|
Prudential Financial, Inc.
751 Broad Street
Newark, New Jersey 07102
June 21, 2024
Via Edgar
Mr. Geoffrey Kruczek
Mr. James Lopez
U.S. Securities and Exchange Commission
Division of Corporation Finance
Mail Stop 4720
100 F Street, N.E.
Washington, DC 20549
Re: Prudential Financial Inc. (the “Company”)
Amendment No. 1 to Form 8-K filed February 21, 2024
File No. 001-16707
Dear Messrs. Kruczek and Lopez:
We received your letter dated June 7, 2024, setting forth a comment of the staff of the Securities and Exchange Commission (the “Commission”) on the Company’s Current Report on Form 8-K filed February 13, 2024, as amended February 21, 2024, regarding a threat actor that gained unauthorized access to certain of our information systems (the “Cybersecurity Incident”). For your convenience, we have included the staff’s comment below along with our response.
Current Report on Form 8-K filed February 13, 2024, as amended February 21, 2024
General
|1.
|
We note the statement that you experienced a cybersecurity incident that has not had a material impact on your operations. Please advise us as to why you determined to file under Item 1.05 of Form 8-K given the statement that the incident has not had a material impact on your operations, and you have not determined the incident is reasonably likely to materially impact your financial condition or results of operations.
Response
We filed disclosure regarding the Cybersecurity Incident under Item 1.05 of Form 8-K for the following reasons, notwithstanding our determination that the Cybersecurity Incident had not had a material impact on our operations and was not reasonably likely to materially impact our financial condition or results of operations:
|1.
|
At the time of our initial filing, the Commission’s cybersecurity incident disclosure rule pursuant to Item 1.05 of Form 8-K (the “New Rule”) had been in effect less than two months, and only a small number of issuers had disclosed cybersecurity incidents pursuant to the New Rule. Moreover, there was limited staff guidance regarding compliance with the New Rule. Therefore, it was highly uncertain how companies should approach compliance during the course of a potentially significant cybersecurity incident, what investor and other market participant expectations regarding disclosure pursuant to the New Rule would be, and how the SEC would interpret and enforce the New Rule.
|2.
|
Upon detection, the Company promptly investigated the Cybersecurity Incident with the help of external cybersecurity experts and other third-party advisors. We endeavored to take into consideration all relevant facts and circumstances when evaluating our reporting obligations, including quantitative and qualitative factors. As our investigation unfolded, we suspected that the threat actor was a cybercrime group known for its persistence and ability to evade containment. While we ultimately concluded that the incident did not have a material impact on the Company’s operations and was not reasonably likely to materially impact our financial condition or results of operations, given the uncertainty of the New Rule described above and the additional regulatory and communications considerations described below, we felt prudence and the spirit of the New Rule favored disclosure over non-disclosure.
|3.
|
As our investigation, containment efforts, and remediation of the Cybersecurity Incident were ongoing, we were also preparing to file our Annual Report on Form 10-K. In accordance with Item 106 of Regulation S-K, our Form 10-K included newly required disclosure about cybersecurity risks, risk management and strategy, and governance. Making such disclosures during the course of an ongoing Cybersecurity Incident and related investigation presented many challenges, including the potential that our Form 10-K disclosures, with the benefit of hindsight, could be misconstrued as having been misleading (including by omission). We thought that disclosing the Cybersecurity Incident on Form 8-K prior to filing our Form 10-K would allow us to reference the ongoing Cybersecurity Incident in response to Item 106(b)(2) of Regulation S-K. At the time of the filing of our Form 10-K, these newly required cybersecurity disclosures had been in effect for approximately two months, there was limited staff guidance regarding compliance with the new requirements, and we felt that prudence and the spirit of compliance with the new requirements favored disclosure over non-disclosure.
|4.
|
We believed that disclosure of the Cybersecurity Incident on Form 8-K would allow us to communicate more freely about the Cybersecurity Incident with employees, customers, regulators and other stakeholders.
|5.
|
At the time of our filing, we were considering potential capital markets transactions (which we subsequently completed), and we believed that an ongoing and undisclosed cybersecurity incident could hinder our ability to access the capital markets or increase the risk of frivolous lawsuits or potential liability under the securities laws if our disclosures, with the benefit of hindsight, were misconstrued as having been misleading (including by omission).
We also considered whether to file our Form 8-K under Item 7.01 or Item 8.01 of Form 8-K instead of Item 1.05. We ultimately decided to file under Item 1.05 because, although we did not consider the Cybersecurity Incident to be material, we believed it was uncertain, following effectiveness of the New Rule, whether the staff would consider disclosure of a cybersecurity incident under Item 7.01 or Item 8.01 to be deficient. As a result of the foregoing considerations, notwithstanding our conclusion that the Cybersecurity Incident did not have a material impact on the Company’s operations and was not reasonably likely to materially impact our financial condition or results of operations, we felt prudent risk management and the spirit of the Commission’s cybersecurity disclosure rules favored disclosure over non-disclosure.
We are aware of the subsequent statement by the Director of the Division of Corporation Finance, issued on May 21, 2024, wherein he expresses the view that “[i]f a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).” We will be mindful of this guidance if and when we consider disclosure of future cybersecurity incidents.
Please feel free to call Brian Spitser, the Company’s Chief Disclosure Counsel, at (973) 802-7848 if you have any questions about this response letter.
|Very truly yours,
|
/s/ Ann Kappler
|Ann Kappler
Executive Vice President, General Counsel & Chief Compliance Officer