Hoping to grab a piece of a multibillion-dollar pie,
are releasing packages of hardware, software and services designed to help companies comply with new federal business regulations.
Sarbanes-Oxley, the USA Patriot Act and the Health Insurance Portability and Accountability Act require companies to document, protect and store everything from internal emails to minute financial transactions and medical records.
Complying with Sarbanes-Oxley alone will cost companies about $2.5 billion this year and about twice as much next year as all parts of the act become operative, said John Hagerty of ARM Research. Much of the cost is for consultants and planning, but by next year the IT component could reach an estimated $1 billion, said Hagerty. "Unlike Y2K, this is not a one-time buy. It will be a fact of life for years to come," he added.
Although there are already specific products available from vendors such as
that help solve compliance problems, IBM, which announced its solutions on Tuesday, and Veritas, which will announce next month, are launching integrated product lines aimed at compliance.
Others are sure to follow, including consultancies, storage hardware and software vendors, application vendors like
, Oracle and
, and specialized content-management suppliers like
(recently acquired by EMC) and
, said Stan Lepeak, an analyst with the Meta Group, an IT consultancy.
"The first wave of spending," said Lepeak, "was largely for consultants who helped determine the dimensions of the problem. Now we're moving into a phase where companies will spend to fix the problem."
The regulations pose a host of IT-related challenges, some relatively simple, others far more complex. One of the solutions IBM announced on Tuesday, for example, is designed to detect money laundering, a requirement of the Patriot Act. Another is an email archive and records management service, while yet another helps make erased medical or financial records unrecoverable.
On Nov. 4, Veritas will announce its own compliance suite. Although the company hasn't yet released many details, industry sources quoted by
, a trade publication, will announce 10 new products, including some that will directly address compliance issues.
The compliance push is somewhat reminiscent of the IT panic sparked by Y2K. But peak compliance spending won't be nearly as high and the drop-off won't be nearly as deep, said Lepeak.
Moreover, new regulations will come online in the future, forcing companies to spend more to comply. For example, Section 409 of Sarbanes-Oxley, which won't go into effect until next year at the earliest, will require companies to provide real-time disclosure of material events that might affect performance, Hagerty said.
Companies that have already jumped into the market say results are good so far. EMC introduced its Centera product line a year ago, in part to solve compliance issues. It has been one of the company's fastest-growing products, the company says. Oracle in May unveiled its Internal Controls Manager, tailored to help companies comply with Section 404 of Sarbanes-Oxley. Customer interest, said a spokeswoman, has been strong, and the company expects to add more compliance functionality to its suite of financial applications as regulations become clearer. (Neither IBM nor other companies in the compliance market would provide market-share information.)
Complicating everything is the plethora of new data types that must be stored, verified and indexed in order to comply. "Transactional data was what we had to keep 10 years ago. Now we have to track email, instant messages (as well as audio and video) to comply," said Steve McLaurin, a partner with IBM's business consulting services unit.