110 Compliance Statistics to Know for 2024

November 21, 2023

Author: Anna Fitzgerald, Senior Content Marketing Manager at Secureframe

Reviewer: Emily Bonnie, Senior Content Marketing Manager at Secureframe

If there’s one constant within the compliance industry, it’s this: 

The state of risk and compliance is ever-changing. 

As cybersecurity concerns continue to grow, the cost associated with not having a well-thought-out risk and compliance program is sky-high. 

We’ve compiled over 100 compliance statistics for 2024 that cover the current state of compliance, the risk of non-compliance, compliance management and tools, vendor risk management data, and industry trends. 

We hope these statistics will help educate teams about the importance of compliance, build a solid compliance program, and get executive buy-in to address the changing nature of compliance risks. 

The current state of compliance

New priorities, risks, technologies, and regulations have emerged and affected the state of compliance. Find out how the industry has changed and increased in complexity in recent years. 

1. 70% of corporate risk and compliance professionals said they have noticed a shift from check-the-box compliance to a more strategic approach over the past two to three years. (2023 Thomson Reuters Risk & Compliance Survey Report)

2. 83% of risk and compliance professionals said that keeping their organization compliant with all relevant laws, policies, and regulations was a very important or absolutely essential consideration in its decision-making processes. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

3. 80% of corporate risk and compliance professionals agreed that their organization views risk and compliance as valuable business advisory functions, and 74% agreed that risk and compliance requirements enable, support, and enhance business activity. (2023 Thomson Reuters Risk & Compliance Survey Report)

4. 60% of executives said they feel that their organization is investing more time and resources in complying with laws and regulations. Only about half as many consumers (31%) said the same. (PwC's 2021 Consumer Intelligence Series survey on ESG)

5. In 2023, almost 70% of service organizations said they need to demonstrate compliance or conformity to at least six frameworks spanning information security and data privacy taxonomies. (Coalfire Compliance Report 2023)

6. 59% of security and IT leaders indicate their organization has multiple systems that must adhere to compliance requirements. (Coalfire Compliance Report 2023)

7. 40% of surveyed business and risk leaders said their organization has improved its approach to risk to achieve more robust compliance with regulatory standards in the last 12 months. When looking only at leaders from the top performing 5% of organizations, this number jumped to 81%. (PwC’s Global Risk Survey 2023)

8. 73% of organization leaders agree that cyber and privacy regulations are effective in reducing their organizations’ cyber risks in 2023. This is a noticeable increase from 39% who agreed with the same statement in 2022. (World Economic Forum's Global Cybersecurity Outlook 2023)

9. If it were a country, U.S. regulation would be the world’s eighth-largest economy. (CEI Ten Thousand Commandments 2022)

10. U.S. businesses spend an average of $10,000 per employee on regulatory costs. (CEI Ten Thousand Commandments 2022)

11. 84% of security and IT professionals list data protection frameworks, such as GDPR and CCPA, as a mandatory requirement for their industries. (Coalfire Compliance Report 2023)

12. When risk and compliance professionals were asked where their organization's compliance function is housed, the top answers were:

  • It is an independent function reporting to the CEO and/or board of directors (22%)
  • Within IT/data security/data privacy (18%)
  • It is split across multiple departments (18%)
  • Within the legal department (17%)
  • Within the human resources department (9%)
  • Within the internal audit department (6%). (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

13. Compliance officers reported that the top three areas with which compliance is now involved are the implementation of a demonstrably compliant culture (58%), the setting of risk appetite (51%), and assessing the effectiveness of corporate governance arrangements (48%). (Thomson Reuters' Cost of Compliance Report 2023)

14. 76% of risk and compliance professionals said that ensuring their organization builds and maintains an ethical culture of compliance was a very important or absolutely essential consideration in its decision-making processes. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

15. Risk and compliance professionals spend the most time identifying and assessing risk (56%) and monitoring compliance (52%). (2023 Thomson Reuters Risk & Compliance Survey Report)

16. The top five highest risk areas as defined by chief audit executives are: 

17. 60% of risk and compliance professionals indicate that Cybersecurity is a planned training topic over the next two-to-three years. This was the most commonly indicated compliance training topic. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

The risk of non-compliance

Turning your compliance program into a well-oiled machine can be a daunting task. But the risk of not having such a program in place far outweighs any hesitations you may have. If you need a reminder of just how high the risks associated with poor compliance management practices can be, look no further than the data points below. 

