This article was updated with fresh statistics in August 2023.
Data security compliance is beginning to be understood as one of the foundational elements of a successful business. The demand for compliance officers, IT security professionals, and data protection officers is growing, spending on compliance programs is increasing, and businesses are treating compliance as a key part of their overall strategy.
Some compliance professionals are still struggling to secure the resources and personnel needed to build a robust and proactive compliance program. Getting executive buy-in and changing processes to address compliance risks are still very real struggles for compliance teams. Communicating the importance of a compliance program can be difficult, especially when you’re working with startup founders who see their businesses as too small to be at risk or executives whose businesses haven’t been affected by a major data breach yet.
We’ve compiled a list of 50-plus important compliance statistics that you can cite to educate your leadership team and other key business stakeholders about the importance of compliance. These statistics will also help you as you build out your own compliance program and begin planning for 2020.
Individually, these statistics speak to the importance of compliance, the risks associated with data breaches, the cost of non-compliance, and trends in compliance and cybersecurity. As a group, they paint a picture of what businesses should focus on to continue growing and thriving in today’s complex environment.
The cost of compliance
- The estimate for regulatory compliance and economic effects of federal intervention is $1.9 trillion annually. If the cost of federal regulations were a country, it would be the 9th largest, behind India and just ahead of Canada.
- Businesses in the U.S. on average spent $10,000 per employee on regulatory costs
- The average compliance cost for organizations across all industries worldwide is $5.47 million
- The financial services industry has some of the highest compliance costs, with the average cost of compliance equalling $30.9 million
- Companies spend the most on specialized technology, with incident response and audits and assessments coming in second and third
- GDPR is considered the most difficult framework for businesses to achieve compliance with
- Most companies conduct one or more compliance audits each year
- It pays to invest in compliance: spending more on compliance activities, such as audits, enabling technologies, training and expert staffing, costs less than being in non-compliance with data protection regulations.
The cost of non-compliance
- Non-compliance costs businesses on average $4,005,116 in revenue losses
- Non-compliance costs more than twice the cost of maintaining compliance
- Spending on incident response has almost doubled since 2011
- Incident response costs businesses an average of $1 million
- Business disruption is the most costly consequence of non-compliance, with businesses losing $5,107,206 on average
- Fines and penalties are the least costly consequences of a data breach
- A recent study found that for companies trading on the NASDAQ that experienced a data breach, their share price was an average of 13% lower than the Index three years after the incident.
- Between January 2019 and July 2019, 3,813 data breaches were reported, exposing over 4.1 billion records
- 3.2 billion of the 4.1 billion records exposed in the first six months of 2019 were exposed by just eight breaches
- Compared to 2018, midyear reports of data breaches in 2019 went up 54%
- 2019 saw three of the ten largest data breaches of all time
- The majority of breaches exposed less than 10,000 records, showing that no business is too small to be the target of a breach
- The average data breach costs a business $3.86 million
- The average cost per lost or stolen record in a data breach is $148
- Companies that identified a data breach in less than 100 days saved as much as $1 million compared with companies that took more than 100 days to identify a breach
- 48% of data breaches are caused by hackers and criminal insiders
- Businesses that lost less than 1% of their customers as a result of a data breach lost on average $2.8 million; those that lost 4% or more of their customers lost $6 million
Leading causes of data breaches
- Osano reported that hackers were responsible for the highest number of data breaches, and hacker-caused data breaches on average exposed 17 times more records than other breach types (unintended internet disclosure, unintended physical disclosure, inside jobs).
- Many companies fail to understand the complex ways their data is used by their vendors. A study from Cisco reveals that the average company shares its data with 730 different vendors and third parties.
- The Internal Auditors Research Foundation found that third-party vendors were responsible for two out of every three data breaches.
- The 2019 Internet Threat Report from Symantec found that 70 million data records were stolen or leaked in 2018 due to poorly configured AWS S3 cloud storage buckets.
- Lax data access practices are a key reason that so much sensitive data is left exposed. The 2019 Global Data Risk Report from Varonis found that 53% of organizations leave 1,000 or more files with sensitive data open to all employees, whether the employees actually need access to the data or not.
The link between privacy practices and data breaches
Osano, a leading data privacy platform, found a direct relationship between an organization’s privacy practices and its likelihood of experiencing a data breach. Osano’s team evaluated the data privacy practices of more than 11,000 websites by analyzing each site’s privacy notice. Incorporating over 160 factors, the Osano team developed Osano Privacy Scores for each company. This study, released in 2020, revealed the following facts:
- Approximately 2.77% of companies reported a data breach over the past fifteen years.
- Companies with the least rigorous privacy practices are nearly twice as likely to suffer a data breach as companies with excellent data stewardship.
- Companies with the least rigorous privacy practices lose seven times the number of data records when they are breached.
- Companies in the bottom 25% of Osano Privacy Scores lost, on average, 53.4 million records during a data breach.
- For organizations that weren’t in the bottom quartile of Privacy Scores, each data breach resulted in an average loss of 7.7 million records.
Compliance and security technology
- Data breaches cost, on average, $1.55 million less for companies that have fully deployed automated security technology than for businesses that have not deployed automated security
- Businesses spend, on average, $1.34 million on specialized compliance or security technology
- Companies that enabled compliance technology saved an average of $1.45 million in compliance costs
- Of organizations that are currently using Governance, Risk, and Compliance (GRC) technology, 61% of them plan to increase their spending on GRC platforms in the next three years
- Only 69% of businesses are utilizing technology to support their compliance programs
- Only 18% of organizations have automated processes for IT risk data collection and reporting, despite it being the most effective way to mitigate risk
- Appointing a C-level compliance leader saves businesses $1.25 million in compliance costs on average
- Having a dedicated incident response team saves businesses an average of $14 per record lost or stolen
Twelve best practices that reduce total compliance costs
A survey conducted by Globalscape and the Ponemon Institute identified twelve best practices that reduce compliance costs. While many of these practices require an investment up front, that investment will pay off and ultimately save your business money. If your management team, compliance team, and IT department are willing to apply these practices consistently, you can potentially save your company millions of dollars:
- A centralized data governance program saved the businesses surveyed an average of $3.01 million.
- Regular compliance audits saved businesses $2.86 million on average.
- A corporate data security training program saved businesses an average of $2.54 million.
- Hiring and utilizing in-house legal expertise saved businesses $2.27 million on average.
- Integrating data security with their security and privacy functions saved businesses $2.03 million on average.
- Developing a formal incident response process saved businesses an average of $1.89 million.
- Enabling governance, risk, and compliance technologies saved businesses $1.43 million on average.
- Appointing a C-level compliance leader to make decisions and lead company-wide compliance efforts saved businesses an average of $1.25 million.
- CEO and board-level reporting on compliance efforts and issues saved businesses $1.08 million on average.
- Implementing regulatory monitoring to ensure they were keeping up with regulatory changes saved businesses $1.03 million on average.
- Program certifications saved businesses $820,000 on average.
- Putting a formal compliance charter in place saved businesses $520,000 on average.
These changes, and the savings that come with them, won’t happen overnight, but with a concerted effort, you’ll be able to save your company from having to suffer the high costs of non-compliance.
Using these compliance statistics to move forward
The compliance landscape is constantly changing, and developing a compliance program that can adapt to those changes is one of the key challenges compliance professionals are facing. Understanding where other companies are struggling, and where they are succeeding, will help you be better prepared to avoid security breaches and other regulatory infractions. Using the statistics we’ve provided, you can determine where your compliance program may be lacking compared with others and develop a plan for shoring up your program to meet the challenges of the coming year.