Cost, and concerns, of cybersecurity non-compliance grow
The cost of non-compliance with government cybersecurity regulations has significantly increased over the past few years, and the issue could grow more serious, according to a recent report by research firm Ponemon Institute and security company GlobalScape Inc.
For the report, the companies surveyed 53 multinational organizations located in the U.S. and found that the average cost of compliance increased 43 percent from a similar 2011 survey, totaling around $5.47 million annually. By contrast, the average cost of non-compliance increased 45 percent from 2011 and adds up to $14.82 million annually.
A large majority of organizations (90 percent) think compliance with the upcoming General Data Protection Regulation (GDPR) would be difficult to achieve. Respondents consider GDPR the most challenging of the data compliance regulations, ahead of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Federal Information Security Management Act (FISMA).
Non-compliance costs 2.71 times the cost of maintaining or meeting compliance requirements, the report said. Non-compliance costs come from the costs associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.
The cost of compliance varies by industry, with media organizations averaging $7.7 million annually to comply with regulations and policies, while financial services companies face more than $30.9 million annually in compliance costs. These costs vary widely based on the amount of sensitive or confidential information a particular industry handles and is required to secure.
“The findings from both the 2011 and 2017 studies provide strong evidence that it pays to invest in compliance,” said Larry Ponemon, chairman and founder at Ponemon Institute. “With the passage of more data protection regulations that can result in costly penalties and fines, it makes good business sense to allocate resources to such activities as audits and assessments, enabling technologies, training and in-house expertise.”