18. When asked what compliance issues they've experienced in the past three years, 19% of risk and compliance professionals said legal or regulatory action taken against the organization by a governing body. This was the third most common compliance issue reported. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

19. 77% of organizations have plans to transition to the next revision of applicable frameworks within the allowable periods, which indicates a strong awareness of the implications of these revisions and the need for action to maintain compliance. However, 21% of organizations plan to do nothing until a required audit or wait for external party findings. (Coalfire Compliance Report 2023)

20. Breaches cost almost $220,000 more on average when noncompliance with regulations was indicated as a factor in the event. (IBM's Cost of a Data Breach Report 2023)

21. Organizations with a high level of noncompliance with regulations showed an average breach cost of USD 5.05 million. This is USD 560,000, or 12.6%, more than the average cost of a data breach. (IBM's Cost of a Data Breach Report 2023)

22. 35% of risk executives said compliance and regulatory risk presents the greatest threat to their company's ability to drive growth. Another 35% said cyber or information risk was. (2022 PwC Pulse Survey of CROs and Risk Management Leaders)

23. Three out of five corporate risk and compliance professionals feel confident about their ability to address compliance risks. (2023 Thomson Reuters Risk & Compliance Survey Report)

24. The top three factors cited as obstacles to a team’s confidence in their ability to address compliance risks were a lack of knowledgeable personnel, inadequate resources, and poor company culture. (2023 Thomson Reuters Risk & Compliance Survey Report)

Compliance management statistics

Many organizations have begun to automate aspects of their compliance strategy. Find out what practices are becoming the norm within the risk and compliance industry below. 

25. In a Navex Global Survey, a significantly greater share of risk and compliance professionals described their programs as mature – managing or optimizing – in 2023 than in 2022. More than half (53%) said their organization was on the mature side of the spectrum, compared to 38% in 2022. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

26. 6% of risk and compliance professionals described their program as underdeveloped, or the least mature. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

27. 60% of GRC users still manage compliance manually with spreadsheets. (Coalfire Compliance Report 2023)

28. 44% of organizations say their top compliance management challenges are handling compliance assessments, undergoing control testing, and implementing policy and process updates. (MetricStream State of Compliance Survey Report 2021)

29. In 2023, compliance and risk professionals said their top policy management challenges were training employees on policies (42%) and aligning policies to changing regulations (38%). This reflects some improvement from the 2022 survey, in which 48% said training employees on policies and 40% said aligning policies to changing regulations. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

30. 23% of security and IT professionals said staying aware and interpreting new requirements and regulations affecting the organization was the top compliance program challenge. (Coalfire Compliance Report 2023)

31. 76% of compliance managers say they manually scan regulatory websites to track changes and assess the impact on their organization. (MetricStream State of Compliance Survey Report 2021)

32. When asked what would help reduce the complexity and cost of the risk and compliance process, almost half (49%) of the surveyed corporate risk and compliance professionals said standardizing risk and compliance frameworks across their organization. (2023 Thomson Reuters Risk & Compliance Survey Report)

33. The majority of security and IT leaders (62%) cited mapping controls and systems across frameworks as a method used to manage the impact of complying with multiple compliance frameworks. (Coalfire Compliance Report 2023)

34. 64% of large companies (more than $1 billion in annual revenue) list enhanced evidence mapping as the top way to effectively demonstrate compliance with multiple frameworks. (Coalfire Compliance Report 2023)

35. 65% of respondents said they have sufficient or very sufficient funding to audit, document, analyze, and act on the results of compliance efforts. 62% said they have sufficient or very sufficient staffing to do so as well. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

36. 61% of respondents said they expected the cost of senior compliance officers to increase. The top reasons why the cost of senior compliance staff is expected to increase over the next 12 months are demand for skilled staff and knowledge (77%) and additional senior staff required to cope with volumes of regulatory requirements (40%). (Thomson Reuters' Cost of Compliance Report 2023)

37. The main skill required for an ideal compliance officer is subject matter expertise. Other important skills are communication skills, integrity, and attention to detail. (Thomson Reuters' Cost of Compliance Report 2023)

38. While more than one-third of respondents expected compliance teams to grow and the cost of compliance staff to increase, staff turnover and budgets remain at 2022 levels. (Thomson Reuters' Cost of Compliance Report 2023)

39. In 2023, 58% of security and IT professionals said they need larger compliance budgets. (Coalfire Compliance Report 2023)

40. 27% of security and IT professionals ranked mitigating internal audit fatigue from recurring second-party and third-party assessment activities as the top compliance program challenge. (Coalfire Compliance Report 2023)

Compliance tools statistics

As the industry evolves, new technologies and tools are introduced to streamline and improve processes. When companies incorporate these technologies and tools in a proactive compliance strategy, they find it saves them money and improves their overall security posture. 

