JANUARY 20, 2025

129 Compliance Statistics You Need To Know

Discover 129 essential trust statistics, covering global trends, data security, third-party risk management, and more.

If you want to understand the current state of security, compliance, and governance, the numbers are a good place to start. Organizations are managing more vendors, more regulations, and more risk than at any point before—and most are doing it with teams and processes that haven't kept pace. 

TL;DR: The average U.S. data breach now costs over $10 million, and most organizations have at least one vendor that's been breached in the last two years. And most compliance teams are still running on manual workflows. We pulled together 129 statistics from independent research published in 2024–2026 covering GRC, third-party risk, breach costs, AI governance, and the link between compliance maturity and business outcomes. The data speaks for itself.

Third Party and Vendor Risk

97% of organizations experienced at least one supply chain breach in 2025 — up from 81% in 2024. (BlueVoyant Annual Supply Chain Cyber Security Research, 2026)

91% of CISOs report an increase in third-party cybersecurity incidents over the past year, and 95% predict that trend will continue. (Panorays 2025 CISO Survey, n=200)

30% of data breaches in 2025 involved a third party — double the rate from the prior year. (Verizon 2025 Data Breach Investigations Report)

Only 3% of organizations have full visibility into their entire supply chain, including fourth- and nth-party relationships. (Panorays 2025 CISO Survey)

81% of CISOs say they have insufficient budget to address third-party risks effectively. (Panorays 2025 CISO Survey)

98% of organizations admit to leaving third-party vulnerabilities unresolved due to resource constraints. (Panorays 2025 CISO Survey)

Only 4% of organizations have high confidence that their third-party questionnaires accurately reflect actual vendor risk posture. (RiskRecon, State of TPRM 2024)

Nearly a quarter of organizations suffered security incidents caused by third parties in 2024 — up from just 9% in 2020. (RiskRecon, State of TPRM 2024)

98% of organizations have a relationship with at least one third party that experienced a breach in the last two years. (SecurityScorecard)

40% of cyber insurance breach claims involve a third party. (Resilience 2024 Cyber Risk Report)

Nearly four in ten companies send an average of 55 questionnaires to third parties annually, often across multiple risk domains. (EY Global Third-Party Risk Management Survey 2025)

Less than half — 43% — of TPRM programs are adequately staffed to handle current vendor volumes. (RiskRecon, State of TPRM 2024)

Only 40% of organizations regularly report to the board about the state of their TPRM programs and the risks they face. (RiskRecon and Ponemon Institute)

Regulatory compliance (48%) and cyber risk (37%) are now the top two drivers of TPRM strategy globally. (KPMG Global TPRM Survey 2026, n=851)

Only 1 in 5 organizations has fully integrated TPRM into their enterprise-wide risk management system. (KPMG Global TPRM Survey 2026)

Only 22% of organizations find AI in TPRM "very effective," even as more than half are exploring AI adoption. (KPMG Global TPRM Survey 2026)

Only 17% of TPRM leaders say they have completely reliable and integrated data quality to underpin their risk management decisions. (KPMG Global TPRM Survey 2026)

A third of organizations suffered monetary loss or reputational damage from third-party incidents in the past three years. (KPMG Global TPRM Survey 2026)

More than two-thirds of large organizations experienced at least one third-party cybersecurity incident in the past 12 months. (Munich Re Global Cyber Risk & Insurance Survey 2026)

72% of financial institutions admit they are only partially aware of which vendors use AI — and not a single organization felt extremely confident managing that risk. (Ncontracts 2026 State of TPRM Survey)

Fourth-party breaches now account for 4.5% of all breaches — and 12.7% of third-party breaches cascade into fourth-party incidents. (SecurityScorecard 2026)

27% of organizations do not assess or monitor fourth parties at all. (Venminder 2026)

Compliance Complexity & Cost

92.6% of compliance professionals say their role has become more challenging over the past few years — the highest reading in four years of survey data. (Regology State of Regulatory Compliance 2026, n=204)

72% of executives say increasing compliance complexity over the last three years has negatively impacted their company's profitability. (PwC Global Compliance Survey 2025)

76% of executives say rising compliance complexity has negatively impacted their ability to establish and maintain third-party relationships. (PwC Global Compliance Survey 2025)

89% of organizations say compliance complexity has negatively impacted IT and data management — 34% say it did so to a great extent. (PwC 2025)

