The Compliance Officer’s Dirty Little Secret

Published: 22/11/2024   Category: security




Fines may not equal cost of regulatory compliance, but they aren’t the only cost of noncompliance



At many organizations, chief compliance officers (CCOs) conclude the price of achieving compliance is more than the expense of a regulatory fine. So they roll the dice, attempting to save money by forgoing serious compliance efforts, thinking they’ll simply absorb the fines for noncompliance if they’re ever caught. Unfortunately, that gamble is made on flawed assumptions: Most of these initial calculations are based on numbers that don’t figure in the long tail of cost incurred from noncompliance and data breaches.
This faulty calculation is the dirty little secret of today’s typical CCO, says Bob Janacek, CTO at cloud-based information delivery company DataMotion.
“There are a lot of compliance officers that just go into this maybe reading about what the fine will be, and they think that’s all that is because they haven’t been through it before and they don’t see the long tail behind that,” he says. “It’s not just the front-end fines.”
Compliance and security personnel need to factor much more than just regulatory fines into their risk calculations, warns Chris Apgar, CEO and president of Apgar & Associates, a privacy, security, and regulatory compliance consultancy. He says they need to think of the legal risks from class-action lawsuits incurred following a breach, the cost of notification of victims, potential fallout in stock prices, the cost of technology and consultants to remediate problems when the regulators crack down, and the intangible costs of brand damage when word gets out about the company’s missteps.
Apgar holds up the recent fallout from a breach at Blue Cross Blue Shield of Tennessee as a good example of how fines are just a small cost associated with noncompliance.
“Yes, they were fined $1.5 million, but it cost them over $17 million to address the breach and mitigate,” he says. “It can be very expensive, and that’s real hard costs: That’s not the intangible costs of loss of trust and potential loss of business. People don’t understand what the full cost is because they just focus on what does the regulation require of me and what are the penalties?”
Apgar relates an example he saw recently in a customer engagement to illustrate how hidden costs can manifest themselves when security incidents arise. In working with a large utility to test its incident response plan, his team found that its IT shop’s response procedures were in great shape. But when it came to responding to something in concert with other departments that would be affected by a breach, that’s when things got squirrelly.
“When we brought in the attorney and the communications shop and so forth, it just fell apart,” he says. “They didn’t know what to do or where to go. There wasn’t that linkage between a good, solid IT shop that was secure and then, when it spilled over into the business, what it would cost or what it would even take to address it.”
According to Janacek, it will take a while yet for most CCOs to gather a broader picture of the risks as compared with the cost of compliance.
“I think it may take a long time for compliance officers to really see the total risk that a compliance breach has on the organization,” says Janacek, who believes that at the moment many well-intentioned CCOs are still learning through ad-hoc, on-the-job training. “But hopefully when they see the total costs of these breaches in the media, and how many more times it costs to remediate these breaches versus putting in systems that could prevent them in the first place, hopefully they have the clout to try to do the right thing.”
And when they do try to do the right thing, then perhaps the costs will be cut not through the roll of the dice, but instead by creating an efficient governance, risk, and compliance program.
“The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable,” says Ben Tomhave, principal consultant at LockPath. “As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner. To achieve this objective, businesses will need to formalize their GRC practices through stand-up of a GRC program.”