PRUDENTIAL FINANCIAL INC 10-K Cybersecurity GRC - 2025-02-13

Page last updated on February 14, 2025

PRUDENTIAL FINANCIAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 16:24:16 EST.

Filings

10-K filed on 2025-02-13

PRUDENTIAL FINANCIAL INC filed a 10-K at 2025-02-13 16:24:16 EST
Accession Number: 0001137774-25-000044


Item 1C. Cybersecurity.

Risk Management and Strategy

Because of the size and scope of our business, we are subject to numerous and evolving cybersecurity risks, any of which, if it materializes, could affect our business strategy, results of operations, or financial condition. See “Item 1A. Risk Factors-Operational Risk” for a discussion of such risks.

Cybersecurity risk management is integrated within our risk management framework. See “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations-Risk Management” for additional information on our risk management processes. We conduct risk identification through several processes at the business unit, corporate, senior management, and Board levels. This framework includes escalation points to Prudential’s risk committees, allowing cyber risk and control matters to be elevated to the Board of Directors or its Audit Committee for oversight.

In order to respond to the threat of security breaches and cyber-attacks, we have developed an information security program designed to protect and preserve the confidentiality, integrity, and continued availability of information owned by, or in the care of, the Company. This information security program provides for the coordination of various corporate functions and governance groups, including global technology, risk, legal, compliance and corporate audit, and serves as a framework for the execution of responsibilities across businesses and operational roles. Among other things, the information security program establishes security standards for our technological resources and includes training for employees, contractors and third parties. Employees with access to our Company’s systems are subject to comprehensive annual training on responsible information security, data security, and cybersecurity practices and how to protect data against cyber threats.

As part of the information security program, we conduct periodic exercises with independent outside advisors to assess the effectiveness of our program and our internal response preparedness. We regularly engage with the broader cybersecurity community and monitor cyber threat information.

To address risks associated with third parties, Prudential has established an enterprise-wide Third-Party Risk Management Program. This program’s features include, among other things, identifying, assessing and managing cybersecurity risks throughout the life of our third-party relationships.

We also maintain an incident response plan, which specifies escalation and evaluation processes for cyber events. This plan is executed in close coordination with our corporate functions, including a dedicated cyber and privacy law function, external affairs, and risk management, and is designed to ensure, among other things, appropriate and timely reporting and disclosure.

When we do experience cybersecurity incidents, like the cybersecurity incident we disclosed in February 2024, we aim to utilize that experience to inform and strengthen our information security program.

During the period covered by this Report, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See “Item 1A. Risk Factors-Operational Risk” for a discussion of risks related to cybersecurity.

Governance

The Company’s information security program is overseen by the Chief Information Security Officer (“CISO”) and Information Security Office, as well as the Head of Global Technology and Operations (“HGTO”). The CISO and Information Security Office are responsible for monitoring for, and informing management of, cybersecurity incidents impacting Prudential’s systems.

We believe that our employees responsible for managing cybersecurity risk have the skills and knowledge to assess and manage the Company’s material risks from cybersecurity threats, and their qualifications include degrees and certifications typical for cybersecurity professionals. We expect these employees to, among other things, understand computer systems, networks, and security technologies and be proficient in a variety of security tools and techniques.

The CISO has served in various roles in information technology and information security for over 25 years, including serving as the head of information technology risk at two large public companies. The CISO holds a graduate degree in technology management and has attained the professional certifications of Certified Information Systems Security Professional and Certified Information Privacy Professional. For a description of the relevant expertise of the HGTO, see “Item 1. Business-Information About our Executive Officers.”

The Audit Committee of the Board of Directors, which is responsible for oversight of certain risk issues, including cybersecurity, receives reports from the CISO, the HGTO and Operational Risk Management throughout the year. At least annually, the Board and the Audit Committee also receive updates about the results of program reviews, including exercises and response readiness assessments led by outside advisors who provide a third-party independent assessment of our technical program and internal response preparedness. To the extent cybersecurity controls are related to internal control over financial reporting, such controls are considered in the context of Prudential’s annual external integrated audit. The Audit Committee regularly briefs the full Board of Directors on these matters, and the full Board of Directors also receives periodic briefings on cyber threats in order to enhance our directors’ literacy on cyber issues.


Company Information

Name: PRUDENTIAL FINANCIAL INC
CIK: 0001137774
SIC Description: Life Insurance
Ticker: PRU - NYSE, PFH - NYSE, PRH - NYSE, PRS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30