69% of organizations find regulations too complex or too numerous, or struggle to verify whether third-party suppliers are actually complying. (A-LIGN 2025 Compliance Benchmark Report)

58% of organizations conducted four or more audits in 2025; 35% of enterprises conducted more than six on average. (A-LIGN 2025 Compliance Benchmark Report)

71% of enterprise organizations spend over $100,000 per year on audits alone. (A-LIGN Compliance Benchmark 2025)

Financial institutions spend $61 billion annually on compliance — and 99% expect those costs to continue rising. (Mordor Intelligence, eGRC Market Report)

47% of organizations reported failing a formal audit two to five times in the past three years. (Coalfire 2024)

63% of executives say disaggregated data makes compliance harder. (PwC Global Compliance Survey 2025)

68% of C-suite leaders say time-consuming compliance and reporting tasks significantly or moderately hinder enabling functions from contributing to broader business objectives. (Thomson Reuters Institute 2025 C-Suite Survey)

Over 4,500 regulatory updates are issued globally each year. (Gartner, cited in Integrate.io 2026)

73.5% of organizations have already faced regulatory fines or penalties for non-compliance — or expect to. (Regology State of Regulatory Compliance 2026)

More than 80% of compliance teams still rely on manual processes — even as more than half report using AI in some capacity. (Regology State of Regulatory Compliance 2026)

57.8% of compliance teams operate with five or fewer compliance professionals. (Regology State of Regulatory Compliance 2026)

By end of 2026, 70–75% of the global population will be covered by modern privacy regulations — up from less than 10% a decade ago. (Gartner, cited in Integrate.io 2026)

Gartner predicts legal and compliance functions will increase spending on GRC platforms by 50% as multiple regulatory frameworks converge. (Gartner, cited in Kiteworks 2026)

Breach & Non-Compliance Costs

The average cost of a data breach for U.S. companies in 2025 was $10.22 million — an all-time record. (IBM Cost of a Data Breach Report 2025)

The global average cost of a data breach was $4.44 million in 2025 — the first global decline in five years. (IBM Cost of a Data Breach Report 2025)

In 2024, the global average breach cost was $4.88 million — a 10% increase over 2023 and the largest spike since the pandemic. (IBM/Ponemon Cost of a Data Breach Report 2024)

Data breaches cost nearly $220,000 more on average when non-compliance with regulations is a contributing factor. (IBM Cost of a Data Breach Report 2023)

Among breached organizations, 32% paid regulatory fines — 48% of those fines exceeded $100,000, and a quarter exceeded $250,000. (IBM Cost of a Data Breach Report 2025)

Nearly two-thirds of organizations breached in 2025 say they are still recovering — most taking over 100 days to fully restore operations. (IBM Cost of a Data Breach Report 2025)

Healthcare remains the costliest industry for data breaches for the 14th consecutive year at $7.42M per incident. (IBM Cost of a Data Breach Report 2025)

Breaches involving data across multiple cloud environments cost over $5M on average and take 283 days to contain. (IBM Cost of a Data Breach Report 2024)

The SEC ordered $8.2 billion in financial remedies in FY2024 — including $600M in penalties for recordkeeping failures alone. (U.S. SEC FY2024 Enforcement Report)

Total GDPR fines reached approximately €5.65 billion by early 2025 — with 2024 penalties including €310M against LinkedIn and €251M against Meta. (GDPR Enforcement Tracker)

GDPR breach notifications averaged 443 reports per day in 2025 — the first time daily notifications exceeded 400 since the regulation began. (Swif.ai 2026)

Cyberattacks targeting software supply chains are expected to cost the global economy $80.6 billion annually by 2026. (Juniper Research, cited in Indusface 2026)

Global cybercrime is forecast to cost $10.5–10.8 trillion in 2026. (Cybersecurity Ventures 2026)

Board & Enterprise Governance

85% of CEOs say cybersecurity is a critical component to achieving business growth. (NACD Director's Handbook on Cyber-Risk Oversight 2026)

77% of boards now discuss the material and financial implications of a cyber incident — up 25 percentage points since 2022. (NACD 2025 Public Company Board Practices and Oversight Survey)

72% of directors have undertaken cyber risk education or training in the past year — up from less than half in 2022. (NACD 2025 Board Practices & Oversight Survey)

