110 Compliance Statistics to Know for 2025

  • October 28, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Emily Bonnie

Senior Content Marketing Manager

If there’s one constant within the compliance industry, it’s this: 

The state of risk and compliance is ever-changing. 

As cybersecurity concerns continue to grow, the cost associated with not having a well-thought-out risk and compliance program is sky-high. 

We’ve compiled over 100 compliance statistics for 2024 that cover the current state of compliance, the risk of non-compliance, compliance management and tools, vendor risk management data, and industry trends. 

We hope these statistics will help educate teams about the importance of compliance, build a solid compliance program, and get executive buy-in to address the changing nature of compliance risks. 

The current state of compliance

New priorities, risks, technologies, and regulations have emerged and affected the state of compliance. Find out how the industry has changed and increased in complexity in recent years. 

1. 70% of corporate risk and compliance professionals said they have noticed a shift from check-the-box compliance to a more strategic approach over the past two to three years. (2023 Thomson Reuters Risk & Compliance Survey Report)

2. 47% of compliance professionals are focused on simply finding a better, easier way to alleviate the burden of the legal requirements of compliance, while only 16% are ready to go beyond checking a box and adopt a strategic approach to compliance. (FloQast's 2024 Exploring Strategic Compliance: The Next Frontier)

3. 83% of risk and compliance professionals said that keeping their organization compliant with all relevant laws, policies, and regulations was a very important or absolutely essential consideration in its decision-making processes. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

4. 80% of corporate risk and compliance professionals agreed that their organization views risk and compliance as valuable business advisory functions, and 74% agreed that risk and compliance requirements enable, support, and enhance business activity. (2023 Thomson Reuters Risk & Compliance Survey Report)

5. In 2023, almost 70% of service organizations said they need to demonstrate compliance or conformity to at least six frameworks spanning information security and data privacy taxonomies. (Coalfire Compliance Report 2023)

6. 59% of security and IT leaders indicate their organization has multiple systems that must adhere to compliance requirements. (Coalfire Compliance Report 2023)

7. 40% of surveyed business and risk leaders said their organization has improved its approach to risk to achieve more robust compliance with regulatory standards in the last 12 months. When looking only at leaders from the top performing 5% of organizations, this number jumped to 81%. (PwC’s Global Risk Survey 2023)

8. 73% of organization leaders agree that cyber and privacy regulations are effective in reducing their organizations’ cyber risks in 2023. This is a noticeable increase from 39% who agreed with the same statement in 2022. (World Economic Forum's Global Cybersecurity Outlook 2023)

9. 80% of compliance professionals in strategic roles are focused on helping their organizations identify appropriate risks, while 79% are dedicated to providing greater visibility to senior management, highlighting the growing importance of compliance in driving strategic decision-making and risk management. (FloQast's 2024 Exploring Strategic Compliance: The Next Frontier)

10. The average US firm spends between 1.3 and 3.3% of its total wage bill on regulatory compliance.(The Cost of Regulatory Compliance in the United States 2024)

11. 84% of security and IT professionals list data protection frameworks, such as GDPR and CCPA, as a mandatory requirement for their industries. (Coalfire Compliance Report 2023)

12. When risk and compliance professionals were asked where their organizations's compliance function is housed, the top answers were:

  • It is an independent function reporting to the CEO and/or board of directors (22%)
  • Within IT/data security/data privacy (18%)
  • It is split across multiple departments (18%)
  • Within the legal department (17%)
  • Within the human resources department (9%)
  • Within the internal audit department (6%). (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

13. Compliance officers reported that the top three areas with which compliance is now involved are the implementation of a demonstrably compliant culture (58%), the setting of risk appetite (51%), and assessing the effectiveness of corporate governance arrangements (48%).(Thomson Reuter's Cost of Compliance Report 2023)

14. 76% of risk and compliance professionals said that ensuring their organization builds and maintains an ethical culture of compliance was a very important or absolutely essential consideration in its decision-making processes. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

15. Risk and compliance professionals spend the most time identifying and assessing risk (56%) and monitoring compliance (52%). (2023 Thomson Reuters Risk & Compliance Survey Report)

16. The top three priorities for legal and compliance leaders in 2024 are:

17. 60% of risk and compliance professionals indicate that Cybersecurity is a planned training topic over the next two-to-three years. This was the most commonly indicated compliance training topic. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

The risk of non-compliance

Turning your compliance program into a well-oiled machine can be a daunting task. But the risk of not having such a program in place far outweighs any hesitations you may have. If you need a reminder of just how high the risks associated with poor compliance management practices can be, look no further than the data points below. 

