Why do companies need to comply (the short version)?

When asked why your company needs to comply, tell them this:

Investing in the company’s GRC program is not merely a compliance exercise but a move to shield our organization from this threat of non-compliance and the risks that come with it. By allocating the necessary budget, we are committing to uphold operational integrity, preserve our reputation, and avoid the substantial fines that can arise from non-compliance. Such an investment is critical for supporting our long-term success in an increasingly regulated and scrutinized business environment.

If they want to know more, here’s a much longer version. You can email me HERE and I’ll send you the long version as a PDF.

Why do companies need to comply (the long version)?

Let’s face it: we govern, and we comply, because we have to. We comply to cover our butts – that’s why and don’t let anyone argue otherwise.

I’ve seen way too many books, articles, and whitepapers that say that compliance is a “business driver” or a “source of competitive advantage.” That’s horsecrap.

I live at the top of a very large hill and my office is at the bottom, a couple of miles away. I play a game when I leave for work very early in the morning. You see, there are two stop signs and two traffic lights between my house and my office. If I time it right – and don’t stop at the first stop sign or the first stop light – I can get through the second one when it is green and coast the entire way from just outside my driveway to where I turn into the office parking lot. It’s fun. So, I play a game of risk. If I don’t see any cars near the stop sign, I don’t even brake (I can see a whole block left and right of me). If I get through that, the first stop light is on a ground-trigger and if my speed is just right, the light turns green just as I’m hitting the intersection. If I see other cars, the game is off. If I don’t, it’s on. It’s all a game of risk. I’ll comply with stopping if it’s risky for me not to do so.

Why do I do that? It’s fun, and I’m selfish. We as humans are all selfish. Period. Even our genes are selfish! A gentleman by the name of Richard Dawkins laid that argument out in his book “The Selfish Gene”^[1]. In it, he introduces the concept of the “selfish gene,” suggesting that genes act in their own self-interest to ensure their survival and propagation, often at the expense of the organisms they inhabit. Dawkins explores various aspects of evolutionary theory, including altruism, cooperation, and kin selection, all through the lens of gene-centered evolution. In short, we will favor ourselves at the expense of the organization and our community if left to our own accord. So we are forced to comply. And we are forced to create a governance body to enforce compliance, or at least compliance when we aren’t willing to take the risk.

What are the threats behind the risk of non-compliance?

Threats come in four basic flavors:

• court rulings against you or your organization, which could result in fines or imprisonment;
• industry fines against your organization;
• loss of business for your organization; and
• denial of insurance coverage for your organization.

Regulatory rules

Regulatory pressure for effective ethics and compliance programs (hereinafter “Program” is used to refer to an effective ethics and compliance program) has been increasing ever since the United States Sentencing Commission (USSC) passed the Federal Sentencing Guidelines for Organizations (FSGO) in 1991. However, scandals involving Enron, WorldCom, Tyco, Freddie Mac, AIG, Lehman Brothers, and others have significantly impacted modern regulatory compliance. These glaring misjudgments and compliance failures resulted in criminal actions that led to record fines and increased regulatory scrutiny designed to prevent future criminal violations.

Thus, today, more than ever, having a Program can directly impact a company’s bottom line by minimizing the risk of fines, penalties, and employee wrongdoing and by strengthening its corporate culture and reputation among its stakeholders. As businesses recognize the importance of the compliance function, the role of the compliance officer is also becoming more important, elaborate, and sought after. Unsurprisingly, the Bureau of Labor Statistics projects continued growth in the employment of compliance officers through 2022^[2].

The first drivers

The Federal Sentencing Guidelines for Organizations (FSGO) established a systematic approach to deterring organizational wrongdoing by providing universally enforceable sentencing guidelines and mitigating conditions. These guidelines, instituted by the United States Sentencing Commission (USSC), offer a framework for sentencing organizations convicted of federal crimes. Under the FSGO, companies with effective compliance programs can significantly reduce fines and penalties, with reductions of up to 95 percent^[3]. Conversely, organizations lacking such programs may face fines increased by up to 400 percent. The FSGO emphasizes the necessity for organizations to foster a compliance-oriented culture, promoting due diligence to prevent and detect criminal conduct^[4]. These guidelines underscore the importance of robust compliance programs in fortifying organizations against legal and reputational risks.

