My colleague Pat Speer recently reported that the Securities and Exchange Commission (SEC) has issued guidelines laying out the kinds of information companies should disclose regarding cyber events (i.e. cyber-attacks) that could lead to financial losses.

According to Pat’s article, the SEC’s move to issue guidelines came amid concern that investors had difficulty assessing security risks if companies did not disclose such information in their public filings. Of all the vertical markets currently tracking security issues, health care, when it comes to both payers and providers, have a stake in the game—so this is obviously a key concern for insurers. Health insurance exchanges, mandated by President Obama’s health care reforms, may provide fertile ground for possible attacks, say experts, as stakeholders rush to implement. In addition, providers’ use of mobile devices, which often hold confidential patient information, is another concern.

These are valid problems—which we have been writing about for some time. The recommendations for disclosure, if followed, would certainly provide valuable information about insurers and other financial services providers in the form of past cyber-crime problems, as well as their vulnerability to future attacks. That said, however, reports of such incidents could also be damaging to the parties involved, since customers are less likely to do business with companies whose defenses have been breached.

The recommendations themselves are simply suggestions. They carry no force of law or regulation. In its statement, the SEC says: “The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.” Thus, the SEC’s Corporate Finance Division recommends (but does not require) disclosure, meanwhile, the SEC doesn’t even approve the recommendations. Are you confused yet?

Returning to the point that insurers and other financial services companies are not going to fall over themselves to report issues that could impact them negatively, it seems clear that the recommendations are a nice idea, but not one that is likely to see practical application. In the current economy and highly competitive insurance environment, it is doubtful that most insurers will step up to the plate. Let us not, then, labor under the delusion that these new guidelines will have any salutary effect on the problem of cyber-crime.

Don’t get me wrong. Guidelines like these are exactly what are needed to help get a clear picture of what is happening to companies in terms of security, but the companies themselves must also decide whether or not they are willing to pay the price for such public disclosure. In the end, many will choose to say nothing—first, because they are not required to do so, and second, because it is the business equivalent of shooting themselves in the foot.

It’s sad to say, but for many in our industry unauthorized access and other types of attacks have shifted into the category titled “costs of doing business.”

Ara C. Trembly ( is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on do not necessarily reflect those of Insurance Networking News.

Register or login for access to this item and much more

All Digital Insurance content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access