Only 50% of organizations report that boards have formal oversight of their compliance programs. (NAVEX 2025 State of Risk & Compliance Report)

54% of board directors say the threat of disruption from emerging technologies such as AI is not a standing agenda item at their board meetings. (Diligent, cited in Governance Intelligence 2026)

65% of general counsel and compliance officers selected "changes in the regulatory environment" as a top risk — ahead of tariffs and other business concerns. (Diligent Institute / Corporate Board Member GC Risk Index)

CISOs, CROs, and CCOs now face potential criminal charges, SEC enforcement actions, and personal financial liability for risk management failures. (Diligent, ERM Trends 2026)

77% of global C-suite leaders believe compliance contributes significantly or moderately to their overall business objectives. (Thomson Reuters Institute 2025 C-Suite Survey)

78% of CEOs agree that cyber and privacy regulations are effective in reducing their organizations' cyber risks — up from 61% in 2024 and 39% in 2022. (WEF Global Cybersecurity Outlook 2025)

Only 1 in 5 organizations has fully integrated risk and compliance functions across the enterprise. (PwC Global Crisis and Resilience Survey)

Nearly half of organizations — 48% — have centralized risk and resilience structures, but only 26% have strong cross-functional collaboration. (KPMG Risk and Resilience Survey 2025)

Manual Burden & Siloed Programs

83% of organizations report moderate or major delays caused by manual compliance work — and 53% dedicate the equivalent of a full-time employee exclusively to evidence collection. (RegScale State of CCM Report 2026, n=253)

65% of organizations report using manual processes for most GRC activities, limiting consistent and repeatable controls. (Industry aggregate 2024–2025)

Only 28% of organizations monitor their security controls continuously in real time — 72% still rely on periodic assessments. (RegScale State of CCM Report 2026)

While 95% of organizations have implemented some level of GRC automation, only 4% have achieved full end-to-end automation. (RegScale State of CCM Report 2026)

Security teams spend between 30% and 50% of their time on administrative tasks, and 71% of companies take a reactive approach to evidence collection — gathering it only for audits. (CISO Society State of CCM Report 2024)

55% of CFOs and 50% of audit committees are asking internal audit to do more risk work — yet teams can only allocate 15% of their time to advisory work. (AuditBoard 2024)

An estimated 70% of internal audit hours in SOX compliance programs are spent on administrative tasks like spreadsheet management. (Protiviti / Zluri SOX Compliance Analysis)

91% of organizations now have a centralized GRC team — but most still struggle with manual workflows and fragmented processes. (Hyperproof IT Risk & Compliance Benchmark 2026, n=1,002)

60% of organizations with ad-hoc risk management experienced a data breach in 2024–2025, compared to 41% of those using integrated or automated GRC tools. (Hyperproof IT Risk & Compliance Benchmark 2026)

Organizations that take an integrated, automated approach to risk management were only 27% as likely to experience a breach in 2025 as those with ad-hoc programs. (Hyperproof IT Risk & Compliance Benchmark 2026)

85% of organizations are actively rethinking traditional GRC approaches due to resource constraints and unsustainable manual workflows. (RegScale State of CCM Report 2026)

Enterprise Risk Management

Nearly 75% of enterprises experienced at least one critical risk event in the past year — cyberattacks and IT failures account for most of them. (Forrester, The State of Enterprise Risk Management, 2025)

Firms without board-level ERM visibility were 20% more likely to suffer six or more critical events. (Forrester, The State of Enterprise Risk Management, 2025)

Only 11% of senior finance leaders view their organization's risk management process as a strategic tool that delivers competitive advantage. (AICPA and NC State University, The State of Risk Oversight 2025)

Nearly two-thirds of executives — 64% — believe their organization's risk management process provides no or minimal competitive advantage. (AICPA and NC State University, The State of Risk Oversight 2025)

Only 35% of financial leaders report having comprehensive ERM processes in place, and only 32% rate their organization's overall risk oversight as "mature" or "robust." (AICPA and NC State University, The State of Risk Oversight 2025)

61% of senior finance leaders agree that the volume and complexity of corporate risks have changed "mostly" or "extensively" over the last five years. (AICPA and NC State University, The State of Risk Oversight 2025)

Most ERM budgets are increasing by only 1–4% — barely keeping up with inflation. Only 4% of firms expect a budget increase of more than 10%. (Forrester, The State of Enterprise Risk Management, 2025)

