Prudential Financial Faces Cybersecurity Breach

Prudential Financial has disclosed a cybersecurity breach. Detected on February 5, 2024, the breach involved unauthorized access to certain company systems.

In a filing with the US Securities and Exchange Commission (SEC) on February 12, Prudential said it immediately activated its cybersecurity incident response protocol and is working with external experts to investigate and mitigate the incident. The company suspects the involvement of a cybercrime group.

“Organizations need to quickly identify what the potential impact from a breach is to determine its potential materiality to kick start the disclosure process,” commented Claude Mandy, chief evangelist of data security at Symmetry Systems.

“At the same time, the cybercriminals can and will be threatening public disclosure of the incident to extort money from the victims. An early disclosure like this relieves that pressure but requires modern data security tools to determine the likely materiality of the incident.”

According to Prudential, the breach exposed administrative and user data from specific IT systems and some employee and contractor accounts, but there’s no evidence of customer or client data compromise.

“We continue to investigate the extent of the incident, including whether the threat actor accessed any additional information or systems, to determine the impact of the incident,” Prudential said.

“The incident has not had a material impact on the company’s operations, and the company has not determined the incident is reasonably likely to materially impact the company’s financial condition or results of operations.”

Commenting on the news, Darren Guccione, CEO and Co-Founder of Keeper Security, said there will likely be a surge of mandatory cyber-incident reports to the Federal Commission following the finalization of the new SEC reporting requirements.

“However, with this case and others, we also appear to be seeing an increased inclination to voluntarily report cyber-incidents that do not meet the threshold for disclosure,” Guccione explained.

“By submitting a report to the SEC that an incident occurred but did not have a material impact on operations, Prudential may be attempting to proactively mitigate reputational damage – operating under the assumption that fewer people will read an SEC filing than a public statement.”

The disclosure of the Prudential Financial breach comes in the wake of Bank of America’s recent notification to its customers regarding a data breach via one of its service providers, Infosys McCamish Systems (IMS).
