100+ Compliance Statistics You Should Know in 2024

Ayush Saxena

Jan 08, 2024

Data security compliance is gaining momentum as one of the foundational elements of a successful business. The demand for IT security professionals, compliance officers, and data protection officers is growing, expenditure on compliance programs is increasing, and organizations are treating compliance as a key component of their overall strategy.

Some compliance professionals are still finding it difficult to secure the personnel and resources required to build a proactive and robust compliance program. Changing processes to address compliance risks and getting executive buy-in are still very real struggles for compliance teams. 

Did you know that, according to Accenture’s 2022 Compliance Risk Study, 95% of businesses have established or are trying to build a culture of compliance?

We’ve compiled a list of important compliance statistics that you can cite to bring awareness to your leadership team as well as other key business stakeholders about the importance of compliance. These statistics will also help you start out with your own compliance program and begin planning for 2023.

TL;DR: This article collects the latest insights and trends in the compliance industry so you can plan and prepare better in an ever-changing compliance landscape while learning from past gaps.

Compliance Trends for 2023

The rapid pace of technological advancement is influencing compliance trends in 2023, presenting both opportunities and risks with emerging technologies such as artificial intelligence, the Internet of Things, blockchain, and cloud computing.

Organizations have been forced to rethink their operational resilience when it comes to the future of the compliance industry. With the disruption organizations continue to face due to the pandemic, companies have seen first-hand the need for, and benefits of, a well-run risk and compliance management program.

We’ve compiled a few of the compliance trends that industry experts predict for the coming year.

1. 93% of surveyed respondents in a compliance risk study conducted by Accenture agree that AI and cloud compliance tools remove human error, automate manual tasks, and prove to be more effective and efficient.

Source: Compliance Risk Study 2022 Report, Accenture

2. 90% of compliance leaders agree that there will be a 30% rise in the cost of compliance in the near future, although 72% of respondents don’t foresee any changes in their allocated budget in the next couple of years.

3. 19% of breaches are the result of supply chain attacks, and a supply chain breach takes an average of 26 days longer to identify and contain than the global average.

Source: IBM’s Cost of Data Breach 2022

4. The global cyber security market size is estimated to reach USD 500.70 billion by 2030, at a CAGR of 12.0% from 2022 to 2030.

Source: Grand View Research

5. Okta, a leading IAM (identity and access management) vendor, shared in its 2022 report that 52% of its surveyed respondents had a zero trust architecture in place for all the right reasons.

Source: The State of Zero Trust Security 2022, Okta

6. 6% of respondents in the Accenture survey cite a lack of sufficient organizational stature in the compliance structure as a serious impediment to strengthening compliance.

7. The three areas of compliance that businesses plan to focus on in the future are enhancing internal compliance and regulatory assessments, improving employee awareness with more compliance training, and elevating third-party compliance.

Source: State of Compliance Survey Report 2021, MetricStream

8. 62% of businesses expect more compliance involvement in cyber security in the coming years. 

Source: Thomson Reuters’ Cost of Compliance Report 2021

9. Half of the survey respondents expect the compliance professional’s personal liability to grow in the next 12 months, and 10% expect it to rise significantly. 

Source: Thomson Reuters’ Cost of Compliance Report 2021

10. 34% of businesses say that regtech solutions are influencing the management of compliance. 

Source: Thomson Reuters’ Cost of Compliance Report 2021

11. 1,100 compliance and GRC professionals, when surveyed, ranked their top priorities for 2022 as:

  • Advertising and Marketing
  • Privacy and Cybersecurity
  • ESG (environmental, social, and governance)

Source: ACA Virtual Fall Conference Report 2021

12. The total projected cost of financial crime compliance in Canada and the U.S. for 2021 is $49.9 billion, a 19% increase from 2020.

Source: LexisNexis Risk Solutions’ 2021 True Cost of Financial Crime Compliance Study

13. Businesses are expected to adopt environmental, social, and corporate governance (ESG) practices and procedures over the coming decades due to climate-related disasters. Impacts from this will include supply chain management, operational and strategic decision-making, and investment decisions. 

Source: NavexGlobal Top Risk & Compliance Trends for 2021

14. 80% is the average compliance onboarding success rate. 

Source: NorthRow

15. On average, 25% of company revenue is spent on compliance costs. 18% of organizations estimated that more than 50% of their income is spent on compliance costs.

Source: NorthRow

The current state of compliance

New technologies are being introduced as the compliance industry evolves to streamline and improve processes. When organizations take a proactive approach to implementing and solidifying their compliance strategy, they save time and resources while improving their overall security posture. 