41. Compliance leaders anticipate technology will be one of the areas of highest spend increases this year. (Key Budget, Staffing and Spending Trends for Compliance in 2023)

42. Almost two-thirds (65%) of corporate risk and compliance professionals said using technology to streamline and automate manual processes would help reduce the complexity and cost of risk and compliance. (2023 Thomson Reuters Risk & Compliance Survey Report)

43. 35% of risk and compliance professionals indicated they are adopting technology to meet regulatory requirements. (Navex Global's 2022 Definitive Risk & Compliance Benchmark Report)

44. 38% of organizations outsource some or all of their compliance functionality, compared to 30% in 2022. (Thomson Reuters' Cost of Compliance Report 2023)

45. Only 5% of risk and compliance professionals said their organization does not use automation and technology solutions for their risk and compliance program. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

46. Firms have identified the top five risk and compliance functions that can benefit from technology as the following: 

47. In the Navex Global survey of risk and compliance professionals, the most prominent reason for adopting new risk and compliance automation and technology solutions was to reduce risks (46%). (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

48. The second most prominent reason for adopting new risk and compliance automation and technology solutions was to meet regulatory requirements (38%). (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

49. Roughly 1 in 5 of respondents identified the following reasons for adopting automation and technology solutions:

50. When security professionals are asked how to improve their company’s security posture, the top answer is upgrading tools (67%). This is an effort which they also report is being thwarted by integration difficulties, lack of expertise, and the sheer number of tools to manage. (Netenrich's Global 2021 Survey of IT and Security Professionals)

51. 43% of those under extreme pressure to increase revenue due to the pandemic said they would like to deploy AI and machine learning (ML) to combat financial crime in the future. (Refinitiv's Global Risk and Compliance Report 2021)

52. In UK companies that use AI in risk and compliance, the top use cases are:

  • Risk assessment and analytics (25%)
  • Data analytics and reporting (23%)
  • Workflow and document drafting (21%)
  • Fraud detection and prevention (19%)
  • Compliance training and education (15%)
  • Monitoring regulatory changes (13%). (2023 Thomson Reuters Risk & Compliance Survey Report)

53. A majority of organizations (61%) employ some level of security AI and automation, with 28% reporting they use it extensively in their operations. (IBM's Cost of a Data Breach Report 2023)

54. Organizations that used security AI and automation extensively reported USD 1.76 million lower data breach costs compared to organizations that didn’t use security AI and automation capabilities. (IBM's Cost of a Data Breach Report 2023)

55. Organizations that used security AI and automation extensively experienced, on average, a 108-day shorter time to identify and contain a data breach. (IBM's Cost of a Data Breach Report 2023)

The importance of vendor and third-party risk management 

As many organizations opt to outsource various tasks to third-party vendors, the risks associated with sharing sensitive information jump sharply. Look at how other organizations are handling their vendor risk management with the statistics below. 

56. In an analysis by Cyentia Institute and SecurityScorecard, the average firm had around 10 third-party relationships and nearly all firms (98%) had at least one third-party partner who had suffered a breach in the last two years. (Cyentia Institute and SecurityScorecard Research Report 2023)

57. 54% of organizations reported experiencing a data breach caused by one of their third parties in the last 12 months. (The 2022 Data Risk in the Third-Party Ecosystem Study)

58. Over 40% of organizations surveyed experienced a cyber incident linked to a third party, and another 21% experienced multiple. (2023 Report by ProcessUnity and CyberGRX)

59. When asked what compliance issues they've experienced in the past three years, 18% of risk and compliance professionals said third party ethics or compliance failure. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

60. 59% of senior decision-makers view the use of third parties as the most significant corruption risk facing their organization. (2023 Global Compliance Risk Benchmarking Survey)

61. 31% of risk executives said third-party risk presents the greatest threat to their company's ability to drive growth. (2022 PwC Pulse Survey of CROs and Risk Management Leaders)

62. 64% of organizations stated that third-party risk management was viewed as a strategic imperative by their boards of directors and executive teams. (2023 Report by ProcessUnity and CyberGRX)

63. In 2023, the majority of compliance and risk professionals (72%) agreed their third-party due diligence program significantly reduces their legal, financial and reputational risks. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

64. The majority of compliance and risk professionals (80-88%) rate their organization as at least good in the various elements of a third-party due diligence program. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

65. Respondents from larger companies (5,000 employees or more) were most likely to rate their third-party due diligence program elements as very good or excellent (55-65%). Only 45-53% of smaller organizations (less than 5,000 employees) said the same across various program elements. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

66. Only 7% of compliance and risk professionals said they don’t do anything currently in their approach to third parties in 2023. This is down from 12% in 2022. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

67. 27% of organizations apply the same risk management approach to all third parties regardless of risk level. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

68. On average, most organizations (85%) perform risk-based compliance diligence on third parties. Of these, more than half (55%) said that they perform risk-based diligence on third parties before contracting with them and also periodically thereafter. (2023 Global Compliance Risk Benchmarking Survey)

69. Most organizations (87%) have written policies regarding employee engagement/interaction with third parties. (2023 Global Compliance Risk Benchmarking Survey)

