If there’s one constant within the compliance industry, it’s this:
The state of risk and compliance is ever-changing.
As cybersecurity concerns continue to grow, the cost associated with not having a well-thought-out risk and compliance program is sky-high.
We’ve compiled 70 compliance statistics for 2022 that cover the cost of non-compliance, compliance management, internal audit numbers, vendor risk management data, and industry trends.
We hope these statistics will help educate teams about the importance of compliance, build a solid compliance program, and get executive buy-in to address the changing nature of compliance risks.
As the compliance industry evolves, new technologies and tools are being introduced to streamline and improve processes. When companies take a proactive approach to creating and solidifying their compliance strategy, they find it saves them money and improves their overall security posture.
Find out how the industry has changed in recent years.
1. 86% of companies surveyed agreed that innovative digital technologies have helped identify financial crime. (Refinitiv's Global Risk and Compliance Report 2021)
2. The leading risk among organizations for 2021 was business interruption (41%), including supply chain disruptions. This was followed closely by cyber incidents such as cybercrime, data breaches, and fines and penalties at 40%. (Statista)
3. 70% of risk and compliance experts said the pandemic has increased their reliance on technology to improve decision-making, performance monitoring, and risk management. (Thomson Reuters' Fintech, Regtech and the Role of Compliance Report 2021)
4. Firms have identified the top five risk and compliance functions that can benefit from technology as the following:
5. Cybersecurity practices among vendors are becoming an expectation, as 44% of firms say they are being asked for proof of cybersecurity as part of a request for proposal (RFP). (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021)
6. Risk and compliance programs are maturing. Navex Global found that the number of "mature and advanced" risk and compliance programs grew by 29%, while the number of "reactive and basic" ones declined by 35%. (Navex Global's 2021 Definitive Risk & Compliance Benchmark Report)
7. 34% of organizations outsource some or all of their compliance functions. (Thomson Reuters' Cost of Compliance Report 2021)
8. If it were a country, U.S. regulation would be the world’s eighth-largest economy. (CEI Ten Thousand Commandments 2021)
9. When security professionals are asked how to improve their company’s security posture, the top answer is upgrading tools (67%). They also report that this effort is being thwarted by integration difficulties, lack of expertise, and the sheer number of tools to manage. (Netenrich's Global 2021 Survey of IT and Security Professionals)
10. 80% of respondents say they had a business continuity plan in place and that it helped them navigate the pandemic’s impact. (Navex Global's 2021 Definitive Risk & Compliance Benchmark Report)
Turning your compliance program into a well-oiled machine can be a daunting task. But the cost of not having such a program in place far outweighs any hesitations you may have. If you need a reminder of just how high the costs associated with poor compliance management practices can be, look no further than the data points below.
11. Organizations lose an average of $4 million in revenue due to a single non-compliance event. (GlobalScape's The True Cost of Compliance with Data Protection Regulations)
12. There has been a 45% increase in the cost of non-compliance since 2011. (Diligent Insights' How Compliance Officers See the World in 2020)
13. 50% of organizations said they spend 6-10% of their revenue on compliance costs. (Bloomberg)
14. 31% of respondents predict their compliance teams will grow in the next 12 months, down from 43% in 2018. (Thomson Reuters' Cost of Compliance Report 2021)
15. The projected total cost of financial crime compliance across financial institutions worldwide is $213.9 billion. (LexisNexis Global True Cost of Compliance 2020 Report)
16. U.S. businesses spend an average of $10,000 per employee on regulatory costs. (CEI Ten Thousand Commandments 2021)
17. In the U.S., PCI compliance fines aren’t published, but they can range from $5,000 to $100,000 per month until the issue is dealt with. (Diligent Insights' How Compliance Officers See the World in 2020)
18. Regulatory monitoring can save businesses $1.03 million on average. (GlobalScape's The True Cost of Compliance with Data Protection Regulations)
19. Globally, fraud causes total losses upwards of $3.6 billion. (Association of Fraud Examiners’ 2020 Global Study on Occupational Fraud and Abuse)
20. Regulators fined banks $10 billion in a 15-month period through 2019, with most of those fines caused by cyber attacks (60%). (Fenergo)
21. Organizations spend $5.47 million on compliance compared to an average of $14.82 million for non-compliance. (GlobalScape The Total Cost of Compliance with Data Protection Regulations)
22. The General Data Protection Regulation (GDPR) offers some of the strictest penalties among data protection regulations and standards. Under the GDPR, EU authorities can fine organizations up to €20 million, or 4% of worldwide turnover for the preceding financial year, whichever is higher. (Tessian Biggest GDPR Fines of 2019, 2020, and 2021 (So Far))
Many organizations have begun to automate aspects of their compliance strategy. Find out what practices are becoming the norm within the risk and compliance industry below.