Here’s how the compliance industry has evolved in recent years. 

1. 86% of businesses surveyed agreed that innovative digital technologies have aided them in identifying financial crime. 

Source: Refinitiv’s Global Risk and Compliance Report 2021

2. The leading risk among businesses for 2021 was business interruption (41%), inclusive of supply chain disruptions. This was followed closely by cyber incidents such as cybercrime, fines and penalties, and data breaches at 40%.

Source: Statista

3. 70% of risk and compliance experts agree that the pandemic has increased their reliance on technology to improve decision-making, risk management, and performance monitoring.

Source: Thomson Reuters’ Fintech, Regtech and the Role of Compliance Report 2021

4. Organizations have identified the top five risk and compliance functions that can benefit from technology as the following:

  • Regulatory reporting (24%)
  • Trade surveillance (32%)
  • Marketing reviews (41%)
  • Compliance policy/activity tracking (41%)
  • Vendor oversight (54%)

Source: ACA Key Trends and Forces Shaping Compliance and Risk Management in 2021

5. Vendors are being asked for strong cybersecurity practices. 44% of businesses say as part of a request for proposal (RFP), they are being asked for proof of cybersecurity. 

Source: ACA Key Trends and Forces Shaping Compliance and Risk Management in 2021

6. Risk and compliance programs are evolving. Navex Global found that the number of “mature and advanced” risk and compliance programs grew by 29%, while the number of “reactive and basic” ones decreased by 35%.

Source: Navex Global’s 2021 Definitive Risk & Compliance Benchmark Report

7. 34% of businesses outsource part or all of their compliance functionality. 

Source: Thomson Reuters’ Cost of Compliance Report 2021

8. If compliance were a country, U.S. regulation would be the eighth-largest economy globally. 

Source: CEI Ten Thousand Commandments 2021

9. When security professionals and CISOs are asked how to improve their company’s overall security posture, the top answer is upgrading security tools (67%). Security professionals also report that this effort is hampered by a lack of expertise, integration difficulties, and the sheer number of tools to manage.

Source: Netenrich’s Global 2021 Survey of IT and Security Professionals

10. 80% of surveyed respondents shared that they had a business continuity plan in place and that it helped them in navigating the pandemic’s impact. 

Source: Navex Global’s 2021 Definitive Risk & Compliance Benchmark Report

Data breaches by the numbers

Data breaches are a costly risk for organizations, highlighting the need for preventative measures to identify and rectify any potential weaknesses in an organization’s data protection. We’ve compiled a list of stats that highlight the costs associated with data breaches and their common causes.

1. 65% of organizations say they expect to spend more on cybersecurity and privacy resources in 2021.

Source: ACA Key Trends and Forces Shaping Compliance and Risk Management (2021)

2. Identity-based attacks are growing. Almost 90% of web application breaches were due to credential abuse, and phishing was the cause of more than a third of all breaches. 

Source: Verizon’s Data Breach Investigations Report 2021

3. 78% of businesses worldwide say zero trust has grown in priority, and nearly 90% are currently working on a zero-trust initiative.

Source: Okta’s State of Zero Trust Security 2021 Report

4. More than 60% of all data breaches are attributed to weak or stolen credentials.

Source: Verizon’s Data Breach Investigations Report 2021

5. Attacks targeting the financial sector, from February to April 2020, grew by 238%. 

Source: VMWare Modern Bank Heists Threat Report

6. The average cost of a data breach per incident in 2021 among companies surveyed reached $4.24 million, the highest in 17 years. 

Source: IBM

7. Remote work is an emerging risk factor for data breaches. When remote work was a factor in the incident, breaches cost over $1 million more on average.

Source: IBM

8. Customer personal data (such as email, name, and password) is a part of 44% of data breaches. 

Source: IBM

9. The total number of cyber attack-related data compromises, year-to-date, is up 27% compared to fiscal year 2020, with ransomware and phishing seen as the top attack methods.

Source: Identity Theft Resource Center Q3 2021 findings

10. 67% of organizations with 5,001 to 10,000 employees plan to invest in employee security awareness programs, twice the share reported in 2019 (33%).

Source: Netwrix 2020 IT Trends Report

11. About 60% of organizations have over 500 accounts with non-expiring passwords, highlighting just one of the many inadequate security practices that leave organizations open for data breaches. 

Source: Varonis

12. By 2023, Gartner predicts that 65% of the population globally will have its private data covered and protected under modern privacy regulations. 

