GlobalSCAPE, Inc. and Ponemon Study Finds Data Protection Non-Compliance Expenses Up 45 Percent, Costing an Average $14 Million
GlobalSCAPE, Inc. (NYSE American: GSB), a worldwide leader in the secure movement and integration of data, and the Ponemon Institute released the results of a new study analyzing the cost of complying and not complying with industry or government data protection regulations. According to the report, the cost of non-compliance has significantly increased over the past few years, and the issue could grow more serious. A vast majority of organizations (90 percent) believe that compliance with the upcoming General Data Protection Regulation (GDPR) would be difficult to achieve. GDPR is considered by respondents to be the most challenging among other data compliance regulations such as Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and Federal Information Security Management Act (FISMA).
The new report, “The True Cost of Compliance with Data Protection Regulations,” looks at the economic effects of organizations’ compliance activities, including people, processes and technologies. Within this study, compliance covers industry and government regulatory mandates such as global privacy, data integrity, data loss and credit cardholder protection, as well as self-enforced regulatory frameworks like International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), etc.
Key findings from the report include:
- The average cost of compliance increased 43 percent from 2011, and totals around $5.47 million annually. However, the average cost of non-compliance increased 45 percent from 2011, and adds up to $14.82 million annually.(1)
- Non-compliance costs 2.71 times the cost of maintaining or meeting compliance requirements. Non-compliance costs come from the costs associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.
- The cost of compliance can vary by industry: media organizations average $7.7 million annually to comply with regulations and policies, while financial services companies face more than $30.9 million annually in compliance costs. These costs widely vary based on the amount of sensitive or confidential information a particular industry handles and is required to secure.
- Among the individual regulations, survey respondents found that GDPR is the most difficult to achieve compliance, even though enforcement for GDPR doesn’t start until May 25, 2018. 90 percent of respondents felt that GDPR would be difficult, while only 55 percent felt that the Payment Card Industry Data Security Standard (PCI-DSS) was a challenge, the second highest amongst all regulations.
- Companies are not spending enough on maintaining or meeting compliance, as it only accounts for an average of 14.3 percent of the IT department’s budget.
Data protection regulations are increasingly complex in nature, due to the increased value and sensitivity of personal or proprietary data. As data becomes more valuable, the risk of data breaches, data loss, cyberattacks or insider threats becomes a grave and urgent issue. The enforcement of regulations like GDPR demonstrates the new era of complex policies developed to protect data at an individual level from increasingly sophisticated cyberattacks. More data protection regulations and frameworks like the EU’s GDPR are expected to be developed and implemented from other areas of the world, including China and Australia.
Source of Compliance Costs
To meet compliance mandates, organizations employ a number of methods that can factor into the total cost. These could include administration overhead, consultant services, training, and communication and technology, among others. Data security has the highest average compliance cost for organizations, averaging $2 million a year.
When looking at the top three technologies already in use to maintain compliance, of the companies surveyed, organizations annually spend around $1.34 million on compliance-related platforms, $1 million on incident response, and $750,000 on audit and assessments. This investment does ultimately pay off, according to the results, as companies conducting regular audits had a reduced overall compliance cost. More than two audits a year can significantly reduce this cost: companies might find themselves paying $14 million if they run more than two audits versus $27 million for one or two audits a year.
Breaking Down Non-Compliance Expenses
The report also shows that companies are not spending nearly enough on compliance, and therefore the costs associated with non-compliance are 2.71 times higher. While the average annual cost of non-compliance is $14.82 million, the range could be anywhere from $2.2 million to $39.22 million.
An organization’s security posture can also vastly increase or decrease the cost of compliance or non-compliance. Even established regulations such as HIPAA or PCI-DSS now include requirements specific to data security or data breach responses. Organizations that do not have an effective or strong security ecosystem in place face up to an average of $25 million in annual costs to meet compliance.
Organizations that implement centralized data governance also stand to save the most, as they could reduce their compliance costs by $3 million.
Dr. Larry Ponemon, Chairman and Founder at Ponemon Institute
“The findings from both the 2011 and 2017 studies provide strong evidence that it pays to invest in compliance. With the passage of more data protection regulations that can result in costly penalties and fines, it makes good business sense to allocate resources to such activities as audits and assessments, enabling technologies, training and in-house expertise.”
Peter Merkulov, Chief Technology Officer at Globalscape
“It’s not surprising that the overall cost of compliance has risen so drastically over the past six years. Data is a precious commodity for individual consumers and multinational organizations alike. And the threat posed by cyberattacks is only growing exponentially. Understanding where your data travels, resides, and how to best protect it is no longer an option for companies, especially as their businesses’ livelihood is also at stake. Organizations have a responsibility to their customers, partners and vendors to protect data, which also means being constantly vigilant with compliance mandates or regulations such as GDPR or PCI DSS. Whether that protection comes as a result of investment in technologies like data loss prevention, managed file transfer, data classification, or governance, risk, and compliance solutions, or better enforcement of current data protection policies, the risks and reward from a cost perspective is pretty clear.”
Ponemon Institute and Globalscape conducted “The True Cost of Compliance with Data Protection Regulations” to determine the full economic impact of compliance activities for a representative sample of 53 multinational organizations. An earlier study was completed in 2011 and those findings are compared to this year’s results.
The key findings are based on the benchmark analysis of 53 multinational organizations located in the United States. Ponemon Institute obtained information about each organization’s data compliance costs using an activity-based costing method and a proprietary diagnostic interviewing technique involving 237 functional leaders. These research methods captured information about direct and indirect costs associated with compliance activities during a 12-month period. Ponemon defines a compliance activity as one that organizations use to meet the specific rules, regulations, standards, policies and contracts that are intended to protect information assets.
The organization’s benchmarking efforts also captured the direct, indirect and opportunity costs associated with non-compliance events during a 12-month period. Non-compliance cost is defined as the cost that results when a company fails to comply with rules, regulations, policies, contracts, and other legal obligations.
For more information or to download the report, please visit: https://www.globalscape.com/resources/whitepapers/data-protection-regulations-study.
About Ponemon Institute
Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.
GlobalSCAPE, Inc. (NYSE American: GSB) is a worldwide leader in the secure movement and integration of data. Through Globalscape’s powerful yet intuitive technology, organizations can accelerate their digital transformation and maximize their potential by unleashing the power of data. For more information, visit www.globalscape.com or follow the blog and Twitter updates.
Safe Harbor Statement
This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. The words "would," "exceed," "should," "anticipates," "believe," "steady," "dramatic," “expect,” and variations of such words and similar expressions identify forward-looking statements, but their absence does not mean that a statement is not a forward-looking statement. These forward-looking statements are based upon the Company’s current expectations and are subject to a number of risks, uncertainties and assumptions. The Company undertakes no obligation to update any forward-looking statements, whether as a result of new information, future events or otherwise. Among the important factors that could cause actual results to differ significantly from those expressed or implied by such forward-looking statements are risks that are detailed in the Company’s Annual Report on Form 10-K for the 2016 fiscal year, filed with the Securities and Exchange Commission on March 27, 2017.
(1): The percentage net change calculation is defined as follows: (FY2017−FY2011) ÷ [(FY2017+FY2011)×½]