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) represents a comprehensive response to the 2008 financial crisis, aiming to enhance financial stability and consumer protection. Among its numerous provisions, Dodd-Frank introduces stringent regulations for the financial industry and establishes the Consumer Financial Protection Bureau (CFPB) to oversee consumer financial products and services. One key aspect of Dodd-Frank is its emphasis on whistleblower protection and enforcement^[5]. The act incentivizes individuals to report violations of securities laws by offering them financial rewards, leading to a significant increase in whistleblower tips and complaints being reported to regulatory authorities such as the Securities and Exchange Commission (SEC). Dodd-Frank highlights the importance of transparency, accountability, and ethical conduct in the financial sector, driving organizations to strengthen their compliance practices and internal controls^[6].

The Foreign Corrupt Practices Act (FCPA) is a crucial federal law that prohibits bribery of foreign officials by U.S. companies and individuals, aiming to combat corruption and promote ethical business practices globally^[7]. Enforced by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), the FCPA has seen intensified enforcement efforts in recent years, resulting in significant fines and penalties for non-compliant organizations. For instance, the DOJ’s enforcement of the FCPA led to substantial penalties for Marubeni Corporation, which was fined $88 million for foreign bribery charges in March 2014^[8]. The FCPA’s enforcement underscores the importance of implementing robust compliance programs and internal controls to mitigate legal and reputational risks associated with corrupt practices. Compliance with the FCPA is essential for organizations operating internationally, as noncompliance can lead to severe monetary losses and permanent reputational damage.

Current and future laws

The General Data Protection Regulation (GDPR) significantly impacted international privacy law by introducing stringent regulations and hefty fines for non-compliance^[9]. Designed to enhance personal data protection and privacy, GDPR applies to all types of businesses operating within the EU, imposing flexible fines that scale with the size of the organization. Infringements can lead to fines up to €20 million or 4% of the firm’s worldwide annual revenue, whichever is higher, depending on the severity of the violation^[10]. These regulations encompass a wide range of violations, including breaches of basic processing principles, conditions for consent, and data subjects’ rights. The regulation emphasizes the importance of adherence to its standards to avoid substantial financial penalties^[11]​​.

In the US, the federal government is cracking down on the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by updating regulations to include the Cybersecurity Maturity Model Certification (CMMC) 2.0^[12]. CMMC 2.0 introduces a streamlined model compared to its predecessor, focusing on safeguarding sensitive unclassified information from cybersecurity threats, including advanced persistent threats. This new version is expected to impact a significant number of entities within the defense sector, emphasizing the importance of a data-centric security approach to combat insider threats and ensuring the protection of DoD-sensitive data​.^[13] The DoD specifies that once CMMC 2.0 is implemented, self-assessments or third-party assessments will be required depending on the CMMC level, emphasizing the importance of maintaining compliance to secure and participate in DoD contracts and that they will utilize the False Claims Act (FCA) to prosecute entities and individuals who fail to adhere to required cybersecurity standards or knowingly misrepresent their cybersecurity practices^[14].

Industry fines

The most prominent examples of industry fines comes from the world of Payment Card compliance, specifically, complying with the Payment Card Industry Data Security Standard suite^[15]. PCI DSS applies to all businesses that process card payments, with compliance levels based on the number of transactions processed annually. Non-compliance and breaches can lead to fines ranging from $5,000 to $100,000 per month, depending on the volume of transactions and the period of non-compliance^[16]. Data breaches can incur fines of $50 to $90 per affected customer, potentially leading to lawsuits and compensation amounts reaching millions of dollars, as seen in the case of Equifax and others​. Over the past decade, several notable violations of the Payment Card Industry Data Security Standard (PCI DSS) have resulted in substantial financial and reputational damage to the organizations involved. These incidents highlight the critical importance of adhering to PCI DSS guidelines to protect cardholder data and avoid the severe consequences of non-compliance. Here’s a summary of some of the most significant breaches^[17]:

