Prudential Financial disclosed that 36,545 individuals had personal information stolen in an early February breach that was claimed by ALPHV/Black Cat, the group also responsible for the Change Healthcare ransomware attack.
In a letter to consumers on March 29, the large insurance company said the stolen personal data includes names, addresses, driver’s license numbers, and non-driver identification card numbers.
“As part of our response, we have worked with leading cyber security experts to confirm the unauthorized third party no longer has access to our company systems,” said Prudential Financial in the letter.
The company also said it took measures to protect its systems and data, including enhancing access controls and security protocols and implementing additional monitoring technologies and procedures. Prudential Financial said it’s also taking steps to strengthen its authentication protocols and help protect access to customer accounts.
Organizations should take note of new SEC disclosure rules
In light of this recent disclosure by Prudential Insurance, it's crucial to reflect on the four-day incident notification process outlined in the new SEC regulations, noted Craig Jones, vice president of security operations at Continue. Jones pointed out that, historically, there's often a lag between breach disclosure and victim notification.
“But with the new SEC regulations aiming for timelier disclosures, we anticipate an improvement in this process,” said Jones. “However, the effectiveness will depend on companies' adherence to these regulations and their commitment to transparency. It remains to be seen whether this will significantly change the current playbook for large companies, or if we will continue to observe delayed notifications.”
Nick France, chief technology officer at Section, said companies are always likely to remain wary of really rapid disclosure, given the financial impact these incidents can have, and try to delay as much as possible.
“Ultimately, I believe that the new SEC regulations should make these processes work faster,” France said. “However, given the wording of the regulation, and the fact that it only came into effect at the very end of 2023, it may take some time before we see disclosures happening at the four-day pace.”
Dave Gerry, chief executive officer at Bug Crowd, said the SEC has made it clear that its primary goal revolves around ensuring investors are notified of security incidents promptly.
“Broader customer notification is a secondary outcome to that, and I'd expect to see companies continue to comply with the SEC rules while also implementing their own incident response playbooks,” said Gerry.
https://www.scmagazine.com/news/prudential-financial-february