Companies routinely underestimate the investment required to meet compliance. Treating compliance as a one-and-done activity that you can get through with minimal spend only sets you up for unpleasant surprises later. Compliance is a long process that pulls in HR, finance, security, leadership, and others, so it is important to lay out all of the costs up front and set aside a realistic budget.
A good way to approach compliance is to treat it like a new product launch: you will need a dedicated project team, new technology, a reasonable budget, and a timeline to get it off the ground.
Let’s begin by breaking down the various types of costs associated with compliance:
- Direct Costs: These are expenses related to implementing compliance requirements and undergoing an audit, including assessments, auditors, and new technology.
- Indirect Costs: These are the intangible costs like time, management, and training.
- Opportunity Costs: These are the costs of not meeting compliance, or of meeting it late, such as lost business, penalty fees, and a diminished reputation in the industry.
The actual costs for each of these categories will vary based on:
- The industry your organization sits in
- How many employees you have
- The number of regulations you’re required to adhere to
- The amount of sensitive and confidential information you’re required to safeguard
Throughout this series, we’ve kept our focus on PCI DSS and HIPAA, so let’s take a look at how to budget for each in consideration of direct, indirect, and opportunity costs.
Etched in Ink: The Direct Costs
Direct costs alone can be a major barrier to entry for companies that are considering HIPAA or PCI DSS compliance.
HIPAA Costs
The process for HIPAA typically begins with a gap analysis. The cheapest and quickest way to start, it identifies gaps against the Security Rule and proposes remediation strategies. It does not require an on-site auditor visit, but it is the prelude to a full HIPAA audit if you are subject to one. A gap analysis can cost between $15,000 and $20,000. Next is the full HIPAA audit, which evaluates your organization against the full set of HIPAA Security Rule requirements. Because it involves an auditor visit and a lot of up-front work to document your policies, procedures, and technologies, the cost can hover around $40,000 for a medium to large covered entity. If you want a more complete assessment, a HIPAA/HITECH review runs $40,000–$60,000 or more, depending on the size of the organization. One caveat when budgeting: HHS does not recognize any official HIPAA "certification," so what you are buying from a third party is an attestation of your posture at a point in time, not a regulatory credential, and it does not by itself satisfy your ongoing risk-analysis obligations.
PCI DSS Costs
For PCI DSS, costs vary greatly with your circumstances. If you process fewer than 1 million transactions annually (merchant Levels 3 and 4 under the card brands' schedules), you are likely looking at under $10,000 per year. At this level you need to complete the appropriate self-assessment questionnaire (the SAQ forms themselves are free from the PCI Security Standards Council; acquirer or vendor portals may charge $50–$200 to submit one), undergo quarterly external vulnerability scans by an Approved Scanning Vendor (ASV; as low as $1,200 a year), develop a few policies, train your team on them, and implement a handful of new or updated technologies and tools. Costs can climb past $10,000 a year if you are starting from scratch or your posture is significantly outdated and requires all-new technologies, policies, processes, and training.
If you process over 6 million transactions annually (merchant Level 1), an on-site assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance (ROC) is required, and the total can run upwards of $70,000 per year. That figure covers the on-site assessment, penetration testing, quarterly ASV scans, developing new or updated policies and processes, implementing new or updated technologies, and training employees. Again, costs will vary with how much of this you actually need, but it is a reasonable number to start from.
Quantifying Behind The Scenes: The Indirect Costs
Indirect costs are much harder to quantify. The biggest factor is time, and it grows with the variables listed above (company size, number of regulations, amount of sensitive data to protect, and so on). Here are the most common indirect costs:
Personnel
Companies often account only for the cost of hiring an outside contractor and/or audit firm to help with the compliance process, but you should also account for the internal team members who will be involved. Typically these are representatives from IT, legal, security and/or compliance, HR, finance, and accounting. To estimate personnel cost, lay out the hours required of each person for each phase (gap analysis, remediation, evidence collection, the audit itself, and ongoing maintenance) and multiply by their fully loaded compensation rate; the evidence-collection and remediation phases are where internal time is most often underestimated.
Implementation and Training
This category covers the additional time and resources needed to implement and then maintain compliance processes and technologies across the company. For some companies, maintenance alone can consume a day a week or more, depending on company size. Keep in mind that compliance is never a one-time event. PCI DSS validation, for example, must be repeated every year (a new ROC or SAQ), with ASV scans every quarter in between, and each cycle carries its own costs. Be sure to address this recurring spend in your budget.
Enabling Business: The Opportunity Cost of Compliance
The hard costs are really only half of the compliance equation. What does it cost you if you decide not to become compliant? You may be looking at hefty fines, loss of customers, reputation damage in the industry, and so on. For many companies, compliance is a prerequisite their customers demand, and having it opens up sales and partnership opportunities that would otherwise be closed.
With this framework and a basic understanding of the costs involved, you will be better able to prepare your budget and achieve compliance without surprises along the way.
Threat Stack Compliance Playbook
Take a look at The Threat Stack Compliance Playbook for Cloud Infrastructure.
The Playbook is intended for readers who want to understand what’s involved in becoming compliant in a cloud environment — without getting caught up in the details and complexity that the compliance process is well known for.