18. When asked what compliance issues they've experienced in the past three years, 19% of risk and compliance professionals said legal or regulatory action taken against the organization by a governing body. This was the third most common compliance issue reported. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

19. 77% of organizations have plans to transition to the next revision of applicable frameworks within the allowable periods, which indicates a strong awareness of the implications of these revisions and the need for action to maintain compliance. However, 21% of organizations plan to do nothing until a required audit or wait for external party findings. (Coalfire Compliance Report 2023)

20. Breaches cost almost $220,000 more on average when noncompliance with regulations was indicated as a factor in the event. (IBM's Cost of a Data Breach Report 2023)

21. Organizations with a high level of noncompliance with regulations showed an average cost of USD 5.05 million. This is a 12.6% increase compared to the average cost of a data breach, or USD 560,000. (IBM's Cost of a Data Breach Report 2023)

22. Despite the belief that cyber regulations are helping the organization, there’s a significant difference between CEO and CISO/CSO confidence in their ability to comply with these regulations. For example, 67% of CEOs are confident in their organization's regulation compliance with AI compared to 54% of CISO/CSOs. (PwC's 2025 Global Digital Trust Insights)

23. Three out of five corporate risk and compliance professionals feel confident about their ability to address compliance risks. (2023 Thomson Reuters Risk & Compliance Survey Report)

24. The top three factors cited as obstacles to a team’s confidence in their ability to address compliance risks were a lack of knowledgeable personnel, inadequate resources, and poor company culture. (2023 Thomson Reuters Risk & Compliance Survey Report)

Compliance management statistics

Many organizations have begun to automate aspects of their compliance strategy. Find out what practices are becoming the norm within the risk and compliance industry below. 

25. In a Navex Global Survey, 50% of risk and compliance professionals described their programs as mature – managing or optimizing – in 2024. The other half place themselves in the bottom 3 maturity tiers. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

26. 6% of risk and compliance professionals described their program as underdeveloped, or the least mature. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

27. 60% of GRC users still manage compliance manually with spreadsheets. (Coalfire Compliance Report 2023)

28. While 55% of CFOs and 50% of audit committees and boards are asking internal audit teams to do more work around risk, the bulk of internal audit’s capacity continues to be locked up in traditional audit and SOX work. On average, internal audit functions with Sarbanes-Oxley (SOX) responsibilities are currently allocating only 15% of their time to advisory-related work focused on key capabilities like enterprise risk management (ERM), continuous controls monitoring, information security controls testing, and others. Functions without SOX responsibilities allocate only slightly more advisory time, at 21%.(AuditBoard's Internal Audit’s Expanding Role: The Foundation for Connected Risk 2024)

29. In 2023, compliance and risk professionals said their top policy management challenges were training employees on policies (42%) and aligning policies to changing regulations (38%). This reflects some improvement from the 2022 survey, in which 48% said training employees on policies and 40% said aligning policies to changing regulations. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

30. 23% of security and IT professionals said staying aware and interpreting new requirements and regulations affecting the organization was the top compliance program challenge. (Coalfire Compliance Report 2023)

31. 76% of compliance managers say they manually scan regulatory websites to track changes and assess the impact on their organization. (MetricStream State of Compliance Survey Report 2021)

32. When asked what would help reduce the complexity and cost of the risk and compliance process, almost half (49%) of the surveyed corporate risk and compliance professionals said standardizing risk and compliance frameworks across their organization. (2023 Thomson Reuters Risk & Compliance Survey Report)

33. The majority of security and IT leaders (62%) cited mapping controls and systems across frameworks as a method used to manage the impact of complying with multiple compliance frameworks. (Coalfire Compliance Report 2023)

34. 64% of large companies (more than $1 billion in annual revenue) list enhanced evidence mapping as the top way to effectively demonstrate compliance with multiple frameworks. (Coalfire Compliance Report 2023)

35. 65% of respondents aid they have sufficient or very sufficient funding to audit, document, analyze, and act on the result of compliance efforts. 62% said they have sufficient or very sufficient staffing to do so as well. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

36. 61% of respondents said they expected the cost of senior compliance officers to increase. The top reasons why cost of senior compliance staff is expected to increase over the next 12 months is demand for skilled staff and knowledge (77%) and additional senior staff required to cope with volumes of regulatory requirements (40%). (Thomson Reuter's Cost of Compliance Report 2023)

