New Disclosure Rules Prove Timely Amid Crippling Cyber Attacks

Here’s a case of what may be fortunate timing for both investors and gamblers. The Securities and Exchange Commission’s new cybersecurity disclosure rules went into effect this month within days of hackers launching crippling cyber-attacks on big names in the gaming industry, including MGM Resorts International and Caesars Entertainment.

The attacks hit the two casino giants especially hard by targeting the companies’ cybersecurity systems to disrupt operations, then demanding millions of dollars in ransom payments. MGM is still scrambling to get its systems back online across the globe. Caesars quietly opted to cough up a $15 million ransom to avoid a similar fate.

In a Form 8-K report dated September 12, MGM referred to a press release from the same day announcing it “recently identified a cybersecurity issue” affecting some of the company’s systems. “Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems,” the release said.

It probably isn’t a coincidence that Caesars put out a Form 8-K the day after MGM with notification of the attack on its own IT infrastructure. However, Caesars’ disclosure had some notable differences from what other companies have done. For instance, on the timing of the incident in question, Caesars’ 8-K revealed less than other 8-Ks regarding cyberattacks searchable on the Intelligize database. Caesars disclosed only the date on which its investigation was complete. After suffering its own attack, Tempur Sealy International went further and disclosed the date it identified the attack. Enzo Biochem, meanwhile, went further still and disclosed the precise date that it suffered its ransomware attack. (Caesars also failed to mention in its 8-K that it ponied up the ransom money.)

To be fair, the Caesars filing matched up with others in terms of what the hackers got away with. It specified that the “unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database.” Enzo gave actual numbers, revealing it had identified “unauthorized access to or acquisition of clinical test information” for nearly 2.5 million people, approximately 600,000 of whom may have had their Social Security numbers accessed. Tempur’s disclosure suggests that it didn’t know if any personal information had been stolen as of the time of the filing.

Note that the new SEC rules will take effect on December 18 and require companies to disclose “material” cybersecurity incidents to the agency on a Form 8-K within four business days. The disclosures should include a “description of the incident’s nature, scope and timing” and how the incident could affect the company’s “financial conditions and operations.”

In other words, critical details about the security breaches might have gone unreported but for the new requirements. And given that Caesars was far from transparent about the details of its attack, who’s to say we would have known about the cyberattack on Caesars if one of its chief competitors hadn’t made its disclosure?
