Aflac Discloses Data Breach After Subsidiary Hack

Plus, new Pearl Meyer poll explores opportunities, risks, and the role of compensation committees in AI incentive plans.

Good morning! Here’s what’s up.

People

Yue Yang has been appointed managing director of cyber solutions for EMEA at Aon. Yang joins Aon from Marsh, where she served as head of U.K. retail cyber.

Clips ✂️

Insurance giant Aflac discloses data breach after subsidiary hack

American insurance giant Aflac has disclosed a new data breach after attackers breached its Japan subsidiary's systems and stole personal and bank account information.

Aflac (short for American Family Life Assurance Company) is a Fortune 500 company and the largest supplemental insurance provider in the United States, serving millions of customers in the U.S. and Japan.

In a filing with the U.S. Securities and Exchange Commission (SEC) on Monday, the company revealed that threat actors gained access to Aflac Japan's systems earlier this month.

"On June 30, 2026, Aflac Life Insurance Japan Ltd. ("Aflac Japan"), a wholly owned subsidiary of Aflac Incorporated, a Georgia corporation (the "Company"), issued a press release announcing that, on June 25, 2026, Aflac Japan discovered an unauthorized third-party had unlawfully accessed certain of Aflac Japan's systems between June 15, 2026, and June 25, 2026," the insurance company said.

by Bleeping Computer

AI in Incentive Plans: Opportunity, Risk, and the Role of the Compensation Committee

AI investment is accelerating across industries, while only a limited number of companies have chosen to reflect it in their incentive frameworks. For many committees, the question is not whether AI matters, but how its impact is captured within existing performance measures.

Companies are moving quickly to deploy AI to improve productivity, reshape cost structures, and position for future growth. Most, however, continue to rely on traditional financial and strategic metrics in their incentive plans. This creates a practical challenge: not simply whether to incorporate AI into incentive plans, but whether organizations are prepared to measure and govern it in a way that supports sound pay decisions.

Recent research reinforces this tension. Pearl Meyer’s Q1 2026 Leadership Quick Poll, based on a survey of 108 executives and board members, finds that while AI is advancing, leadership systems are not evolving fast enough to support either strategy or AI. For most companies, the question is not how to design AI metrics, but whether AI is sufficiently central and measurable to warrant inclusion in incentive plans at all.

by Pearl Meyer

How Do You Counter a Threat Actor Who Just Wants to Fight?

Most businesses prepare for a scenario where attackers want something, whether that’s access to proprietary information, money — or both. But what do you do when an attacker has no motive? Avani Desai of Schellman explores how organizations can reorient their risk management approach to prepare for a new age of geopolitical threats.

Fraud, unauthorized access to IT systems, data breaches, there is no shortage of risks for businesses today. Last year, IBM reported that the cost of a data breach was, on average, $4.4 million, and that number isn’t getting lower anytime soon. For business leaders, security professionals and boardrooms, these threats aren’t new. If an attack, like a case of ransomware, did succeed, there were still options to recover. Ransoms can be paid and data or systems can be restored. But now a new problem is emerging. How do you plan for, and respond to, an adversary that has no motive?

by Corporate Compliance Insights

Cyber risk falls flat without business translation

Executive board members understand that cyber risk can be expensive and disruptive, but they often lack a clear explanation of which exposures warrant immediate attention, how those risks compare with other priorities, and which situations require their support. They need to understand which risks matter most, what tradeoffs come with delay, and where management believes action should come first.

Reporting is not the same as communicating

Many board updates fail because they deliver information without clarifying the decision that underlies it.

Directors may hear that a key control is weak or that remediation is behind schedule. Yet those facts alone do not tell them whether the business is operating outside its tolerance for financial loss, disruption or regulatory exposure. Those facts also do not help directors understand what management is asking them to support, what can wait and what cannot.

by Information Week

Cyber Risk is Growing Faster Than Risk Transfer

Cyber risk has evolved from a narrow technical concern into a material enterprise risk. What once focused primarily on data breaches and notification costs now encompasses operational disruption, supply chain dependency and sustained revenue impact across entire organizations.

This shift is driven by deepening technology reliance. Cloud platforms, shared infrastructure and third-party software ecosystems now underpin core business operations. As a result, a single cyber event can trigger cascading failures that extend well beyond the affected system, disrupting production, service delivery and cash flow.

Artificial intelligence (AI) is accelerating change across the cyber risk landscape. It increases threat actor speed, scale and sophistication, while also offering organizations new ways to strengthen detection, response and resilience. For leaders, the issue is not whether AI changes the risk landscape, but how quickly they can adapt their security strategy to capture its benefits while managing the additional exposure.

by Aon

How ransomware syndicates weaponize corporate-style organization

Similar to the events that unfolded with the Conti ransomware group’s demise in 2022, leaked internal chat logs of the Black Basta cybercrime group last year gave us a peek behind the curtain of modern ransomware operations. We found that these groups have continued to evolve into highly sophisticated and organized syndicates, taking a corporate-style approach to extortion.

According to our analysis, Black Basta members carefully studied victims to launch advanced phishing and malware campaigns, exploit vulnerabilities and intimidate victims into paying via panic-triggering tactics. They were exceptionally organized: A call team responsible for social engineering schemes worked a set schedule from 6 p.m. to 2 a.m. Moscow time. Additional tasks were outsourced to third parties — malware services, phone operators and spammers — as if they were hiring contractors. Internal performance assessments weighed heavily in determining wages and ransom payment distributions to teams, just like profit sharing in the corporate world.

by CyberScoop

X