37. The main skill required for an ideal compliance officer is subject matter expertise. Other important skills are communication skills, integrity, and attention to details. (Thomson Reuter's Cost of Compliance Report 2023)

38. While more than one-third of respondents expected compliance teams to grow as well as the cost of compliance staff to increase, turnover of staff and budgets remain at 2022 levels. (Thomson Reuter's Cost of Compliance Report 2023)

39. In 2023, 58% of security and IT professionals said they need larger compliance budgets. (Coalfire Compliance Report 2023)

40. 27% of security and IT professionals ranked mitigating internal audit fatigue from recurring second-party and third-party assessment activities as the top compliance program challenge. (Coalfire Compliance Report 2023)

Compliance tools statistics

As the industry evolves, new technologies and tools are introduced to streamline and improve processes. When companies incorporate these technologies and tools in a proactive compliance strategy, they find it saves them money and improves their overall security posture. 

41. Compliance leaders anticipate technology will be one of the areas of highest spend increases this year. (Key Budget, Staffing and Spending Trends for Compliance in 2023)

42. Almost two-thirds (65%) of corporate risk and compliance professionals said using technology to streamline and automate manual processes would help reduce the complexity and cost of risk and compliance. (2023 Thomson Reuters Risk & Compliance Survey Report)

43. In the Navex Global survey of risk and compliance professionals, the most prominent reason for adopting new risk and compliance automation and technology solutions was to reduce risks (41%). (Navex's 2024 State of Risk & Compliance Report)

44. The second most prominent reason for adopting new risk and compliance automation and technology solutions was to meet regulatory requirements (32%). (Navex's 2024 State of Risk & Compliance Report)

45. 19% of risk and compliance professionals indicated they are adopting new automation and technology solutions to reduce costs. (Navex's 2024 State of Risk & Compliance Report)

46. Only 7% of risk and compliance professionals said their organization does not use automation and technology solutions for their risk and compliance program. (Navex's 2024 State of Risk & Compliance Report)

47. 38% of organizations outsource some or all of their compliance functionality compared to 30% in 2022. (Thomson Reuter's Cost of Compliance Report 2023)

48. Roughly 1 in 5 of risk and compliance professionals identified the following reasons for adopting automation and technology solutions:

  • Automate practices and procedures (23%)
  • Help reach organizational objectives (23%)
  • Integrate program components (e.g., incident management, risk management, policy & procedure management, etc.) (21%)
  • Increase reporting capabilities (21%)
  • Improve program analytics (20%)
  • Streamline workflows/reduce redundancy (20%)
  • Reduce spent time on managing risk and compliance tasks (19%). (Navex's 2024 State of Risk & Compliance Report)

49. 70% of compliance and risk management leaders said they believe AI will have a transformative or major impact on their functions within the next one to five years. (Moody's 2024 Navigating the AI landscape: Insights from compliance and risk management leaders)

50. 82% of supply chain professionals indicate technology advancements, specifically in AI and machine learning, will have a significant impact on the supply chain over the next five years. However, only 24% of companies have integrated AI into their operations. (Inspectorio's State of Supply Chain Report 2024)

51. While 78% of all respondents said they believe AI is a force for good in their profession, one of the strongest endorsements came from the risk, fraud, and compliance professionals (89% said this). (Thomson Reuters 2024 Future of Professionals Report)

52. In UK companies that use AI in risk and compliance, the top use cases are:

  • Risk assessment and analytics (25%)
  • Data analytics and reporting (23%)
  • Workflow and document drafting (21%)
  • Fraud detection and prevention (19%)
  • Compliance training and education (15%)
  • Monitoring regulatory changes (13%). (2023 Thomson Reuters Risk & Compliance Survey Report)

53. A majority of organizations (67%) employ some level of security AI and automation, with 31% reporting they use it extensively in their operations. (IBM's Cost of a Data Breach Report 2024)

54. ​​Organizations that used AI and automation extensively reported USD 1.88 million lower data breach costs compared to organizations that didn’t use AI and automation. When AI and automation was deployed extensively across prevention workflows—attack surface management (ASM), redteaming, and posture management—organizations experienced even more cost savings. They averaged USD 2.2 million less in breach costs compared to those with no AI use in prevention workflows. This finding was the largest cost savings revealed in the 2024 report.  (IBM's Cost of a Data Breach Report 2024)
55. Organizations that used AI and automation extensively identified and contained data breaches nearly 100 days faster on average than organizations that didn’t use these technologies at all. (IBM's Cost of a Data Breach Report 2024)

Compliance Automation Platform Buyer’s Guide

Learn how a compliance AI and automation platform can help streamline and scale your security and compliance efforts, then use an evaluation form to fast-track the vendor evaluation process.