44% of executives rank AI and data regulations in the top three factors driving them to rethink their company's short-term strategy. (PwC May 2025 Pulse Survey)

45% of GRC professionals say breaking down silos between risk, compliance, and operations teams is their single top priority for 2025. (MetricStream / GRC Report Survey 2025)

Cybersecurity, third-party dependencies, and AI governance dominate the top 10 near-term executive risk concerns. (NC State ERM Initiative / Protiviti, 14th Annual Executive Risk Survey, n=1,540)

Only 26% of organizations have strong cross-functional collaboration and a holistic view of risks — despite nearly half reporting centralized risk structures. (KPMG Risk and Resilience Survey 2025)

AI Governance & Compliance

78% of business executives lack strong confidence they could pass an independent AI governance audit within 90 days. (Grant Thornton 2026 AI Impact Survey, n=950)

83% of compliance and risk leaders report using AI tools — yet only about 25% have implemented a strong governance framework to oversee that use. (Compliance Week / konaAI AI & Compliance Survey 2026, n=193)

U.S. agencies issued 59 new AI regulations in 2024 — more than double the prior year. Globally, 75 countries increased AI legislation by 21%. (IBM 2025)

76% of organizations plan to pursue an AI audit or certification within the next 24 months. (A-LIGN Compliance Benchmark 2025)

63% of organizations that experienced AI-related breaches either had no AI governance policy or were still developing one. (IBM 2025)

More than 50% of organizations lack systematic inventories of AI systems currently in production or development. (CSA Labs / EU AI Act Research Note, March 2026)

83% of organizations lack the basic technical controls needed to prevent employees from uploading confidential data to public AI tools. (IBM / Kiteworks 2025)

65% of AI tools used in enterprises operate without IT oversight — a condition that increases average breach costs by $670,000 per incident. (IBM 2025)

55% of technology leaders cite regulatory or compliance uncertainty as a top barrier to scaling AI — often an internal governance gap, not an external regulation problem. (Grant Thornton 2026 AI Impact Survey)

54% of COOs are concerned about regulatory and compliance uncertainty related to agentic AI — compared to just 20% of CIOs and CTOs. (Grant Thornton 2026 AI Impact Survey)

Only 35.7% of managers feel adequately prepared for EU AI Act compliance; 19.4% describe themselves as poorly prepared. (Prefactor 2026 AI Governance Statistics)

Organizations that deploy AI governance platforms are 3.4x more likely to achieve high effectiveness in AI governance than those that don't. (Gartner, Q2 2025, n=360)

Spending on AI governance platforms is expected to reach $492 million in 2026 and surpass $1 billion by 2030. (Gartner, February 2026)

38.8% of organizations still lack a formal AI risk review process, even as generative AI enters compliance workflows informally. (Regology State of Regulatory Compliance 2026)

59.3% of compliance teams are already using AI in some capacity — and 75.5% say they are enthusiastic about expanding its role, up from 54% in 2025. (Regology State of Regulatory Compliance 2026)

64% of organizations report significant or transformational improvement in GRC outcomes from AI adoption. (RegScale State of CCM Report 2026)

Framework Adoption & Audit Trends

ISO 27001 adoption is at 81% in 2025, up from 67% in 2024 — a 14% year-over-year increase. Organizations now more often rank ISO 27001 as their most important audit over SOC 2. (A-LIGN 2025 Compliance Benchmark Report)

Nearly 70% of organizations now comply with six or more security and privacy frameworks. (Truzta / TrustCloud 2026)

76% of organizations plan to pursue an AI audit or certification within 24 months, and 53% plan to adopt a new compliance framework within 12 months. (A-LIGN Compliance Benchmark 2025)

38% of organizations have had an audit report rejected by a vendor or prospect due to quality or completeness concerns. (A-LIGN Compliance Benchmark 2024)

45% of organizations say they would switch audit providers for more efficient processes. (A-LIGN Compliance Benchmark 2024)

50% of organizations experienced at least one compliance issue in the past three years, and 37% experienced more than one. (NAVEX State of Risk & Compliance Report)

The RegTech market is projected to hit $70+ billion by 2030. (Truzta / TrustCloud 2026)

Trust, Assurance & Business Impact

65% of organizations say customers, investors, and suppliers are increasingly requiring proof of compliance as a condition of doing business. (Vanta 2024)

