In January 2011, the Ponemon Institute LLC conducted a study of 46 multinational companies to determine the costs of both Compliance and Non-Compliance. This was "the first study to use empirical data to estimate the full costs of the organization's compliance efforts, including the cost of non-compliance with laws, regulations, and policies." Here are some highlights from the study:
Costs of Compliance vs Non Compliance
- The average cost of Compliance for the 46 companies was $3.5 million, or about $220 per employee per year.
- The average cost of Non-Compliance for the 46 companies was $9.3 million, or about $820 per employee per year.
- On average, the cost of Non-Compliance was about 2.65 times the cost of Compliance for the 46 companies.
- In all but two cases, Non-Compliance costs outweighed Compliance costs.
Security Strategy and Non-Compliance Costs
- The study used a well-known indexing method called the Security Effectiveness Score (SES). They found that:
- The SES had no relation to Compliance costs.
- The SES is inversely related to Non-Compliance costs.
- Outcome: organizations with a higher SES (that is, a stronger security posture) incur lower Non-Compliance costs.
Breakdown of Non-Compliance Costs
- 43% of Non-Compliance Costs are Indirect Costs. Indirect costs include data center downtime, diminished employee productivity, and administrative overhead.
- 30% of Non-Compliance Costs are Opportunity Costs. Opportunity costs include reduced potential, lost business opportunities that result from compliance infractions, and damage to a company's reputation.
- 27% of Non-Compliance Costs are Direct Costs. Direct costs of non-compliance include lost customers and lost revenue.