In the wake of the new Securities and Exchange Commission (SEC) regulatory requirements to disclose “material” cyber incidents within four days of discovery, the dual cyber breaches of MGM Resorts and Caesars Entertainment have demonstrated how differently those rules can be interpreted.
Both breaches resulted from abuse of an Okta Agent, and both were reportedly carried out by the same ransomware threat actor. Both occurred within days of one another. But how each organization handled the new SEC disclosure rules was distinct.
Caesars filed its disclosure, SEC form 8-K, on Sept. 14. It was filled with details about the nature and scope of the cyberattack, including the use of a social engineering attack on an outsourced IT support vendor. However, the disclosure added that the incident was discovered on Sept. 7, outside the SEC established four-day deadline to report.
MGM Resorts was more prompt in its disclosure, filing within the four-day window on Sept. 12 but didn’t include any details about the compromise beyond what it had already laid out in an initial press release.
“MGM Resorts recently identified a cybersecurity issue affecting certain of the Company’s systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts,” the disclosure said. “We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The Company will continue to implement measures to secure its business operations and take additional steps as appropriate.”
Reading both disclosures, it would seem either MGM is underdisclosing details of the incident or Caesars provided more information than was required. Asked about the discrepancies between the disclosures, the SEC declined to comment.
Meanwhile, the SEC has ramped up its enforcement of its former disclosure policy, threatening legal action against individual executives involved in the 2020 SolarWinds supply chain cyberattacks, for instance.
MGM’s Cyber Disclosure Lacks Incident Details
Founder and general partner of Rain Capital Chenxi Wang offers a more frank evaluation of the two disclosures.
“It’s difficult to tell which style of disclosure would become the norm, but it’s almost certain that MGM’s is not going to be sufficient,” Wang says. “The guideline stated that you need to disclose the nature of the incident. MGM didn’t quite do that.”
She adds that the Caesars disclosure is more in line with the spirit of the regulation. “Not sure if Caesars over-disclosed,” Wang says. “What they wrote seems to be appropriate and with enough details to understand their process.”
Regarding the timing of the Caesars disclosure falling outside the four-day window, Wang says there’s a lot of necessary leeway there.
“As for the timing, it is four days from determining materiality, not from determining there was a breach,” Wang says. “Caesars never said whether the incident was material, so perhaps that was the reason.”
Wang argues that the SEC is likely to give more latitude to organizations in the middle of recovery, like MGM Resorts. Caesars had already recovered much of its systems when it issued its SEC 8-K and probably in a better position to provide details, Wang explains.
“Should the SEC be more clear about what should be in a disclosure? Perhaps, but there is merit in a loosely defined guideline, which gives some flexibility in what information goes into the disclosure,” Wang says. “This could be important for an ongoing breach or unfinished investigation.”
In MGM’s case, the organization was likely still trying to determine if the threat actors still had access to its systems and therefore couldn’t disclose more details, explains John Clay, vice president of threat intelligence for Trend Micro.
“But are companies in violation if they underdisclose?” Clay asks. “That’s a different question.”
SEC Disclosure Rules Remain Vague but Adopted by Other Regulators
While the SEC has not yet provided guidance around the minimum requirements for 8-K disclosures, the implementation of the approach is spreading outside the regulator’s purview. Clay says the Nevada Gaming Board is also using the SEC guidelines as a blueprint for oversight, for instance.
The Nevada Gaming Board wouldn’t comment directly about its interactions with MGM Resorts or Caesars Entertainment but provided a link to a regulation 5.260, which requires gaming operators to secure data from a cyberattack. The regulation provided does not include any provisions for disclosure following a cyber incident.
“Another layer to this is that casinos are having to deal with the Nevada Gaming Control Board, which is following the SEC’s guidance,” Clay adds. “What this means for the impacted companies is they now have a couple of different entities they have to deal with, including law enforcement. There’s a lot of groups that have converged on MGM and Caesars.”
Sidebar: Class-Action Lawsuit Filed Against Caesars
Regulators aren’t the only paperwork hassle facing the casinos. On Monday, just days following Caesars disclosure of a cyberattack, a class-action lawsuit was filed in the US District Court in Nevada by Miguel Rodriguez, accusing the casino of operating with “inadequate data security.”
While the Caesars and MGM Resorts disclosures churn toward their conclusion, how the two organizations weather the litany of regulations and litigation will offer critical precedent other groups can use to navigate future cyberattacks. In the meantime, rules remain vague and enforcement parameters unclear.