1. Magecart Attack on Warner Music Group (2020): Hacker groups under Magecart compromised payment card data by targeting third-party software companies, including card numbers, CVC/CVV, and expiration dates​​.
2. Target Data Breach (2013): Target lost data on 40 million cards due to a malware attack that bypassed their $1.6 million detection tool, resulting in nearly $18.5 million in settlements and over $202 million in legal fees​​.
3. Adobe Data Breach (2013): Adobe had 38 million user accounts compromised, including three million credit card records, leading to a $1 million settlement and undisclosed amounts for violating the Customer Records Act​​.
4. Heartland Payment Systems (2009): This breach affected 175,000 merchants and led to a 14-month ban from processing payments of major credit card providers, with approximately $145 million in compensation​​.
5. Equifax Data Breach (2017): Over 143 million Americans were affected, resulting in a settlement totaling $425 million for the loss of social security numbers, birth dates, addresses, driver’s licenses, and credit card numbers​​.
6. Home Depot (2014): Compromised 56 million credit cards and agreed to pay at least $19.5 million to compensate consumers, on top of $161 million in pre-tax expenses for the breach​​.
7. TJX Companies Inc. (2005–2006): Exposed over 94 million accounts by failing to secure their wireless networks and improperly storing data​​.
8. First American Financial Corporation (2019): A design defect on their website left 885 million records exposed, including sensitive financial information​​.
9. SolarWinds (2020): This was one of the most sophisticated and significant cyber espionage incidents ever discovered. Malicious code was inserted into software updates for SolarWinds’ Orion platform, used by over 33,000 customers, affecting numerous US government agencies and private companies​.
10. LinkedIn (2021): Approximately 700 million LinkedIn profiles were scraped, nearly 92% of its total user base, and the data was put up for sale online. The information included emails, phone numbers, and professional details.
11. T-Mobile Data Breach (2023): T-Mobile announced a breach affecting 37 million customers, with personal data including names, emails, and birthdates exposed. No financial data was compromised, and affected customers were offered credit monitoring services​.
12. Okta Data Breach (2024): Hackers accessed Okta’s customer support system using a service account, affecting numerous customer support cases. The breach was discovered after suspicious account activity was identified.

Loss of business

There are two great examples of loss of business. The first one hits very close to home for us here at Unified Compliance. Prior to 2024, the number of our clients that required a cyber risk analysis was 10%. At the beginning of 2024, 85% of our clients required a cyber risk analysis to be conducted prior to doing business with us (even clients who have been doing business with us for over a decade). Indeed, cybersecurity and third-party risk management are significant concerns for businesses today^[18]. The growth in the use of external independent advisors for cybersecurity matters to 45% from 15% in 2018 indicates an increasing reliance on third-party risk analyses^[19].

Organizations wanting to do online business with the US Federal Government must pass the Federal Risk and Authorization Management Program (FedRAMP) compliance in the US defense space. FedRAMP aims to ensure that cloud services used by the government have adequate security measures in place. There are two types of FedRAMP authorizations: the Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) and an agency-specific Authority to Operate (ATO). While obtaining a JAB P-ATO can be more challenging due to its rigorous review process, it allows a cloud service provider (CSP) to offer their services across all federal agencies. The problem, at this point, is that because enforcement of FedRAMP isn’t prevalent, many organizations that need to comply are failing to comply^[20]. This is probably the reason that the CFRs are being updated with CMMC 2.0 certification guidelines and enforcement policies.

Denial of insurance

There are instances where organizations have been refused cybersecurity insurance due to their inability to meet the security requirements imposed by insurance companies^[21]. The cybersecurity insurance market has grown increasingly stringent, with insurers demanding detailed security measures as a condition for coverage. This is largely due to the rising costs associated with data breaches, ransomware attacks, and other cyber threats. For instance, organizations may be denied coverage for several reasons, including failure to maintain or follow an ongoing program of minimum security standards, discrepancies or errors in completing initial risk assessments and conducting their own initial forensic discovery without proper incident response planning^[22]. Insurance providers assess whether businesses took “due care” to protect themselves from cyberattacks and closely scrutinize claims for ransomware payments, IT forensics, legal costs, and other factors related to breaches^[23]​.

Compliance is not a business driver

Don’t think of being compliant as a business driver. Think of it as the necessary seatbelts you must wear or hear that annoying “ding ding ding” in your car^[24] if you don’t wear them.

Being compliant can keep you safe when threats arise – true.

If you get in a wreck, seatbelts can save your life.

If your payment system or marketing system is hacked, being in compliance can save you huge amounts in fines, and most likely, your insurance won’t get canceled.

Compliance Programs are, therefore, risk-based

In advocating for the allocation of a budget towards our Governance, Risk Management, and Compliance (GRC) program, it is imperative to recognize the fundamental role this investment plays in safeguarding the organization against a myriad of potential threats. The essence of building a robust GRC program lies in its ability to effectively mitigate risks and prevent the significant negative outcomes that stem from non-compliance with critical regulations such as the FSGO, Dodd-Frank, FCPA, GDPR, and standards such as PCI-DSS and CMMC 2.0. The consequences of failing to meet these regulations and standards are far-reaching and include severe legal penalties, substantial financial losses, and irreversible damage to our reputation.

Summing up your “why” to the board

No board is going to read the pages we’ve just written about why compliance is important. So here’s the TLDR^[25] of everything we just said:

Investing in the company’s GRC program is not merely a compliance exercise but a move to shield our organization from this threat of non-compliance and the risks that come with it. By allocating the necessary budget, we are committing to uphold operational integrity, preserve our reputation, and avoid the substantial fines that can arise from non-compliance. Such an investment is critical for supporting our long-term success in an increasingly regulated and scrutinized business environment.