70. Almost three-quarters of organizations (74%) have a code of conduct for third parties, and two-thirds (66%) of those respondents require third parties to attest to their compliance with the code of conduct or similar policy. (2023 Global Compliance Risk Benchmarking Survey)

71. The majority of compliance and risk professionals (60%) rate their compliance program's performance as good or very good at requiring compliance training and certifications from third parties. A combined 20% of respondents rated their program as either poor or fair and 21% rated it as excellent. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

72. Only 22% of organizations perform regular compliance audits on third parties, with only 11% reporting annually and 11% reporting less frequently. 40% of organizations report auditing third parties only based on triggering events. (2023 Global Compliance Risk Benchmarking Survey)

73. 48% of organizations find it challenging to track third-party compliance. (MetricStream State of Compliance Survey Report 2021)

74. Cybersecurity practices among vendors are becoming an expectation, as 44% of firms say they are being asked for proof of cybersecurity as part of a request for proposal (RFP). (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021)

75. 58% of organizations say that the top challenge they face when it comes to third-party risk management is vendor responsiveness in the due diligence phase. (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021)

76. In 2022, supply chain attacks surpassed the number of malware-based attacks by about 40%. These supply chain attacks targeted 1,743 entities and impacted more than 10 million people. (ITRC 2022 Data Breach Report)

Data breaches by the numbers

Data breaches continue to be a costly risk for businesses, highlighting the need for preventative measures to monitor and flag any potential weaknesses in a company’s data protection. We’ve compiled a list of stats that underscore the costs associated with data breaches and common causes. 

77. Three in ten (30%) risk and compliance professionals said their organization experienced a data privacy/cybersecurity breach in the past three years, the most common compliance issue experienced over that period. This is a substantial increase from 22% in 2022. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

78. Cyber incidents, such as cyber crime and data breaches, were reported as the leading risk to businesses globally for 2023 by 34% of risk management experts. (Statista)

79. The number of publicly reported data compromises in the U.S. totaled 1,802 in 2022. This represents the second highest number of data events in a single year and just 60 events short of matching 2021’s all-time high number of data compromises. (ITRC 2022 Data Breach Report)

80. 73% of all data breaches involve the human element. They may be the result of human error, privilege misuse, use of stolen credentials, or social engineering. (Verizon's 2023 Data Breach Investigations Report)

81. 86% of web application breaches — which account for 25% of all breaches — involve stolen or weak credentials. (Verizon's 2023 Data Breach Investigations Report)

82. Phishing and stolen or compromised credentials were responsible for 16% and 15% of data breaches, respectively, in 2023. (IBM's Cost of a Data Breach Report 2023)

83. Breaches that initiated with stolen or compromised credentials took the longest to resolve. On average, it took nearly 11 months (328 days) to identify and contain these data breaches in 2023. (IBM's Cost of a Data Breach Report 2023)

84. About 60% of companies have over 500 accounts with non-expiring passwords, highlighting just one of the inadequate security practices that leave companies open for data breaches. (Varonis's 2021 Data Risk Report)

85. Phishing was the most prevalent attack vector and the second most expensive at the global average cost of USD 4.76 million per data breach. (IBM's Cost of a Data Breach Report 2023)

86. Although relatively rare at 6% of occurrences, attacks initiated by malicious insiders were the costliest, at an average of USD 4.90 million. This is 9.6% higher than the global average cost of USD 4.45 million per data breach. (IBM's Cost of a Data Breach Report 2023)

87. 83% of breaches involved external actors, and the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches. (Verizon's 2023 Data Breach Investigations Report)

88. As in 2022, ransomware was present in 24% of data breaches this year. (Verizon's 2023 Data Breach Investigations Report)

89. The average cost of a data breach reached an all-time high in 2023 of USD 4.45 million. This represents a 2.3% increase from 2022. (IBM's Cost of a Data Breach Report 2023)

90. Employee training is one of the most effective cost mitigators of data breaches. On average, breaches at organizations with employee training cost $230,000 less. (IBM's Cost of a Data Breach Report 2023)

91. In 2023, 52% of all breaches involved some form of customer personal identifiable information, such as names and Social Security numbers, making customer PII the most commonly breached record type for the third year in a row. (IBM's Cost of a Data Breach Report 2023)

92. Customer PII is the most common and costliest to have compromised. In 2023, customer PII cost organizations USD 183 per record. Employee PII was close behind at USD 181 per record. (IBM's Cost of a Data Breach Report 2023)

How Secureframe can help you improve your security and compliance posture

Regardless of industry, there’s no question that risk and compliance practices are crucial to running a company in our current environment. Assessing and monitoring your business’s ongoing compliance strategy can help save thousands of dollars and improve your security posture. To learn how Secureframe automates and streamlines the end-to-end compliance process so you can save time getting and staying compliant, schedule a demo.