77% of global C-suite leaders say compliance contributes significantly or moderately to their overall business objectives. (Thomson Reuters Institute 2025 C-Suite Survey)

24% of organizations say increasing revenue and winning new clients is the primary driver behind their compliance program. (Secureframe 2025)

35% of enterprise leaders cite client acquisition as the primary driver behind their compliance programs — making security questionnaire response speed a direct competitive differentiator. (Steerlab 2026)

Organizations with fully integrated AI are nearly four times more likely to report revenue growth than those still piloting — 58% vs. 15%. (Grant Thornton 2026 AI Impact Survey)

96% of organizations believe third-party risk management delivers measurable ROI — yet 61% say their TPRM program is undervalued by the business. (Venminder / KPMG, 2025–2026)

Half of businesses have ended a vendor relationship due to security concerns. (Vanta 2024)

Organizations using automated compliance monitoring cut regulatory penalties by an average of 40% compared to manual tracking. (Gartner, cited in Truzta 2026)

Security reviews are among the top deal blockers in B2B enterprise sales — vendor assessments that take two to four weeks create direct, material revenue impact. (InfoSecFlow 2026)

Among breached organizations, those that self-identified the breach had nearly $1 million lower breach costs on average than those where the attacker disclosed it first. (IBM Cost of a Data Breach Report 2024)

Organizations that demonstrate strong security posture and continuous compliance are increasingly positioned to outperform peers on investor confidence, contract access, and M&A readiness. (VECTRA International 2026)

Talent, Skills & Readiness Gaps

Only 2% of organizations have implemented cyber resilience measures across all surveyed areas. (PwC 2025)

39% of organizations identify skills shortages as a major barrier to cyber resilience — and the gap has widened by 8% since 2024. (WEF Global Cybersecurity Outlook 2025)

Only 14% of organizations feel confident they have the people and skills needed to meet their current security and compliance demands. (WEF Global Cybersecurity Outlook 2025)

59% of organizations report critical or significant cybersecurity skills shortages, with AI and cloud security as the most urgent gaps. (ISC2 2025 Workforce Study)

There are an estimated 4.8 million unfilled cybersecurity jobs globally in 2026 — North America alone faces a shortage of 70,000+ professionals. (SentinelOne Cybersecurity Statistics 2026)

42% of internal audit leaders report lacking needed skill sets within their teams for cybersecurity, AI, data privacy, and advanced technology coverage. (IIA Vision 2035 Survey)

78% of business executives plan to increase cybersecurity budgets — yet only 6% believe their organizations are fully prepared to handle all cyberattack types. (PwC Global Digital Trust Insights 2026, n=3,887)

Social engineering attacks have surpassed ransomware as the leading cyber threat, cited by 63% of security professionals as their primary concern — a first in the survey's history. (ISACA 2026 Tech Trends Poll, ~3,000 professionals)

Data & analytics capability ranked as the #1 ERM capability requiring strengthening, selected by 51% of risk leaders — outpacing cybersecurity resilience, ESG integration, and risk culture. (ERMA Survey 2026)

Organizations that treat AI trust as a core business capability rather than a compliance exercise are better positioned to scale AI adoption and deliver measurable performance advantage. (McKinsey 2026 AI Trust Maturity Survey, ~500 organizations)

What Does This Mean For You?

Across all of these statistics, a few patterns stand out. The organizations managing risk most effectively aren't the ones with the biggest teams or the highest budgets — they're the ones with the most integrated and automated programs. Fewer breaches. Lower costs. Faster sales cycles. Better audit outcomes.

The numbers make a consistent case that compliance and risk management, approached strategically, deliver real business value — not just risk mitigation. If you're looking to make the case internally for investment in trust, these stats are a useful starting point. Book your demo to learn more.

Jacqueline Zenn
Senior Content Manager

Jacqueline Zenn is Senior Content Marketing Manager at Drata, where she leads strategic content programs and innovative distribution across channels to support the company’s trusted brand and demand initiatives. With experience on the brand, agency, and publishing sides, she specializes in building data-powered, AI-boosted content that connects big-picture narratives with the details that make campaigns cohesive and effective.

Before joining Drata, Jacqueline worked with a wide range of brands—from global enterprises to high-growth startups—on content strategy, SEO, social, and performance marketing. She is a graduate of the University of Notre Dame and a self-described reader first and writer second, always looking for both the humanity and the leverage in every story.
