Fresh on the heels of the Bank of America cyber compromise, another Fortune 500 giant is notably in the data breach crosshairs: Prudential Financial said this week that hackers cracked "certain" of its systems earlier in the month.
The announcement also stands out for another reason: While corporations are now required to report cybersecurity incidents that have "material" impact to operations to the US Securities & Exchange Commission (SEC), Prudential appears to have gotten out ahead of that new mandate with a voluntary incident disclosure, before any such impact has been determined.
"It's great to see that Prudential Financial quickly detected and responded to the data breach, and our hope is that the attackers were stopped before any sensitive data was stolen, and that the impact to the business is minimal," says Joseph Carson, chief security scientist and advisory CISO at Delinea. For now though, those details are unclear.
Cybercrime Gang Likely Behind Prudential's Breach
In a Form 8-K notice to the SEC, Prudential said that it detected unauthorized access to its infrastructure on Feb. 5. It determined that the threat actor, which the financial and insurance behemoth believes was an organized cybercrime group, had gained access the day before to "administrative and user data from certain [IT] systems, and a small percentage of company user accounts associated with employees and contractors."
The company has kicked off its incident response, which is in the early stages; so far, it's unclear if the attackers accessed additional information or systems, heisted customer or client data, or if the incident will have a material impact on Prudential operations.
With no evidence of any of those scenarios, Prudential isn't yet under a mandate to report the breach. Thus, researchers say the firm's SEC filing is indicative of what could be a new trend: proactive filings.
We Don't Need to Do This — but We Will
On Dec. 15, the SEC incident-disclosure rules changed to require a Form 8-K to be filed within "four business days of determining [a cyber] incident was material."
Claude Mandy, chief evangelist for data security at Symmetry Systems, notes that Prudential's move to file before fully identifying the materiality of the breach could be an effort to defang any extortion attempts by the assailants.
The potential for weaponizing the new SEC regulations is evident in the case of MeridianLink, which opted to not negotiate with the ransomware group ALPHV (aka BlackCat) after a cyberattack. The gang responded by filing a formal complaint with the SEC, alleging that its recent victim failed to comply with new disclosure regulations.
"The proactive holding statement by Prudential is indicative of the pressure being put on cybercrime victims by cybercriminals under this new incident reporting regime," Mandy says. "It is a sign of a well-rehearsed incident response program."
He adds, "cybercriminals can and will be threatening public disclosure of the incident to extort money from the victims. An early disclosure like this relieves that pressure, but it requires modern data security tools to determine the likely materiality of the incident."
Meanwhile, Darren Guccione, CEO and co-founder at Keeper Security, said in an emailed statement that such voluntary reporting of cyber incidents could simply be a spin-doctoring effort, after seeing the fallout that Uber and SolarWinds execs suffered for not reporting incidents in a timely manner.
"Prudential may be attempting to proactively mitigate reputational damage … this type of voluntary disclosure is likely motivated more by public relations than regulations," he noted.
The incident also points up a glaring omission in federal law: There are no blanket federal data privacy statutes that require businesses to inform customers directly of real or potential data breaches, and no corresponding fines or sanctions in place that act as punitive deterrents. The feds have effectively relegated data privacy and protection to the states and sector-specific agency regulation; the California Consumer Privacy Act (CCPA) is one of the strictest protections, though critics complain CCPA doesn't go far enough.
What sets the new SEC rule apart from other regulations is its requirement that publicly traded companies report such breaches within four days of determining material impact. In contrast, HIPAA gives healthcare entities 60 days for such notifications.
Prudential did not immediately return a request for comment from Dark Reading. Mandy notes that for now, Prudential customers will just need to wait and see whether their information has been compromised in the breach.
"As we’ve seen with other breaches, there may be further aspects to the incident that are uncovered as the investigation and fallout continues," Mandy says. "The holding statement from Prudential indicates that based on what they know right now, they do not believe it meets their threshold for materiality. This threshold is determined by Prudential, based on whether the impact (in their view) would be material information to an investor or shareholder."
He adds, "We hope to see more detailed analysis from Prudential as the investigation continues."