Return of the Guru

Federal Recommendations Will Do Little to Stem Cyber-crime

Ara Trembly
Insurance Experts' Forum, October 17, 2011

My colleague Pat Speer recently reported that the Securities and Exchange Commission (SEC) has issued guidelines laying out the kinds of information companies should disclose regarding cyber events (i.e. cyber-attacks) that could lead to financial losses.

According to Pat’s article, the SEC’s move to issue guidelines came amid concern that investors had difficulty assessing security risks if companies did not disclose such information in their public filings. Of all the vertical markets currently tracking security issues, health care, both payers and providers, has a stake in the game—so this is obviously a key concern for insurers. Health insurance exchanges, mandated by President Obama’s health care reforms, may provide fertile ground for possible attacks, say experts, as stakeholders rush to implement them. In addition, providers’ use of mobile devices, which often hold confidential patient information, is another concern.

These are valid problems—which we have been writing about for some time. The recommendations for disclosure, if followed, would certainly provide valuable information about insurers and other financial services providers in the form of past cyber-crime problems, as well as their vulnerability to future attacks. That said, however, reports of such incidents could also be damaging to the parties involved, since customers are less likely to do business with companies whose defenses have been breached.

The recommendations themselves are simply suggestions. They carry no force of law or regulation. In its statement, the SEC says: “The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.” Thus, the SEC’s Corporate Finance Division recommends (but does not require) disclosure; meanwhile, the SEC doesn’t even approve the recommendations. Are you confused yet?

Returning to the point that insurers and other financial services companies are not going to fall over themselves to report issues that could impact them negatively, it seems clear that the recommendations are a nice idea, but not one that is likely to see practical application. In the current economy and highly competitive insurance environment, it is doubtful that most insurers will step up to the plate. Let us not, then, labor under the delusion that these new guidelines will have any salutary effect on the problem of cyber-crime.

Don’t get me wrong. Guidelines like these are exactly what is needed to help get a clear picture of what is happening to companies in terms of security, but the companies themselves must also decide whether or not they are willing to pay the price for such public disclosure. In the end, many will choose to say nothing—first, because they are not required to do so, and second, because it is the business equivalent of shooting themselves in the foot.

It’s sad to say, but for many in our industry unauthorized access and other types of attacks have shifted into the category titled “costs of doing business.”

Ara C. Trembly is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.


This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
