Navigating the Regulatory and Legal Quagmire: MGM and Caesars Seek Solutions Following Cyber Incidents

The Interpretation and Implementation of SEC Cyber Incident Disclosure Rules

Introduction

In the wake of the new Securities and Exchange Commission (SEC) regulatory requirements to disclose “material” cyber incidents within four days of discovery, the recent cyber breaches of MGM Resorts and Caesars Entertainment have highlighted the differing interpretations of these rules. Both breaches involved the abuse of an Okta Agent and were carried out by the same ransomware threat actor. However, the way each organization handled the new SEC disclosure rules varied significantly. Caesars filed its disclosure outside the SEC’s established four-day deadline, providing detailed information about the nature and scope of the cyberattack. On the other hand, MGM Resorts filed within the four-day window but did not provide detailed incident information beyond its initial press release. This discrepancy raises questions about the adequacy and transparency of these disclosure practices.

Understanding the Divergence

Caesars’ disclosure, while falling outside the four-day reporting window, was praised for its comprehensive nature. It detailed the cyberattack’s nature and scope and even mentioned the use of a social engineering attack on an outsourced IT support vendor. MGM Resorts, on the other hand, provided limited information beyond what had already been communicated in its press release. Chenxi Wang, founder and general partner of Rain Capital, suggests that MGM’s disclosure does not comply with the SEC’s guidelines, which require disclosing the nature of the incident. Wang considers Caesars’ disclosure more aligned with the regulatory spirit.

It is worth noting that the four-day reporting window starts from the determination of materiality rather than the discovery of a breach. Wang speculates that Caesars did not disclose the incident’s materiality, which might explain the delayed reporting. Additionally, Wang argues that the SEC is likely to be more lenient toward organizations in the midst of recovery, such as MGM Resorts. Caesars had already recovered most of its systems by the time it issued its disclosure, enabling it to provide more detailed information. However, the SEC has not clarified what information should be included in a disclosure, leaving some ambiguity in the guidelines.

Vagueness of SEC Disclosure Rules

While the SEC has not provided specific guidance on the minimum requirements for 8-K disclosures, the approach has gained traction outside the regulator’s jurisdiction. John Clay, vice president of threat intelligence for Trend Micro, identifies the Nevada Gaming Board as another entity that has adopted the SEC guidelines for oversight. Although the Nevada Gaming Board did not comment directly on its interactions with MGM Resorts or Caesars Entertainment, it referred to regulation 5.260, which emphasizes the need for gaming operators to secure data from cyberattacks but does not include provisions for post-cyber incident disclosure.

The convergence of different entities, including law enforcement, the SEC, and the Nevada Gaming Control Board, poses a significant burden for impacted companies like MGM Resorts and Caesars Entertainment. The inclusion of multiple regulatory bodies further complicates the compliance landscape for these organizations.

Implications and Recommendations

The differing approaches taken by MGM Resorts and Caesars Entertainment in response to the SEC’s disclosure rules highlight the need for clearer guidelines and standards. The SEC must provide more specific instructions regarding the content and timing of cyber incident disclosures, addressing issues such as the determination of materiality and the reporting window. This clarification would ensure consistency in reporting practices and facilitate better transparency for investors and the public.

It is crucial for companies to adopt a proactive approach to cybersecurity, focusing not only on prevention and detection but also on incident response and disclosure procedures. Implementing robust cybersecurity measures, including regular vulnerability assessments, employee training, and third-party vendor management, can help prevent cyber incidents. Furthermore, organizations should establish clear incident response plans, including protocols for prompt disclosure and ongoing investigations. This proactive stance will help mitigate potential legal and reputational risks associated with cyber incidents.

Regulatory bodies should collaborate to harmonize and streamline reporting requirements across different sectors and jurisdictions. This collaboration would help alleviate the burden on organizations facing multiple reporting obligations and ensure consistent disclosure practices that protect both businesses and stakeholders.

Ultimately, ensuring the adequacy and effectiveness of cybersecurity disclosures requires a careful balance between transparency and protecting ongoing investigations or breaches that have not yet been fully contained. Striking this balance will be crucial as organizations navigate future cyber incidents and adapt to evolving regulatory requirements.