Source: Gartner’s State of Privacy and Personal Data Protection report

Leading Causes of Data Breaches

A data breach is any security incident in which unauthorized parties gain access to confidential information or sensitive data, including corporate data (customer data records, financial information, intellectual property) or personal data (Social Security numbers, healthcare data, bank account numbers).

Data breaches can be caused by one or more of the following factors:

  • Weak and Stolen Passwords
  • Social Engineering
  • Physical Attacks
  • Insider Threats 
  • Malware
  • Unpatched Applications

1. Osano reported that hackers were responsible for the greatest number of data breaches, and hacker-caused data breaches, on average, exposed 17 times more sensitive data than other breach types (unintended internet disclosure, inside jobs, unintended physical disclosure).

2. Hackers and criminal insiders are responsible for 48% of data breaches.

Source: 2018 Cost of a Data Breach Study, IBM

3. Many organizations fail to understand how their data is used by their vendors. A study from Cisco reports that the average organization shares its data with as many as 730 different vendors and third parties. 

Source: Cisco

4. Two out of every three data breaches are caused by third-party vendors.

Source: Internal Auditors Research Foundation

5. 70 million data records were leaked or stolen in 2018 due to poorly configured AWS S3 cloud storage buckets.

Source: The 2019 Internet Threat Report from Symantec

6. Lax data access practices are the key reason behind so much sensitive data being left exposed. About 53% of businesses leave 1,000 or more files with sensitive data accessible to all employees, whether the employees are actually authorized to access the data or not.

Source: The 2019 Global Data Risk Report from Varonis

Compliance Statistics by Framework

Each compliance framework has its own considerations as well as trends. We’ll cover some of the most popular ones to stay on top of changes across frameworks. 

HIPAA Compliance Statistics

HIPAA is an essential compliance requirement for healthcare entities, aimed at safeguarding sensitive Patient Health Information (PHI).

For the healthcare compliance industry, check out these HIPAA compliance statistics:

1. Between the years 2009 and 2022, 5,150 healthcare data breaches involving 500 or more records were reported. Those breaches have led to the leak of more than 382 million medical records.

Source: The HIPAA Journal 

2. In 2022, an average of 1.94 healthcare data breaches involving 500 or more records were reported every day.

Source: The HIPAA Journal 

3. 58% of ASETT (Administrative Simplification Enforcement and Testing Tool) complaints in the first quarter of 2023 did not violate HIPAA rules.

Source: Centers for Medicare & Medicaid Services

4. Hacking is the leading cause of healthcare data breaches, ahead of theft, impermissible disclosures, and ransomware attacks.

Source: The HIPAA Journal 

5. 2022 was a record year for HIPAA enforcement, with over 222 penalties issued.

Source: The HIPAA Journal

6. 55% of the financial penalties in 2022 were imposed by the Office for Civil Rights against small practices.

Source: The HIPAA Journal

7. Penalties can fall between $100 per HIPAA violation and up to a maximum of $25,000 per violation category annually.

Source: The HIPAA Journal

GDPR Compliance Statistics

The GDPR framework was created by the European Union to safeguard the personal information of citizens residing in Europe, and it applies to companies operating within the EU as well as those dealing with EU citizens.

GDPR standards give EU countries a common basis for responding to digital security risks. Here are a few GDPR statistics:

1. The aggregate value of GDPR fines issued in 2022 was 50% higher than the value of fines reported in 2021.

Source: DLA Piper

2. Aggregate fines reported since the implementation of GDPR on May 25, 2018, through Jan. 10, 2023, total 2.92 billion euros, or $3.1 billion.

Source: DLA Piper

3. To stay compliant with GDPR standards, 20% of compliance staff said they’ve changed their email provider.

Source: Business 2 Community 

4. 90% of compliance workers regard GDPR compliance as the hardest to attain. 

Source: Globalscape

Additional Compliance Framework Statistics

International compliance standardization and payment data security gain importance every year. Below are a few takeaways on the state of compliance for ISO 27001 and PCI DSS:

1. PCI fines in the U.S. can range from $5,000 to $100,000 per month until the issue is rectified.

Source: VikingCloud

2. Organizations achieving and maintaining PCI compliance reached 43.4% in 2020.

Source: Verizon

3. ISO has published 24,780 international standards, with over 1,412 standards added in 2022.

Source: ISO 

4. ISO members are represented in 168 countries.

Source: ISO

The cost of non-compliance

Non-compliance may lead to the loss of loyal customers and clients who hesitate to conduct business with an organization they view as unethical. Overall, the total cost of non-compliance is estimated at more than $14 million, including revenue loss, fines, penalties, productivity loss, business disruption, reputation damage and other fees.

