically those that have invested in adequate security infrastructure -- reaped the rewards by experiencing lower non-compliance costs.
In the same way that regular visits to the doctor help with prevention and early detection of diseases, ongoing audits were found to reduce the total cost of compliance. Why? More than likely because regularly scheduled assessments were able to more rapidly detect threats on the network, enabling IT administrators to effectively eradicate them and shore up security vulnerabilities.
According to the Ponemon study, per-capita non-compliance costs appeared to be inversely related to the frequency of compliance audits. And the reverse appeared to be true as well -- companies that failed to conduct regular compliance audits in general experienced higher compliance costs.
According to the Ponemon study, 86 percent of organizations deemed the Payment Card Industry Data Security Standard (PCI DSS) the most important compliance regulation, while almost half (47 percent) viewed it as the most difficult to comply with.
Organizations ranked individual U.S. state data breach laws -- effective in 46 states -- second in terms of importance, followed by the federal Sarbanes-Oxley, the EU Privacy Directive and the health-care industry's HIPAA, regulating the disclosure of health-related information.
Those same regulations were given the same order in terms of difficulty to achieve, with PCI DSS being perceived as the most difficult, followed by state data breach laws, Sarbanes-Oxley, the EU Privacy Directive and HIPAA.