23. 44% of organizations say their top compliance management challenges are handling compliance assessments, undergoing control testing, and implementing policy and process updates. (MetricStream State of Compliance Survey Report 2021)
24. 76% of compliance managers say they manually scan regulatory websites to track changes and assess the impact on their organization. (MetricStream State of Compliance Survey Report 2021)
25. 40% of organizations say they use office productivity software, such as documents and spreadsheets, for compliance management. (MetricStream State of Compliance Survey Report 2021)
26. The top three skills for compliance officers are subject matter expertise, communication skills, and anticipating future regulatory trends. (Thomson Reuters' Cost of Compliance Report 2021)
27. Stagnant budgets and a shifting workforce have left many compliance teams feeling stretched, with 87% of organizations reporting they have no additional capacity due to being understaffed or only adequately staffed. (Deloitte State of Compliance 2020 Report)
28. ISO is the largest international standards organization in the world, with 24,130 international standards covering nearly every aspect of technology and manufacturing. In the year 2020 alone, ISO published 1,627 new standards. (ISO)
29. 55% of organizations say their compliance culture is based around a “Can we?” rather than “Should we?” attitude, indicating a focus on building a more proactive and positive compliance culture. (Deloitte State of Compliance 2020 Report)
30. 43% of those under extreme pressure to increase revenue due to the pandemic said they would like to deploy artificial intelligence (AI) and machine learning (ML) to combat financial crime in the future. (Refinitiv's Global Risk and Compliance Report 2021)
31. 68% of companies prioritize threats according to the potential cost to the business. The impacts they fear most are data loss and damage to customer relationships. (Netenrich's Global 2021 Survey of IT and Security Professionals)
32. In the wake of the pandemic, compliance training has shifted to e-learning, with 62% of organizations reporting they use that method, compared with blended learning (30%) and instructor-led training (9%). (Deloitte State of Compliance 2020 Report)
As many organizations opt to outsource various tasks to third-party vendors, the risks associated with sharing sensitive information jump sharply. Look at how other organizations are handling their vendor risk management practices with the statistics below.
33. 44% of organizations have experienced a breach within the last 12 months, with 74% saying it was the result of giving too much privileged access to third parties. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security Report)
34. 47% of firms predict they will spend more on third-party risk management resources in 2021. (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021)
35. 58% of organizations say that the top challenge they face when it comes to third-party risk management is vendor responsiveness in the due diligence phase. (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021)
36. 48% of organizations find it challenging to track third-party compliance. (MetricStream State of Compliance Survey Report 2021)
37. Organizations spend more than 15,000 hours completing risk assessments each year. (Ponemon Institute and CyberGRX’s The Cost of Third-Party Cybersecurity Risk Management 2019)
38. The average annual spend on vetting third parties is $2.1 million. (Ponemon Institute and CyberGRX’s The Cost of Third-Party Cybersecurity Risk Management 2019)
39. 63% of organizations say that reliance on a vendor’s reputation is the most common reason they are not thoroughly evaluating their privacy and security practices. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security Report)
40. 61% of respondents say their third-party management program does not define or rank risk levels. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security Report)
41. 73% of organizations find managing third-party permissions and remote access to be a drain on internal resources and an overwhelming undertaking for their team. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security Report)
42. Many organizations are not thoroughly vetting a vendor’s security and privacy practices. Only 49% say their organizations perform this due diligence with all third parties before allowing them access to sensitive and confidential information. (Ponemon Institute’s A Crisis in Third-Party Remote Access Security Report)
Data breaches continue to be a costly risk for businesses, highlighting the need for preventative measures to monitor and flag any potential weaknesses in a company’s data protection. We’ve compiled a list of stats that underscore the costs associated with data breaches and common causes.