The importance of vendor and third-party risk management 

As many organizations opt to outsource various tasks to third-party vendors, the risks associated with sharing sensitive information jump sharply. Look at how other organizations are handling their vendor risk management with the statistics below. 

56. In an analysis by Cyentia Institute and SecurityScorecard, the average firm had around 10 third-party relationships and nearly all firms (98%) had at least one third-party partner who had suffered a breach in the last two years. (Cyentia Institute and SecurityScorecard Research Report 2023)

57. 98% of organizations are affiliated with a third party that has experienced a breach. Furthermore, at least 29% of all breaches have third-party attack vectors, although the percentage is likely much higher since many reports on breaches do not specify an attack vector. (SecurityScorecard's 2023 Global Third-Party Cybersecurity Breach Report)

58. Over 40% of organizations surveyed experienced a cyber incident linked to a third party, and another 21% experienced multiple. (2023 Report by ProcessUnity and CyberGRX)

59. When asked what compliance issues they've experienced in the past three years, 18% of risk and compliance professionals said third party ethics or compliance failure. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

60. 59% of senior decision-makers view the use of third parties as the most significant corruption risk facing their organization. (2023 Global Compliance Risk Benchmarking Survey)

61. Only 69% of risk and compliance professionals said their organization was at least “good” at engaging in ongoing monitoring and risk management throughout the course of a relationship with a third-party. (Navex's 2024 State of Risk & Compliance Report)

62. 64% of organizations stated that third-party risk management was viewed as a strategic imperative by their boards of directors and executive teams. (2023 Report by ProcessUnity and CyberGRX)

63. In 2023, the majority of compliance and risk professionals (72%) agreed their third-party due diligence program significantly reduces their legal, financial and reputational risks. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

64. The majority of compliance and risk professionals (80-88%) rate their organization as at least good in the various elements of a third-party due diligence program. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

65. Respondents from larger companies (5,000 employees or more) were most likely to rate their third-party due diligence program elements as very good or excellent (55-65%). Only 45-53% of smaller organizations (less than 5,000 employees) said the same across various program elements. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

66. Only 7% of compliance and risk professionals said they don’t do anything currently in their approach to third parties in 2023. This is down from 12% in 2022. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

67. 27% of organization apply the same risk management approach to all third parties regardless of risk level. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

68. On average, most organizations (85%) perform risk-based compliance diligence on third parties. Of these, more than half (55%) said that they perform risk-based diligence on third parties before contracting with them and also periodically thereafter. (2023 Global Compliance Risk Benchmarking Survey)

69. Most organizations (87%) have written policies regarding employee engagement/interaction with third parties. (2023 Global Compliance Risk Benchmarking Survey)

70. Almost three-quarters of organizations (74%) have a code of conduct for third parties, and two-thirds (66%) of those respondents require third parties to attest to their compliance with the code of conduct or similar policy. (2023 Global Compliance Risk Benchmarking Survey)

71. The majority of compliance and risk professionals (60%) rate their compliance program's performance as good or very good at requiring compliance training and certifications from third parties. A combined 20% of respondents rated their program as either poor or fair and 21% rated it as excellent. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

72. Only 22% of organizations perform regular compliance audits on third parties, with only 11% reporting annually and 11% reporting less frequently. 40% of organizations report auditing third parties only based on triggering events. (2023 Global Compliance Risk Benchmarking Survey)

73. 11% of risk and compliance professionals went as far as to say their program was “poor” with respect to ongoing monitoring of third parties. (Navex's 2024 State of Risk & Compliance Report)

74. 40% of legal, compliance, and privacy leaders selected "strengthening third-party risk management processes and/or technology" as one of their top five priorities. 6% selected it as their #1 priority. (Gartner for Legal, Risk & Compliance Leaders July 2025 Survey)

75. 35% of business and tech executives find third-party breaches to be one of the most concerning cyber threats, and 28% feel least prepared to address this threat. (PwC's 2025 Global Digital Trust Insights)

76. 40% of supply chain professionals consider risk management and supply chain resilience as their primary concern, followed by 37% focusing on regulatory and compliance pressures. (Inspectorio's State of Supply Chain Report 2024)

Data breaches by the numbers

Data breaches continue to be a costly risk for businesses, highlighting the need for preventative measures to monitor and flag any potential weaknesses in a company’s data protection. We’ve compiled a list of stats that underscore the costs associated with data breaches and common causes. 

