SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

US firms face rising fines as compliance & skills shortfall grow

Fri, 21st Nov 2025

New research suggests three-quarters of US businesses have been fined for data breaches or failures to comply with data protection regulations in the past 12 months, highlighting the difficulties companies face in the current regulatory landscape.

Regulatory pressure

According to the findings, 75% of surveyed organisations were fined for data breaches or regulatory violations. A further breakdown shows 34% of those businesses received fines ranging from USD $333,001 to USD $1.3 million. Many companies attribute this to the increasing pace and number of regulatory changes, which 74% say make compliance challenging.

Despite these challenges, 74% of respondents stated they have already prepared for upcoming regulatory requirements, while 22% plan to do so within the next year.

Skills shortfall

Companies pointed to a shortage of qualified staff as a key issue in maintaining compliance and managing information security. The information security skills gap is now the most significant challenge for US firms, with 51% of respondents identifying it as their top concern.

The research, conducted for IO, drew responses from 1,000 US security leaders across multiple sectors, including finance, technology, healthcare, manufacturing, education, and legal.

Policy changes

The findings come as businesses adapt to shifts in US government policy. The Trump administration has taken steps in cyber decentralisation and deregulation, reversing directives from previous administrations. There has been a move to refocus AI policy, limit cyber sanctions to foreign entities, and scale back requirements on software suppliers regarding secure development practices.

This approach places greater responsibility on individual security teams to navigate the evolving threat landscape and maintain resilience without centralised guidance.

Investment focus

Security leaders are planning new investments to address these risks. 80% of organisations have strengthened their third-party and vendor risk management over the past year. Within the next 12 months, 96% intend to invest in generative AI-powered threat detection and defence, while 94% plan to invest in deepfake detection technologies.

Compliance expenditures are also rising. 64% of respondents said they intend to increase budgets for compliance-related measures, including standards, certifications, and audits, as regulatory penalties impact company finances.

Supply chain requirements

Supply chain security is receiving renewed attention. 66% of organisations expect to increase investment in supply chain and third-party vendor security in the coming year, with almost a quarter planning spending increases in this area of more than 25%.

More companies are demanding compliance from their suppliers: 37% now require Cyber Essentials certification for suppliers, 33% require ISO 27001 certification, and 28% require certification to the AI-focused ISO 42001 standard. Requirements for ISO 42001 certification have risen significantly from just 2% the previous year.

Industry response

"Globally, the regulatory landscape is becoming increasingly complex. Organisations are starting to reexamine their security postures, from their own security stance to that of suppliers and third-party vendors. We're seeing threat actors looking for weak links and using them as entryways to gain access to larger organisations," said Chris Newton-Smith, CEO, IO.

"It's encouraging to see firms taking a compliance-led approach and beginning to require certification to frameworks like Cyber Essentials, ISO 27001, and ISO 42001 of their suppliers, effectively reinforcing their supply chains. These standards provide best practices that support building resilience, enable businesses to mitigate risk, and require continuous improvement. They also align with core requirements across various regulations like the EU AI Act, DORA and GDPR, reducing the risk of regulatory non-compliance and streamlining overall compliance management."