December 14, 2017 By Douglas Bonderud 2 min read

Security compliance isn’t cheap. A recent Ponemon study found that compliance expenses have increased 43 percent since 2011, costing companies more than $5 million each year.

According to Bloomberg, meanwhile, U.S. and European banks are spending $20 billion to meet compliance requirements for the revamped Markets in Financial Instruments Directive (MiFID II).

As a result, opting out — choosing not to spend upfront and hoping for ideal outcomes — is now a consideration for enterprises faced with shrinking budgets and burgeoning consumer expectations. The problem is that, while skimping offers short-term savings, it also leads to massive long-term costs.

Rolling the Dice on Security Compliance

Dark Reading reported that many companies expect to invest more than $1 million toward General Data Protection Regulation (GDPR) readiness, and this number could increase as the new legislation’s rules around personal and corporate data are put to the test.

For small and midsized enterprises, this is a huge line item, especially if they don’t conduct much business overseas. What’s more, average costs almost never align with actual spending. Implementation and training costs, along with costs to keep compliance policies up to date, drive up the price.

According to Infosecurity Magazine, while the average cost of compliance now totals almost $5.5 million each yeah, the cost of noncompliance comes in at $14.82 million — almost triple the amount spent on meeting regulatory expectations. Although the bulk of noncompliance costs often stem from data breaches, other issues, such as vendor noncompliance and improper auditing procedures, also impact the bottom line.

Reputation plays a role as well. Noncompliant enterprises face challenges from consumers frustrated that their data wasn’t properly protected and increased scrutiny from regulatory agencies. Once governing bodies discover an organization hasn’t done its due diligence, proving compliance becomes a major stumbling block.

Not spending on compliance upfront is like rolling the dice: If the wrong number comes up, enterprises could lose it all.

Controlling Costs

Companies are spending just over 14 percent of their IT budgets on compliance, according to Infosecurity Magazine, but this likely won’t be enough to meet MiFID II and GDPR compliance expectations. Add in the emerging need for Internet of Things (IoT) regulation, and it’s a safe bet that businesses will need to up their spending significantly to avoid both the upfront and downstream impacts of noncompliance.

The good news is that there are ways to better manage compliance spending, such as:

  • Implementing automation. As noted by Professional Adviser, it’s possible to manage security compliance costs with automated tools that monitor the expiry of client data consent and set specific retention periods for documents. While these solutions require upfront spending, the potential savings are substantial.
  • Accountable culture. Training is a large component of compliance expense. Employees must have the knowledge and tools available to ensure that data is properly handled. By extending these efforts to create a culture of inherent accountability, enterprises can reduce the costs associated with piecemeal compliance efforts.
  • Vendor expectations. Vendors play a critical role in the compliance equation. For example, if a third-party cloud provider that handles client data isn’t compliant, the responsibility lies with the organization that owns the data, not the vendor. Enterprises can reduce their total compliance budget by including specific expectations and documentation in their requests for proposal.

Security compliance is costly and new regulations are driving up the price. This creates a simple choice: Spend now, or pay later.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today