Have you ever wondered what lies behind the legal consequences of a non-compliance event? Fines are just the tip of the iceberg. The real damage often lies deeper: lost trust, reputational damage, operational disruptions and even business failures. Some companies take years to recover from a scandal. Some others don’t survive. With cyberattacks on the rise, regulators have put strict standards in place to protect sensitive information. And, of course, stronger legal consequences come with them. Organizations might question whether investing in compliance is worth the cost compared to the risks of non-compliance. However, the consequences can hit hard and fast. Cybersecurity isn’t just about money, it’s also about trust and survival. And I will tell you why. Understanding non-compliance in cybersecurity First, to better prepare for compliance challenges, it is valuable to understand how non-compliance is defined by regulatory bodies. In cybersecurity, non-compliance refers to the failure to adhere to established regulations, standards, or best practices specific to the industry designed to protect information systems and data. This can occur in various ways, as illustrated below: Ignoring regulatory requirements like GDPR, NIS1 and 2, and DORA, which outline specific requirements for data protection, incident response, access controls, and security awareness training Inadequate security measures, such as encryption, firewalls, and access controls, to safeguard data and systems Lack of robust security policies and/or not enforcing internal policies and procedures that guide employees on how to handle and protect data Insufficient cybersecurity training and awareness programs for employees, leading to human errors and vulnerabilities Poor incident response to respond to and recover from security incidents, which can exacerbate the impact of a breach The implementation of a risk management and compliance strategy is essential. It must necessarily include a comprehensive risk assessment, security checkpoints and regular updates. Risks and possible consequences of non-compliance Let’s begin with some straightforward facts. As early as 2017, a Ponemon Institute report, The true cost of compliance with data protection regulations, estimated that non-compliance could be nearly three times as expensive as compliance. The IBM report, Cost Of A Data Breach (2023) highlighted that “the average cost of a data breach was $4.45 million with an average cost for France of $4 million.” A value up 15% over three years. Simply put, one of the consequences of non-compliance with regulations is an astronomical cost that can be easily avoided with the right proactive approach. First, let’s take a closer look at how costs can add up: Legal and financial risks One of the most immediate risks of non-compliance is the imposition of legal and financial penalties. Regulatory authorities can investigate, impose sanctions and revoke licenses or permits on companies that do not comply with cybersecurity standards. These fines can reach millions of euros, depending on the severity of the offence and the size of the organization: Regulations Financial penalties Targets Key factors for penalties NIS2 Up to €10 million or 2% of global annual turnover Essential Entities (EEs) and Important Entities (EIs) Incident reporting negligence or non-compliance with security protocols DORA Up to €10 million or 5% of global annual turnover Mainly financial entities and ICT service providers operating within the European Union in financial services Continued non-compliance GDPR Up to €20 million or 4% of annual global turnover Any entity, public or private, regardless of its size, as long as it is required to process personal data Non-compliance with data protection obligations So, what is the impact of these fines on organizations? The stats from the 2024 edition of the CMS GDPR Enforcement Tracker for Europe are as follows: 612 fines, average EUR 2.7 million for “insufficient legal basis for data processing” 561 fines, average EUR 3.7 million for “non-compliance with general data processing principles” 357 fines, average EUR 1.1 million for “insufficient technical and organizational measures to ensure information security” The highest until now has been received by Meta in 2023 for an amount exceeding €1.2 billion. This fine was imposed due to the company’s transfer of European users’ personal data to the United States without adequate data protection measures. Legal action may also be taken by clients or any affected individuals whose personal information has been compromised due to non-compliance. They can sue for damages, including but not restricted to financial loss, identity theft, and emotional distress. Impact on customer trust and reputational damage Companies that fail to comply with cybersecurity standards can be perceived as negligent, leading to a loss of trust from customers and partners. When you search for ‘SolarWinds’ online, you can be sure that a mention of the attack comes up in the first results. This is likely to make you question their services. The attack also impacted their stock price, which dropped from $24.83 in December 2020 and has still not recovered in 2024, currently hovering around $11 in August. Once lost, it is difficult to regain trust. To rebrand itself, the company may need to invest in extensive PR campaigns, cybersecurity improvements, and proactive measures to regain customer trust. However, even with these efforts, the stain on brand reputation can linger for years. This is what LastPass experienced in 2022, where the impact of the breach was even more serious, considering their core business is providing password management security services. The CEO of LastPass has openly acknowledged a rise in customer churn following the incident, despite their efforts to invest in new security measures Operational risks Remediation efforts, system downtime, and breach investigations can lead to significant operational damages and productivity losses For example, Norsk Hydro’s 2019 ransomware attack resulted in an estimated $60 million in losses due to service interruptions and remediation costs. Similarly, the 2021 ransomware attack on Dax Hospital paralyzed operations and endangered patients, highlighting the importance of cybersecurity compliance for critical infrastructures. The impact is even more important for smaller companies, as 60% are estimated to go out of business within 6 months of a cyberattack. Impact on leaders and management Non-compliance can have personal consequences for company leaders, including personal liability, criminal prosecution, and sanctions ranging from fines and suspension to imprisonment. Under regulations like NIS2 and DORA, managers and executives may be held accountable for cybersecurity breaches if they are found to have failed to implement adequate cybersecurity measures. Liability will vary depending on factors such as the nature and severity of the breach, industry and local jurisdiction. The NIS2 Directive also introduces a significant innovation by placing direct obligations on management bodies to ensure a high level of accountability for compliance with cybersecurity requirements. Building a culture of compliance While it may be too soon to definitively hold CEOs accountable for most of the non-compliance events in 2024, one thing is clear: cybersecurity is increasingly integral to their personal and professional responsibilities. Also, in a world where compliance professionals anticipate growing personal liability, your organization’s compliance strategy and culture could not only determine the financial impact of a breach but also influence whether top talent will choose to work with you to improve your security posture. These are key factors that should be taken into consideration for your future planning of a cybersecurity and compliance strategy.