Return of the Guru

Federal Recommendations Will Do Little to Stem Cyber-crime

Ara Trembly
Insurance Experts' Forum, October 17, 2011

My colleague Pat Speer recently reported that the Securities and Exchange Commission (SEC) has issued guidelines laying out the kinds of information companies should disclose regarding cyber events (i.e. cyber-attacks) that could lead to financial losses.

According to Pat’s article, the SEC’s move to issue guidelines came amid concern that investors had difficulty assessing security risks if companies did not disclose such information in their public filings. Of all the vertical markets currently tracking security issues, health care, when it comes to both payers and providers, has a stake in the game—so this is obviously a key concern for insurers. Health insurance exchanges, mandated by President Obama’s health care reforms, may provide fertile ground for possible attacks, say experts, as stakeholders rush to implement them. In addition, providers’ use of mobile devices, which often hold confidential patient information, is another concern.

These are valid problems—which we have been writing about for some time. The recommendations for disclosure, if followed, would certainly provide valuable information about insurers and other financial services providers in the form of past cyber-crime problems, as well as their vulnerability to future attacks. That said, however, reports of such incidents could also be damaging to the parties involved, since customers are less likely to do business with companies whose defenses have been breached.

The recommendations themselves are simply suggestions. They carry no force of law or regulation. In its statement, the SEC says: “The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.” Thus, the SEC’s Corporate Finance Division recommends (but does not require) disclosure; meanwhile, the SEC doesn’t even approve the recommendations. Are you confused yet?

Returning to the point that insurers and other financial services companies are not going to fall over themselves to report issues that could impact them negatively, it seems clear that the recommendations are a nice idea, but not one that is likely to see practical application. In the current economy and highly competitive insurance environment, it is doubtful that most insurers will step up to the plate. Let us not, then, labor under the delusion that these new guidelines will have any salutary effect on the problem of cyber-crime.

Don’t get me wrong. Guidelines like these are exactly what are needed to help get a clear picture of what is happening to companies in terms of security, but the companies themselves must also decide whether or not they are willing to pay the price for such public disclosure. In the end, many will choose to say nothing—first, because they are not required to do so, and second, because it is the business equivalent of shooting themselves in the foot.

It’s sad to say, but for many in our industry unauthorized access and other types of attacks have shifted into the category titled “costs of doing business.”

Ara C. Trembly is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.


This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