77. 28% risk and compliance professionals said their organization experienced a data privacy/cybersecurity breach in the past three years, the most common compliance issue experienced over that period. This is a slight decrease from 30% in 2023. (Navex's 2024 State of Risk & Compliance Report)

78. Cyber incidents, such as cyber crime and data breaches, was reported as the leading risk to businesses globally for 2023 by 34% of risk management experts. (Statista)

79. More than half of breached organizations are facing high levels of security staffing shortages. This issue represents a 26.2% increase from the prior year. (IBM's Cost of a Data Breach Report 2024)

80. 73% of all data breaches involve the human element. They may be the result of human error, privilege misuse, use of stolen credentials or, social engineering.(Verizon's 2023 Data Breach Investigations Report)

81. 86% of web application breaches — which account for 25% of all breaches — involve stolen or weak credentials. (Verizon's 2023 Data Breach Investigations Report)

82. For the second year in a row, phishing and stolen or compromised credentials were the two most prevalent attack vectors, responsible for 15% and 16% of data breaches, respectively, in 2024. (IBM's Cost of a Data Breach Report 2024)

83. Breaches involving stolen or compromised credentials took the longest to identify and contain/ On average, it took nearly 10 months (292 days) to identify and contain these data breaches in 2024. (IBM's Cost of a Data Breach Report 2024)

84. About 1 in 3 data breaches involved shadow data, showing the proliferation of data is making it harder to track and safeguard. Shadow data theft correlated to a 16% greater cost of a breach. (IBM's Cost of a Data Breach Report 2024)

85. Phishing was the second most prevalent attack vector and the most expensive at the global average cost of USD 4.88 million per data breach. (IBM's Cost of a Data Breach Report 2024)

86. Although relatively rare at 7% of occurrences, attacks initiated by malicious insiders were the costliest, at an average of USD 4.99 million. (IBM's Cost of a Data Breach Report 2024)

87. 83% of breaches involved external actors, and the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches. (Verizon's 2023 Data Breach Investigations Report)

88. The average cost of a data breach jumped to USD 4.88 million from USD 4.45 million in 2023, a 10% spike and the highest increase since the pandemic. (IBM's Cost of a Data Breach Report 2024)

89. The industrial sector experienced the costliest increase in average breach costs of any industry, rising by an average USD 830,000 per breach over last year. (IBM's Cost of a Data Breach Report 2024)

90. Employee training is one of the most effective cost mitigators of data breaches. On average, breaches at organizations with employee training cost $260,000 less. (IBM's Cost of a Data Breach Report 2024)

91. In 2024, nearly half of all breaches (46%) involved some form of customer personal identifiable information, such as emails, phone numbers and home addresses, making customer PII the most commonly breached record type for the fourth year in a row. (IBM's Cost of a Data Breach Report 2023)

92. The global average for all stolen record types rose to a high of USD 169, with employee PII the costliest at USD 189 per record. (IBM's Cost of a Data Breach Report 2023)

How Secureframe can help you improve your security and compliance posture

Regardless of industry, there’s no question that risk and compliance practices are crucial to running a company in our current environment.

A compliance automation platform can help your organization reap the benefits of compliance while reducing the costs and complexity associated with it.

Below are some of the major benefits that Secureframe provides customers, according to a survey by UserEvidence:

  • Stronger security: 97% strengthened their security and compliance posture
  • Faster compliance: 89% sped up time-to-compliance for multiple frameworks
  • Reduced costs: 85% unlocked annual cost savings
  • Improved visibility: 71% improved visibility into their security and compliance posture
  • Accelerated deals: 66% accelerated sales cycles

To learn how Secureframe automates and streamlines the end-to-end compliance process so you can achieve similar results, schedule a demo.

About the UserEvidence Survey

The data about Secureframe users was obtained through an online survey conducted by UserEvidence in February 2024. The survey included responses from 44 Secureframe users (the majority of whom were manager-level or above) across the information technology, consumer discretionary, industrials, financial, and healthcare industries.

Use trust to accelerate growth

Request a demoangle-right
cta-bg