The finance services giant says it was hacked — and reported the incident proactively before SEC requirements mandated it. It could be an anti-extortion move, or merely a brand protection effort.
February 14, 2024
Fresh on the heels of the Bank of America cyber compromise, another Fortune 500 giant is notably in the data breach crosshairs: Prudential Financial said this week that hackers cracked "certain" of its systems earlier in the month.
The announcement also stands out for another reason: While corporations are now required to report cybersecurity incidents that have "material" impact to operations to the US Securities & Exchange Commission (SEC), Prudential appears to have gotten out ahead of that new mandate with a voluntary incident disclosure, before any such impact has been determined.
"It's great to see that Prudential Financial quickly detected and responded to the data breach, and our hope is that the attackers were stopped before any sensitive data was stolen, and that the impact to the business is minimal," says Joseph Carson, chief security scientist and advisory CISO at Delinea. For now though, those details are unclear.
In a Form 8-K notice to the SEC, Prudential said that it detected unauthorized access to its infrastructure on Feb. 5. It determined that the threat actor, which the financial and insurance behemoth believes was an organized cybercrime group, had gained access the day before to "administrative and user data from certain [IT] systems, and a small percentage of company user accounts associated with employees and contractors."
The company has kicked off its incident response, which is in the early stages; so far, it's unclear if the attackers accessed additional information or systems, heisted customer or client data, or if the incident will have a material impact on Prudential operations.
With no evidence of any of those scenarios, Prudential isn't yet under a mandate to report the breach. Thus, researchers say the firm's SEC filing is indicative of what could be a new trend: proactive filings.
On Dec. 15, the SEC incident-disclosure rules changed to require a Form 8-K to be filed within "four business days of determining [a cyber] incident was material."
Claude Mandy, chief evangelist for data security at Symmetry Systems, notes that Prudential's move to file before fully identifying the materiality of the breach could be an effort to defang any extortion attempts by the assailants.
The potential for weaponizing the new SEC regulations is evident in the case of MeridianLink, which opted to not negotiate with the ransomware group ALPHV (aka BlackCat) after a cyberattack. The gang responded by filing a formal complaint with the SEC, alleging that its recent victim failed to comply with new disclosure regulations.
"The proactive holding statement by Prudential is indicative of the pressure being put on cybercrime victims by cybercriminals under this new incident reporting regime," Mandy says. "It is a sign of a well-rehearsed incident response program."
He adds, "cybercriminals can and will be threatening public disclosure of the incident to extort money from the victims. An early disclosure like this relieves that pressure, but it requires modern data security tools to determine the likely materiality of the incident."
Meanwhile, Darren Guccione, CEO and co-founder at Keeper Security, said in an emailed statement that such voluntary reporting of cyber incidents could simply be a spin-doctoring effort, after seeing the fallout that Uber and SolarWinds execs suffered for not reporting incidents in a timely manner.
"Prudential may be attempting to proactively mitigate reputational damage … this type of voluntary disclosure is likely motivated more by public relations than regulations," he noted.
The incident also points up a glaring omission in federal law: There are no blanket federal data privacy statutes that require businesses to inform customers directly of real or potential data breaches, and no corresponding fines or sanctions in place that act as punitive deterrents. The feds have effectively relegated data privacy and protection to the states and sector-specific agency regulation; the California Consumer Privacy Act (CCPA) is one of the strictest protections, though critics complain CCPA doesn't go far enough.
What sets the new SEC rule apart from other regulations is its requirement that publicly traded companies report such breaches within four days of determining material impact. In contrast, HIPAA gives healthcare entities 60 days for such notifications.
Prudential did not immediately return a request for comment from Dark Reading. Mandy notes that for now, Prudential customers will just need to wait and see whether their information has been compromised in the breach.
"As we’ve seen with other breaches, there may be further aspects to the incident that are uncovered as the investigation and fallout continues," Mandy says. "The holding statement from Prudential indicates that based on what they know right now, they do not believe it meets their threshold for materiality. This threshold is determined by Prudential, based on whether the impact (in their view) would be material information to an investor or shareholder."
He adds, "We hope to see more detailed analysis from Prudential as the investigation continues."
Tara Seals, Managing Editor, News, Dark Reading
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
You May Also Like
Making Sense of Security Operations Data
Making Sense of Security Operations Data
Unbiased Testing. Unbeatable Results
Unbiased Testing. Unbeatable Results
Your Everywhere Security guide: Four steps to stop cyberattacks
Cybersecurity’s Hottest New Technologies – Dark Reading March 21 Event
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Industrial Networks in the Age of Digitalization
Zero-Trust Adoption Driven by Data Protection
Passwords Are Passe: Next Gen Authentication Addresses Today’s Threats
The State of Supply Chain Threats
How to Deploy Zero Trust for Remote Workforce Security
Understanding Today’s Threat Actors
FortiSASE Customer Success Stories – The Benefits of Single Vendor SASE
2023 Gartner Magic Quadrant for Single-Vendor SASE
Threat Intelligence: Data, People and Processes
Migrations Playbook for Saving Money with Snyk + AWS
Cybersecurity’s Hottest New Technologies – Dark Reading March 21 Event
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.