Fresh in the wake of Bank of America computer compromiseAnother Fortune 500 giant is in the data breach’s crosshairs: Prudential Financial said this week that hackers breached “some” of its systems earlier this month.
The announcement also stands out for another reason: Companies are now required to do so report cybersecurity incidents that have a “material” impact. to transactions with the U.S. Securities & Exchange Commission (SEC), Prudential appears to have managed to overcome the new mandate with a voluntary disclosure of the incident, before that impact was determined.
“It is great to see that Prudential Financial detected and responded quickly to the data breach, and our hope is that the attackers were stopped before sensitive data was stolen and that the impact to the company is minimal,” says Joseph Carson, chief security scientist and CISO consultant at Delinea. For now, however, these details are unclear.
A gang of cybercriminals is likely behind the Prudential breach
In a Notice of Form 8-K to the SEC, Prudential said that it detected unauthorized access to its infrastructure on February 5. It determined that the threat actor, who the financial and insurance giant believes was an organized cybercrime group, had gained access the day before to “administrative and user data of some [IT] systems and a small percentage of corporate user accounts associated with employees and contractors.”
The company has initiated incident response, which is in the early stages; So far, it is unclear whether the attackers accessed additional information or systems, stole customers or customer data, or whether the incident will have a material impact on Prudential’s operations.
Without any evidence of either of these scenarios, Prudential still has no mandate to report the breach. As such, researchers say the company’s SEC filings are indicative of what may be a new trend: proactive filings.
We don’t need to do it, but we will
On December 15, the SEC’s rules on incident disclosure changed to require that a Form 8-K be filed within “four business days of the determination [a cyber] the accident was significant.”
Claude Mandy, chief data security evangelist at Symmetry Systems, notes that Prudential’s move to archive before fully identifying the materiality of the breach could be an attempt to neutralize any extortion attempts by the attackers.
The potential for using new SEC regulations as a weapon is evident in the case of MeridianLink, which decided not to negotiate with the ALPHV (aka BlackCat) ransomware group after a cyberattack. The gang responded file a formal complaint with the SECclaiming his recent victim failed to comply with new disclosure rules.
“Prudential’s proactive statement is indicative of the pressure cybercriminals are placing on cybercrime victims under this new incident reporting regime,” says Mandy. “It is the sign of a well-rehearsed incident response program.”
It adds: “Cybercriminals can and will threaten public disclosure of the incident to extort money from victims. Timely disclosure like this relieves that pressure, but requires modern data security tools to determine the likely materiality of the incident.”
Meanwhile, Darren Guccione, CEO and co-founder of Keeper Security, said in an emailed statement that such voluntary reporting of cyber incidents may simply be a spin-doctoring effort, after seeing the consequences it Uber AND SolarWinds executives suffered for do not report accidents in a timely manner.
“Prudential may be attempting to proactively mitigate reputational damage…this type of voluntary disclosure is likely motivated more by public relations than by regulation,” he noted.
The incident also highlights a glaring omission in federal law: There are no general federal data privacy statutes requiring companies to directly notify customers of actual or potential data breaches, and there are no corresponding fines or penalties to act as a deterrent punitive. The feds have effectively relegated privacy and data protection to states and industry-specific agency regulation; The California Consumer Privacy Act (CCPA) is one of the strongest protections, even if critics complain The CCPA doesn’t go far enough.
What distinguishes the new SEC rule from other regulations is the requirement that publicly traded companies report such violations within four days of determining material impact. In contrast, HIPAA gives healthcare entities 60 days for such notifications.
Prudential did not immediately respond to a request for comment from Dark Reading. Mandy notes that for now Prudential customers will just have to wait and see if their information was compromised in the breach.
“As we have seen with other breaches, there may be additional aspects of the incident that will be uncovered as the investigation and fallout continues,” Mandy says. “Prudential’s statement indicates that, based on what they know at this time, they do not believe this meets the materiality threshold. This threshold is determined by Prudential, based on whether the impact (in their opinion) would constitute a ‘material information for an investor or shareholder.”
He adds: “We hope to see a more detailed analysis from Prudential as the investigation continues.”