Turning your organization into a well-oiled compliance machine can be a daunting task. But the cost and implications of not having such a program in place are higher than the cost of building that well-oiled compliance machine.

If you need a number on just how high the costs linked with poor compliance management practices can be, take a look at the data points below. 

1. 31% of surveyed respondents predict their compliance teams will expand in the next 12 months, down from 43% in 2018. 

Source: Thomson Reuters’ Cost of Compliance Report 2021

2. The projected total cost across financial institutions worldwide of financial crime compliance is $213.9 billion. 

Source: LexisNexis Global True Cost of Compliance 2020 Report

3. U.S. businesses have an average expense of $10,000 per employee on regulatory costs.

Source: CEI Ten Thousand Commandments 2021

4. In a single non-compliance event, organizations lose an average of $4 million in revenue.

Source: GlobalScape’s The True Cost of Compliance with Data Protection Regulations

5. The cost of non-compliance has increased by 45% since 2011. 

Source: GlobalScape’s The True Cost of Compliance with Data Protection Regulations

6. 50% of organizations agreed that they spend 6-10% of their revenue on compliance costs.

Source: Bloomberg

The cost of compliance

The cost of regulatory compliance and the economic effects of federal intervention are estimated at $1.9 trillion annually. If the cost of federal regulations were compared to a country’s economy, it would rank ninth, just behind India and ahead of Canada.

1. In the U.S., PCI compliance fines and penalties aren’t published, but they can range from $5,000 to $100,000 per month until the issue is resolved.

Source: PCI Compliance Guide FAQs

2. Businesses can save $1.03 million on average through regulatory monitoring.

Source: GlobalScape’s The True Cost of Compliance with Data Protection Regulations

3. Globally, fraud causes total losses upwards of $3.6 billion.

Source: Association of Fraud Examiners’ 2020 Global Study on Occupational Fraud and Abuse

4. In a 15-month period through 2019, regulators fined banks $10 billion, with most of those fines (60%) attributed to cyber attacks.

Source: Fenergo

5. Organizations spend up to $5.47 million on compliance, compared with an average cost of $14.82 million for non-compliance.

Source: GlobalScape’s The True Cost of Compliance with Data Protection Regulations

6. Among data protection regulations and standards, the General Data Protection Regulation (GDPR) has some of the strictest policies and penalties. Under the GDPR, EU authorities can fine organizations up to 4% of worldwide turnover for the preceding financial year or €20 million, whichever is higher.

Source: Tessian Biggest GDPR Fines of 2019, 2020, and 2021 (So Far)

7. In the U.S., businesses, on average, spend $10,000 per employee on regulatory costs.

Source: Ten Thousand Commandments 2019, CEI

8. For organizations across all industries worldwide, the average compliance cost is $5.47 million.

Source: Ten Thousand Commandments 2018, CEI

9. Some of the highest compliance costs are associated with the financial services industry, with the average cost of compliance amounting to $30.9 million.

Source: The True Cost of Compliance, Corporate Compliance Insights

10. Companies have the highest spending on specialized technology, with incident response coming in second and audits and assessments coming in third.

Source: The True Cost of Compliance, Corporate Compliance Insights

11. GDPR is considered the most difficult framework for businesses to achieve compliance with.

12. Most businesses conduct one or more compliance audits annually.

Source: The True Cost of Compliance with Data Protection Regulations, Ponemon Institute LLC

13. It pays to invest in compliance: spending more on compliance activities such as audits, training, expert staffing, and enabling technologies costs less than being in non-compliance with data protection regulations.

Source: The True Cost of Compliance with Data Protection Regulations, Ponemon Institute LLC

Compliance and security technology

Organizations are rapidly making a transition from the tedious manual compliance processes towards compliance automation software to improve their overall cybersecurity posture while ensuring compliance in real time.

1. Data breaches cost, on average, $1.55 million less for businesses that have fully deployed automated security technology than for organizations that have not deployed automated security.

Source: 2018 Cost of a Data Breach Study by Ponemon Institute LLC

2. Companies spend, on average, $1.34 million on specialized compliance or cybersecurity technology.

Source: The True Cost of Compliance with Data Protection Regulations, GlobalScape

3. Organizations that enabled compliance technology saved, on average, $1.45 million in compliance costs.

Source: The True Cost of Compliance with Data Protection Regulations, GlobalScape

4. Of the businesses currently using Governance, Risk, and Compliance (GRC) technology, 61% plan to raise their spending on GRC platforms in the next three years.

