Return of the Guru

Federal Recommendations Will Do Little to Stem Cyber-crime

Ara Trembly
Insurance Experts' Forum, October 17, 2011

My colleague Pat Speer recently reported that the Securities and Exchange Commission (SEC) has issued guidelines laying out the kinds of information companies should disclose regarding cyber events (i.e. cyber-attacks) that could lead to financial losses.

According to Pat’s article, the SEC’s move to issue guidelines came amid concern that investors had difficulty assessing security risks if companies did not disclose such information in their public filings. Of all the vertical markets currently tracking security issues, health care, when it comes to both payers and providers, has a stake in the game—so this is obviously a key concern for insurers. Health insurance exchanges, mandated by President Obama’s health care reforms, may provide fertile ground for possible attacks, say experts, as stakeholders rush to implement them. In addition, providers’ use of mobile devices, which often hold confidential patient information, is another concern.

These are valid problems—which we have been writing about for some time. The recommendations for disclosure, if followed, would certainly provide valuable information about insurers and other financial services providers in the form of past cyber-crime problems, as well as their vulnerability to future attacks. That said, however, reports of such incidents could also be damaging to the parties involved, since customers are less likely to do business with companies whose defenses have been breached.

The recommendations themselves are simply suggestions. They carry no force of law or regulation. In its statement, the SEC says: “The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.” Thus, the SEC’s Corporate Finance Division recommends (but does not require) disclosure; meanwhile, the SEC doesn’t even approve the recommendations. Are you confused yet?

Returning to the point that insurers and other financial services companies are not going to fall over themselves to report issues that could impact them negatively, it seems clear that the recommendations are a nice idea, but not one that is likely to see practical application. In the current economy and highly competitive insurance environment, it is doubtful that most insurers will step up to the plate. Let us not, then, labor under the delusion that these new guidelines will have any salutary effect on the problem of cyber-crime.

Don’t get me wrong. Guidelines like these are exactly what are needed to help get a clear picture of what is happening to companies in terms of security, but the companies themselves must also decide whether or not they are willing to pay the price for such public disclosure. In the end, many will choose to say nothing—first, because they are not required to do so, and second, because it is the business equivalent of shooting themselves in the foot.

It’s sad to say, but for many in our industry unauthorized access and other types of attacks have shifted into the category titled “costs of doing business.”

Ara C. Trembly is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on do not necessarily reflect those of Insurance Networking News.
