The recent cyber breaches at MGM Resorts and Caesars Entertainment have highlighted the varying interpretations of the new Securities and Exchange Commission (SEC) regulatory requirements regarding the disclosure of “material” cyber incidents. Both breaches were the result of an abuse of an Okta Agent and were carried out by the same ransomware threat actor. However, the way in which each organization handled the SEC disclosure rules differed.
Caesars filed its disclosure, known as SEC Form 8-K, on September 14. The disclosure provided detailed information about the nature and scope of the cyberattack, including the use of a social engineering attack on an outsourced IT support vendor. However, the filing noted that the incident had been discovered on September 7, which put the disclosure outside the SEC’s established four-day reporting deadline.
On the other hand, MGM Resorts promptly filed its disclosure within the four-day window on September 12. However, the disclosure did not provide any additional details about the attack beyond what had already been mentioned in an initial press release.
Upon reading both disclosures, it appeared that either MGM was not fully disclosing the incident or that Caesars had provided more information than what was required. When asked about the discrepancies between the disclosures, the SEC declined to comment.
Meanwhile, the SEC has stepped up enforcement of its earlier disclosure policy, as seen in the threat of legal action against individual executives involved in the 2020 SolarWinds supply chain cyberattacks.
According to Chenxi Wang, founder and general partner of Rain Capital, MGM’s disclosure was insufficient. The guideline states that the nature of the incident should be disclosed, which MGM did not do. On the other hand, Wang believes that Caesars’ disclosure was more aligned with the spirit of the regulation and provided enough detail to understand the company’s response process.
Regarding the timing of Caesars’ disclosure falling outside the four-day window, Wang suggests that organizations are given some leeway in determining materiality. Caesars never stated whether the incident was material, which may have been the reason for the timing.
Wang argues that the SEC is likely to be more lenient with organizations in the midst of recovery, like MGM Resorts. Caesars had already recovered most of its systems, putting them in a better position to provide details.
John Clay, vice president of threat intelligence for Trend Micro, explains that MGM may not have disclosed more details because they were still determining if the threat actors had ongoing access to their systems. However, it remains unclear whether companies are in violation if they underdisclose.
Although the SEC has not provided guidance on the minimum requirements for 8-K disclosures, other regulators, such as the Nevada Gaming Board, are adopting the SEC guidelines for oversight. This means that impacted companies like MGM Resorts and Caesars Entertainment have multiple entities to deal with, including law enforcement and regulatory boards.
In addition to regulatory hurdles, the casinos are also facing legal challenges. A class-action lawsuit was filed against Caesars in the US District Court in Nevada, accusing the company of operating with “inadequate data security.”
As these disclosures and legal battles unfold, the way in which MGM Resorts and Caesars Entertainment navigate the regulatory landscape and handle litigation will set a precedent for other organizations dealing with cyberattacks. However, the rules surrounding disclosure remain vague, and the parameters for enforcement are still unclear.