Source: The Ultimate List of Compliance Program Statistics, ComplianceNext

5. Only 69% of organizations are using technology to deliver their compliance programs.

Source: KPMG’s chief compliance officer survey

6. Only 18% of organizations have automated processes for reporting and IT risk data collection, despite this being proven the most effective way to mitigate risk.

Source: KPMG’s chief compliance officer survey

Third-Party Compliance Statistics

Compliance also extends to the third parties you work with, which can introduce their own compliance concerns.

Here are a few key insights with respect to third-party risk management statistics:

1. 58% of compliance teams report that gauging vendor responsiveness is their top challenge in third-party risk management.

Source: ACA

2. 48% of organizations disclosed difficulty with tracking third-party compliance.

Source: MetricStream

3. 48% of organizations do not have a complete list of all third parties with access to their network and data.

Source: Ponemon Institute

4. 39% of organizations listed vendor support issues as a primary reason for upgrading security frameworks. 

Source: Ponemon Institute

5. In the last year, cyberattacks targeting third parties have increased from 44% to 49%.

Source: Ponemon Institute

6. Compliance departments, in 34% of organizations, oversee all third-party risk management themselves.

Source: Gartner

7. 66% of legal and compliance leaders say third parties provide services outside their business’s core operational model.

Source: Gartner

8. 73% of the effort devoted to risk identification is allotted to recertification and due diligence. Meanwhile, only 27% of effort goes into identifying risks over the course of a relationship.

Source: Gartner

9. 9% of businesses name managing third-party risk and vendor relationships as their top priority.

Source: Clausematch

10. 34% of companies outsource at least some part of their compliance functionality.

Source: Thomson Reuters

11. 52% of compliance experts cite a lack of data and information about the partners that expose their business to third-party risks.

Source: Accenture

Compliance staff

Having well-qualified and experienced cybersecurity professionals is essential for businesses to carry out their security and compliance programs. Companies are increasingly turning to cybersecurity professionals to safeguard their sensitive data in this ever-evolving world of cyber-crime.

1. Businesses save $1.25 million on average in compliance costs by appointing a C-level compliance leader.

Source: The True Cost of Compliance with Data Protection Regulations, GlobalScape

2. Businesses save an average of $14 per record lost or stolen by having a dedicated incident response team.

Source: 2018 Cost of a Data Breach Study, IBM

Twelve best practices that reduce total compliance costs

Twelve best practices that reduce compliance costs were identified in a survey conducted by Globalscape and the Ponemon Institute.

If your management team, IT department, and compliance team are willing to apply these practices consistently, you can potentially save your organization millions of dollars:

1. An average of $3.01 million was saved by using a centralized data governance program.

2. $2.86 million on average is saved by conducting regular compliance audits.

3. An average of $2.54 million was saved by implementing corporate data security training.

4. Utilizing in-house legal expertise and hiring saved businesses $2.27 million on average.

5. Businesses saved $2.03 million on average by integrating data security with their security and privacy functions.

6. An average of $1.89 million was saved by developing a formal incident response process.

7. Businesses saved $1.43 million on average by enabling governance, risk, and compliance technologies.

8. Businesses saved an average of $1.25 million by appointing a C-level compliance leader to make decisions and lead company-wide compliance efforts.

9. Board-level and CEO reporting on compliance issues and efforts saved businesses $1.08 million on average.

10. Businesses saved $1.03 million on average by implementing regulatory monitoring to make sure they were keeping up with regulatory changes.

11. Businesses saved $820,000 on average with program certifications.

12. Businesses saved $520,000 on average by putting a formal compliance charter in place.

We hope these statistics help give an overview of the current state of compliance. Below is a visual guide for some of the most important facts and figures we covered.

Conclusion

As attackers adopt more sophisticated technology to gain access to organizations’ sensitive data, security compliance programs are gaining momentum as well. Organizations are rapidly turning to compliance programs to build trust with clients and stakeholders, avoid fines and penalties, and build a strong cybersecurity posture to protect sensitive data.

With AI and cloud compliance tools that remove human error, automate manual tasks, and provide more efficiency and effectiveness, organizations are rapidly shifting from traditional, tedious ways of compliance towards compliance automation, saving valuable time and resources.

Organizations are rapidly adopting compliance automation technologies, creating cybersecurity awareness among employees, and investing towards a better cybersecurity framework. This demonstrates the growing importance of compliance in modern times.

Ayush Saxena

Ayush Saxena is a senior security and compliance writer. Ayush is fascinated by the world of hacking and cybersecurity. He specializes in curating the latest trends and emerging technologies in cybersecurity to provide relevant and actionable insights. You can find him hiking, travelling or listening to music in his free time.
