The report, titled “A New Era of Compliance: Raising the Bar for Organizations Worldwide” and sponsored by RSA, found that companies are constantly updating their compliance programs to meet tougher information security requirements, which often conflict from country to country.
“One country tells you to do one thing; while another tells you [that you] can’t do that. It makes it difficult to have a global model for compliance. Organizations end up having to duplicate functions across sovereign boundaries to stay compliant, adding costs”, according to the report.
In addition to regulatory fines and actions, data breaches can lead to costs, such as the expense of notification, damage control activities, breach investigation and clean-up; damage to reputation caused by negative media; loss of customer, business partner, and investor trust; legal costs of litigation; decline in shareholder value; loss of business; heightened scrutiny by business partners and customers through more detailed assessments; and higher costs of meeting future contract requirements.
“Our research suggest that quick fixes in the field of regulatory compliance are rarely effective in the longer term, even though they may appear to work in the shorter term”, Paul Dorey, an SBIC member and director of CSO Confidential, told Infosecurity. “We also discovered that standards are increasingly important in the field of regulatory compliance, mainly because there is an increasing dependence on third parties.”
Companies are becoming more nervous because regulators around the world are holding them accountable for data breaches caused by third parties. The increasing use of third parties increases the need for effective corporate oversight; this additional oversight can increase costs as well. In addition, third-party service providers will need to increase their information security investment to comply with more stringent regulatory requirements, the report noted.
“Heightened scrutiny of other people and by other people is going to cost you. Besides regulators, customers or partners who are working with you are going to demand more of you. That’s going to add cost,” said Stewart Room, partner at Field Fisher Waterhouse, who contributed to the report.
The move to the cloud is creating additional regulatory compliance issues. The study cited Google’s delay in setting up a cloud-based email and document archiving system for the City of Los Angeles because of information security requirements of the state’s Justice Department and the Los Angeles Police.
The study recommends that business take a number of steps to cope with the more stringent regulatory compliance environment, including fortifying third-party risk management, employing risk-based compliance methods, and automating the compliance process.