43. 65% of organizations say they predict spending more on cybersecurity and privacy resources in 2021. (ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021)
44. Identity-based attacks are on the rise. Almost 90% of web application breaches were caused by credential abuse, and phishing was present in more than a third of all breaches. (Verizon's Data Breach Investigations Report 2021)
45. 78% of companies worldwide say zero trust has increased in priority, and nearly 90% are currently working on a zero trust initiative. (Okta's State of Zero Trust Security 2021 Report)
46. More than 60% of all data breaches involve stolen or weak credentials. (Verizon's Data Breach Investigations Report 2021)
47. From February to April 2020, attacks targeting the financial sector grew by 238%. (VMware Modern Bank Heists Threat Report)
48. The average cost of a data breach among companies surveyed reached $4.24 million per incident in 2021, the highest in 17 years. (IBM)
49. Remote work poses a new data breach threat. Breaches cost over $1 million more on average when remote work was identified as a factor in the incident. (IBM)
50. Customer personal data (such as name, email, and password) is included in 44% of data breaches. (IBM)
51. The total number of cyber attack-related data compromises year-to-date is up 27% compared to the fiscal year 2020, with phishing and ransomware seen as the top attack methods. (Identity Theft Resource Center Q3 2021 findings)
52. 67% of organizations with 5,001–10,000 employees plan to invest in employee security awareness, which is twice the number reported in 2019 (33%). (Netwrix 2020 IT Trends Report)
53. About 60% of companies have over 500 accounts with non-expiring passwords, highlighting just one of the inadequate security practices that leave companies open for data breaches. (Varonis)
54. By 2023, Gartner predicts that 65% of the world’s population will have its personal data covered under modern privacy regulations. (Gartner’s State of Privacy and Personal Data Protection report)
A key component of an organization’s governance, risk, and compliance program is regular internal audits.
Internal audits help companies find weak spots in internal processes before an external source does. We’ve compiled the following insights surrounding internal audits, highlighting their importance and how they’re conducted.
55. Only two in 10 chief audit executives said internal audits have experienced “extensive impact” from COVID-19. (The Institute of Internal Auditors 2021 North American Pulse of Internal Audit Report)
56. The top five highest risk areas as defined by chief audit executives are:
57. 66% of audit departments communicate with other risk and control groups within their organizations on how they can better share resources, particularly risk assessment and data analytics. (Gartner 2020 State of the Internal Audit Function Report)
58. Pre-pandemic, internal audit budgets grew 5% per year between 2017 and 2019. However, in 2020, that figure saw a 1.5% decrease. Gartner expects that number to remain flat in 2021. (Gartner 2020 State of the Internal Audit Function Report)
59. The Institute of Internal Auditors (IIA) suggests that over 75% of audit teams lack a modern audit technology solution. (IIA)
60. 62% of survey respondents said that moving from traditional, manual processes to a data-driven audit is a top challenge. (CaseWare IDEA State of Internal Audit 2020 survey)
61. Only 29.8% of respondents say that they regularly use data analytics in their audits. (CaseWare IDEA State of Internal Audit 2020 survey)
62. Holding regular compliance audits can save organizations up to $2.86 million. (GlobalScape's The True Cost of Compliance with Data Protection Regulations)
63. 37% of companies perform one or more internal audits annually. (GlobalScape's The True Cost of Compliance with Data Protection Regulations)
When it comes to the future of the compliance industry, businesses have been forced to rethink their operational resilience. With the disruption organizations continue to face due to the pandemic, companies have seen first-hand the need for, and benefits of, a well-run risk and compliance management program.
We’ve rounded up a few of the compliance trends industry experts predict for the coming year.
64. The three areas of compliance that organizations plan to focus on in the future are enhancing regulatory and internal compliance assessments, elevating third-party compliance, and improving employee awareness with more compliance training. (MetricStream State of Compliance Survey Report 2021)
65. 62% of companies expect more compliance involvement in cyber resilience in the coming years. (Thomson Reuters' Cost of Compliance Report 2021)
66. Half of survey respondents expect the personal liability of compliance professionals to increase in the next 12 months, and 10% expect it to increase significantly. (Thomson Reuters' Cost of Compliance Report 2021)
67. 34% of organizations say that regtech solutions are affecting the management of compliance. (Thomson Reuters' Cost of Compliance Report 2021)
68. When surveyed, 1,100 compliance and GRC professionals ranked their top priorities for 2022 as:
69. The total projected cost of financial crime compliance in the U.S. and Canada for 2021 is $49.9 billion, which is an increase of 19% from 2020. (LexisNexis Risk Solutions’ 2021 True Cost of Financial Crime Compliance Study)
70. It’s estimated that we will see an increase in climate-related disasters over the coming decades, which will push businesses to adopt environmental, social, and corporate governance (ESG) practices and procedures. Impacts will include supply chain management, investment decisions, and operational and strategic decision-making. (Navex Global Top Risk & Compliance Trends for 2021)
We hope these statistics help provide an overview of the current state of compliance. Below is a visual guide of some of the most important facts and figures we covered.
Regardless of industry, there’s no question that risk and compliance practices are crucial to running a company in our current environment. Assessing and monitoring your business’s ongoing compliance strategy can help save thousands of dollars and improve your security posture.