
Prudential Financial reports Feb. 4 cyberattack in SEC filing


The unending attacks on large financial companies continue as Prudential Financial reported Feb. 13 that an unspecified threat actor accessed company administrative and user data, as well as a small percentage of user accounts associated with employees and contractors.

Prudential, which released the information in an 8-K filing with the Securities and Exchange Commission (SEC), said it detected on Feb. 5 that the bad actor gained access to its systems the day before, Feb. 4. The company said it had no evidence that the threat actor took customer or client data.

The nation’s second-largest insurance company, with more than $55 billion in revenue, said it did not believe the most recent attack had a “material impact” on its operations, and had not determined that the incident is “reasonably likely” to materially impact the company’s financial condition or operations. This notion of "materiality" is important because public companies are now supposed to file with the SEC within four days if they determine the breach caused material damage to the company's finances or operations.

Even though the company determined it was not materially impacted by the incident, some security pros said Prudential made a smart move by filing — and that at least in this initial period following the new SEC filing rules going into effect Dec. 18, companies may err on the side of filing.

John Gunn, chief executive officer at Token, said filing was smart because the company could learn more information about the attack in the future that would then reclassify it as a material event. Gunn added that the SEC’s objective is to require the disclosure of information that could “reasonably impact” an investor's decision to buy, sell or hold securities — and potentially this very minor breach could.

“Finally, this disclosure lessens the risk of a future shareholder class-action lawsuit should the breach turn out to be material in a significant way and it results in a decline in share price — shareholders were fully informed,” said Gunn.

Tim Chase, Global Field CISO at Lacework, added that thanks to new attention and regulations placed on cybersecurity, the culture around reporting has been changing. Chase said CISOs are under more scrutiny to prove they have repeatable, operationalized, and defensible security processes in place.

“As a result, CISOs and their companies are becoming more transparent and proactive in their reporting,” said Chase. “It’s easier to say something isn't material now, and then update later based on new findings, than not report and later find out it was material.”

Darren Guccione, co-founder and CEO at Keeper Security, said there will certainly be a flood of mandatory cyber incident reports to the federal commission following the new SEC reporting requirements. However, in this case and others, Guccione expected an increased inclination to voluntarily report cyber incidents that do not meet the threshold for disclosure.

“By submitting a report to the SEC that an incident occurred, but did not have material impact on operations, Prudential may be attempting to proactively mitigate reputational damage — operating under the assumption that fewer people will read an SEC filing than a public statement,” said Guccione. “This type of voluntary disclosure is likely motivated more by public relations than regulations.”

Prudential’s news came on the heels of SC Media reporting yesterday that an attack on a third party claimed by the LockBit ransomware group had led to the compromise of “deferred compensation plans” managed by Bank of America.

Planet Home Lending experienced an attack on Monday by LockBit that compromised the personal information of its customers.

Was Prudential's identity system targeted?

Semperis Principal Technologist Sean Deuby pointed out that insurance companies are not subject to the same regulations as financial institutions and, thus, typically are not as sophisticated when it comes to security. Deuby said persistent threat actors will target certain companies and look for gaps in their security architecture until they find a weak spot and steal whatever they want.

“While details of last week’s Prudential attack are scant, it’s highly likely that their identity system was compromised because the vast majority of attacks use these systems as a well-paved pathway to their target,” said Deuby. “Securing identity systems is one of the most crucial components in an organization’s risk management program. And when services within the Active Directory and Entra ID identity systems are compromised, the hackers have been given the keys to the kingdom and are free to take control of IT resources and siphon away vast amounts of proprietary data.”
