Compliance ‘Laggards’ Face Most Financial Risk from Data Loss, Report Shows


The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that can be cost-effectively avoided. The report, “Why Compliance Pays – Reputations and Revenues at Risk,” finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year. Those firms with the best IT compliance results have, at most, two disruptions annually.


“There are two real key findings from this ongoing report for financial institutions. We are finally able to quantify publicly reported data losses (this data was also checked against historical databases). Financial risk for losing data is absolutely huge, compared to the amount of money being spent on compliance and data protection,” said Jim Hurley, a senior research manager for Symantec and senior director of the IT Policy Compliance Group.

“The second key finding, and we stumbled onto this by accident, is the relationship between compliance and data loss. How well (or poorly) a company does compliance, and how well (or poorly) they’re doing on data loss, we found a relationship between the two,” Hurley noted.

“I expected a normal distribution, a normal spread like what we see in the rest of the world of compliance. But it’s a one to one mapping between the two. At first I thought the numbers were skewed, but we checked them and they are right. I expected a different distribution, but across the entire universe of companies, this distribution rings true,” Hurley said. The companies that are doing well in their compliance efforts suffer far fewer data loss events and business disruptions.

Notably, Hurley said, the financial and accounting services industry sees more “compliance laggards”: its share is about 5 percent higher than that of the population at large. “The banking industry matches the entire population, they don’t do any better or any worse than the rest of the industries in the survey,” he explained.

Key Findings

Most organizations are exposed to financial risk from data loss and theft

Nine out of ten firms are not leveraging compliance and IT governance procedures that could help mitigate financial risk from lost or stolen data. Benchmark results include:

  • Lagging organizations—2 out of 10—have the most to gain.
  • Normative organizations—7 out of 10—can reduce substantial financial risk.
  • Leading organizations—only 1 out of 10—are well positioned.

Compliance leaders have the fewest business disruptions

Firms with the best IT compliance results have the least business downtime from IT security events. Findings show:

  • Compliance leaders have only two or fewer disruptions annually from IT security events.
  • Compliance laggards experience 17 or more disruptions a year from IT security events.

Compliance leaders have the least data loss and theft

Firms with the best IT compliance report the fewest data losses. Results include:

  • Compliance leaders have two or fewer data losses or thefts of sensitive data annually.
  • Compliance laggards have 22 or more data losses per year.

Probability of a financial loss: Not if, but when

Financial loss will occur with data loss and theft. The question is when and by how much. The probability of making the front page of the paper for a data loss or theft is:

  • Once every three years or sooner for compliance laggards
  • Once every 42 years or later for compliance leaders

Financial risk and loss are significant enough to manage

The expected financial risk for publicly disclosed data loss and theft is matched by limited actual experience. Financial risks include:

  • An 8 percent decline in the market value of a share of stock for publicly traded firms
  • An 8 percent loss of customers
  • A temporary decline in revenue of 8 percent
  • Additional costs for litigation, notification, settlements, cleanup, restoration, and improvements averaging $100 per lost customer record

Returns are high

Due to high financial risk and relatively low spending on compliance and data protection, returns on spending for compliance and data protection are high:

  • Start at about 100 percent on the low end
  • Easily exceed 1,000 percent for higher returns

Best practices to improve results: Follow the leaders

The benchmarks identify practices being implemented by leaders that dramatically improve IT compliance results, markedly reduce business downtime from IT security events, substantially reduce incidents of data loss and theft, and reposition these firms for lower financial risk. Such practices include:

  • Implementing more of the appropriate IT controls
  • Reducing control objectives, making it easier to communicate, measure, and report
  • Establishing higher standards for performance objectives
  • Encouraging a culture of operational excellence in IT
  • Monitoring, measuring, and reporting controls against objectives at least once every two weeks
  • Allocating more funds to control automation

Even if not disclosed publicly, the likelihood that a data breach generates negative publicity is proportionally higher for companies with poor IT policy compliance programs. The report finds the probability of making headlines for a data loss or theft is once every three years for compliance laggards, but only once every 42 years for compliance leaders.

“The report itself validates what companies have been striving to accomplish. All too often companies are implementing controls more from a compliance standpoint than from a due diligence standpoint. But taking the results of this report, it validates the justification that companies are looking for when they spend money on compliance controls,” said Rocco Grillo, managing director at Protiviti, a technology risk consultancy.

“When you can bring this type of validated data to the table, this is the type of data that your executives are looking for. Most IT organizations already know where their vulnerabilities exist, but it’s the cost of the countermeasures that is the struggle. By having data like this to substantiate it, it establishes a business case for spending,” Grillo concluded.

This new research from the IT Policy Compliance Group also includes several recommendations for developing and implementing more effective IT policy compliance controls, and is available at

About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
