SEC Cyber Disclosure Rules: MGM Resorts and Caesars Entertainment Under Spotlight


The recent dual cyber breaches involving MGM Resorts and Caesars Entertainment have shed light on how organizations interpret and adhere to the Securities and Exchange Commission’s (SEC) new regulatory requirements for disclosing “material” cyber incidents within four days of discovery. Despite both breaches having similar origins and occurring in close proximity, the two organizations took distinct approaches to compliance.

SEC Caesars’ Disclosure

Caesars filed its 8-K disclosure form on September 14, providing extensive information about the nature and scope of the cyberattack. It included details about the use of a social engineering attack on an outsourced IT support vendor. However, Caesars noted that the incident was discovered on September 7, falling outside the SEC’s established four-day deadline for reporting.

SEC MGM Resorts’ Disclosure

MGM Resorts, on the other hand, filed its disclosure within the four-day window on September 12. However, the disclosure did not provide additional information beyond what was initially conveyed in a press release. The statement mentioned the cybersecurity issue, investigations with external cybersecurity experts, notification of law enforcement, and steps taken to protect systems and data.

The differing approaches raise questions about whether MGM under-disclosed details or if Caesars provided more information than required. The SEC declined to comment on these discrepancies.

Cybersecurity Experts Weigh In

Cybersecurity experts have offered insights into these varying approaches:

Chenxi Wang, Founder and General Partner of Rain Capital: Wang suggests that MGM’s disclosure may not meet the SEC’s guidelines as it lacks details about the incident’s nature. In contrast, Caesars’ disclosure aligns more closely with the regulatory spirit. She also points out that the four-day timeline begins with determining materiality, not the breach itself. Caesars did not clarify the incident’s materiality in its disclosure.

Jon Clay, Vice President of Threat Intelligence for Trend Micro: Clay indicates that MGM may have been cautious in disclosing more details due to ongoing investigations and the uncertainty about whether threat actors still had access to its systems. However, he raises the question of whether underdisclosure constitutes a violation.

SEC Disclosure Rules

The SEC has not provided specific guidance on the minimum requirements for 8-K disclosures in the context of cybersecurity incidents. However, other regulatory bodies, such as the Nevada Gaming Board, are adopting the approach. While these regulations remain somewhat vague, organizations like MGM Resorts and Caesars Entertainment must navigate multiple entities, including law enforcement, amid ongoing cyber incidents.

As both organizations navigate regulatory compliance and legal challenges, their experiences will serve as precedents for other entities dealing with future cyberattacks. In the meantime, the rules surrounding cyber incident disclosure remain ambiguous, and enforcement parameters remain unclear.

For more news and updates on Cybersecurity, visit The Cybersecurity Club.

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *

DORA: An Overview of the EU’s Digital Operational Resilience Act

FTC Mandates Data Breach Reporting for Non-Banking Institutions

Bank of England’s Operational Resilience Framework of Critical Third Parties

US Department of Justice Intensifies Fight Against Cybercrimes