They are going to ask for proof…

But of course you’ll be asked for proof, right? Right! Here’s some hard evidence for you that demonstrate the effectiveness of compliance programs. Here are five ways others have published for measuring the effectiveness of an organizational compli-ance program taken from a bevy of online sources ^[26]:

1. Risk Mitigation Timeframe - This measures the time it takes to implement changes to mitigate identified risks. A shorter timeframe indicates an effective program that can adapt quickly to changing circumstances.
2. Issue Detection Rate - The number of compliance issues detected internally divided by the total number of issues. A higher rate suggests the program is effectively identifying potential violations.
3. Compliance Expense Per Issue - The total compliance costs divided by the number of issues detected and resolved. A lower value indicates cost-efficiency in addressing compliance matters.
4. Employee Engagement Metrics - Data on employee interactions with policies, training, and reporting channels like hotlines. Higher engagement suggests an effective program that employees understand and utilize.
5. Regulatory Compliance Metrics - Measures of adherence to specific laws and regulations, such as timely I-9 submissions or corrected tax statements. Meeting these requirements demonstrates program effectiveness.
6. Audit Findings - The results of periodic audits that test internal controls and employee conduct alignment with policies and procedures. Fewer adverse findings indicate an effective program.
7. Remediation Timeframe - How quickly the organization addresses and resolves identified compliance issues and deficiencies. Prompt remediation is a sign of program effectiveness.

References

1. “The Selfish Gene (Popular Science): Richard Dawkins: 9780192860927: Amazon.Com: Books.” ↑

2. “Compliance Officer - Career Rankings, Salary, Reviews and Advice | US News Best Jobs.” ↑

3. “Effective Compliance & Ethics Programs Reduce Federal Fines by up to 95%.” ↑

4. “2010 FEDERAL SENTENCING GUIDELINES MANUAL: 2010 8b2_1.” ↑

5. “SEC.Gov | Office of the Whistleblower.” ↑

6. Haddon, “The Effect of the Dodd-Frank Act on Risk in the Financial Sector.” ↑

7. “Criminal Division | Foreign Corrupt Practices Act.” ↑

8. “Foreign Corrupt Practices Act.” ↑

9. Lechner, “GDPR.” ↑

10. “What If My Company/Organisation Fails to Comply with the Data Protection Rules?” ↑

11. “What Are the GDPR Fines? - GDPR.Eu.” ↑

12. “FAR 552.204–2 Security Requirements for FCI”; “48 CFR § 4.1901 - Definition of FCI”; “48 CFR § 52.204–21 - Basic Safeguarding of Covered Contractor Information Systems.”; “Executive Order 13556 of November 4, 2010L: Controlled Unclassified Information”; “32 CFR Part 2002 ‘Controlled Unclassified Information.’” ↑

13. Mroz, “CMMC 2.0.” ↑

14. “CMMC 2.0 Simplifies Requirements But Raises Risks for Government Contractors | Insights | Holland & Knight.” ↑

15. “PCI DSS Document Library.” ↑

16. Subabrata, “PCI DSS Fines and Penalties Explained.” ↑

17. “5 of the Biggest PCI Compliance Breaches to Date | GoAnywhere MFT.” and “8 Shocking Real-World PCI Violations and Their Consequences — Etactics.” ↑

18. “Gartner Survey Finds 45% of Organizations Experienced Third Party-Related Business Interruptions During the Past Two Years.” ↑

19. “What Cyber Disclosures Are Telling Shareholders in 2023.” ↑

20. fedweek, “Without Enforcement, Cloud Contracts Not in Compliance with FedRAMP.” ↑

21. “Why You Could Be Denied Cyber Insurance Policy Coverage | Mindcore.” ↑

22. “Four Tips to Avoid Denial of Cyber Insurance Coverage for a Data Breach.” ↑

23. “Avoiding The Most Common Cyber Insurance Claim Denials | GB&A.” ↑

24. Thank god I drive an old Miata that didn’t require the stupid “ding” noise when not putting them on. ↑

25. Too Long Didn’t Read ↑

26. Kelly, “5 Compliance Metrics Every Business Should Measure — GAN Integrity Blog”; Middleton, “Key Metrics for a Compliance Program to Monitor”; “Compliance Program Performance Metrics”; Team, “How to Measure Compliance Program Performance”; compliancelin1, “How Can You Measure a Compliance Program’s Effectiveness?” ↑