PRUDENTIAL FINANCIAL INC - (PRU)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Because of the size and scope of our business, we are subject to numerous and evolving cybersecurity risks, any of which, if it materializes, could affect our business strategy, results of operations, or financial condition. See “Item 1A. Risk Factors—Operational Risk” for a discussion of such risks.
Cybersecurity risk management is integrated within our risk management framework. See “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations—Risk Management” for additional information on our risk management. We conduct risk identification through several processes at the business unit, corporate, senior management, and Board levels. This framework includes escalation points to Prudential’s risk committees, allowing cyber risk and control matters to be elevated to the Board of Directors or its Audit Committee for oversight.
In order to respond to the threat of security breaches and cyber-attacks, we have developed an information security program designed to protect and preserve the confidentiality, integrity, and continued availability of information owned by, or in the care of, the Company. This information security program provides for the coordination of various corporate functions and governance groups, including global technology, risk, legal, compliance and corporate audit, and serves as a framework for the execution of responsibilities across businesses and operational roles. Among other things, the information security program establishes security standards for our technological resources and includes training for employees, contractors and third parties. Employees with access to our Company’s systems are subject to comprehensive annual training on responsible information security, data security, and cybersecurity practices and how to protect data against cyber threats.
As part of the information security program, we conduct periodic exercises with independent outside advisors to assess the effectiveness of our program and our internal response preparedness. We regularly engage with the broader security community and monitor cyber threat information.
To address risks associated with third parties, Prudential has established an enterprise-wide Third-Party Risk Management Program. This program’s features include, among other things, identifying, assessing and managing cybersecurity risks throughout the life of our third-party relationships.
We also maintain an incident response plan, which specifies escalation and evaluation processes for cyber events. This plan is executed in close coordination with our corporate functions, including a dedicated cyber and privacy law function, external affairs, and risk management, and is designed to ensure, among other things, appropriate and timely reporting and disclosure.
During the period covered by this Report, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See “Item 1A. Risk Factors—Operational Risk” for a discussion of risks related to cybersecurity.
On February 13, 2024, as amended on February 21, 2024, the Company disclosed the occurrence of a cybersecurity incident. We continue to investigate the extent of the incident. As of the date of this Report, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
Governance
The Company’s information security program is overseen by the Chief Information Security Officer (“CISO”) and Information Security Office, as well as the Chief Information Officer (“CIO”). We believe that our employees responsible for managing cybersecurity risk have the skills and knowledge to assess and manage the Company’s material risks from cybersecurity threats, and their qualifications include degrees and certifications typical for cybersecurity professionals. We expect these employees to, among other things, understand computer systems, networks, and security technologies and be proficient in a variety of security tools and techniques, including intrusion detection, malware analysis and penetration testing. The CISO has served in various roles in information technology and information security for over 25 years, including serving as the head of information technology risk at two large public companies. The CISO holds a graduate degree in technology management and has attained the professional certifications of Certified Information Systems Security Professional and Certified Information Privacy Professional. For a description of the relevant expertise of the CIO, see “Item 1. Business—Information About our Executive Officers.”
The Audit Committee of the Board of Directors, which is responsible for oversight of certain risk issues, including cybersecurity, receives reports from the CISO, the CIO and Operational Risk Management throughout the year. At least annually, the Board and the Audit Committee also receive updates about the results of program reviews, including exercises and response readiness assessments led by outside advisors who provide a third-party independent assessment of our technical program and internal response preparedness. To the extent cybersecurity controls are related to internal control over financial reporting, such controls are considered in the context of Prudential’s annual external integrated audit.
The Audit Committee regularly briefs the full Board of Directors on these matters, and the full Board of Directors also receives periodic briefings on cyber threats in order to enhance our directors’ literacy on cyber issues.