MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents

Published: 23/11/2024   Category: security



MGM and Caesars are putting new SEC incident disclosure regulations to a real-world test in the aftermath of twin cyberattacks on the casinos, as class-action lawsuits loom.



In the wake of the new Securities and Exchange Commission (SEC) regulatory requirements to disclose material cyber incidents within four days of discovery, the dual cyber breaches of MGM Resorts and Caesars Entertainment have demonstrated how differently those rules can be interpreted.
Both breaches resulted from abuse of an Okta Agent, and both were reportedly carried out by the same ransomware threat actor. Both occurred within days of one another. But how each organization handled the new SEC disclosure rules was distinct.
Caesars filed its disclosure, SEC form 8-K, on Sept. 14. It was filled with details about the nature and scope of the cyberattack, including the use of a social engineering attack on an outsourced IT support vendor. However, the disclosure added that the incident was discovered on Sept. 7, outside the SEC-established four-day deadline to report.
MGM Resorts was more prompt in its disclosure, filing within the four-day window on Sept. 12, but didn't include any details about the compromise beyond what it had already laid out in an initial press release.
"MGM Resorts recently identified a cybersecurity issue affecting certain of the Company's systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts," the disclosure said. "We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The Company will continue to implement measures to secure its business operations and take additional steps as appropriate."
Reading both disclosures, it would seem either MGM is underdisclosing details of the incident or Caesars provided more information than was required. Asked about the discrepancies between the disclosures, the SEC declined to comment.
Meanwhile, the SEC has ramped up its enforcement of its former disclosure policy, threatening legal action against individual executives involved in the 2020 SolarWinds supply chain cyberattacks, for instance.
Chenxi Wang, founder and general partner of Rain Capital, offers a more frank evaluation of the two disclosures.
"It's difficult to tell which style of disclosure would become the norm, but it's almost certain that MGM's is not going to be sufficient," Wang says. "The guideline stated that you need to disclose the nature of the incident. MGM didn't quite do that."
She adds that the Caesars disclosure is more in line with the spirit of the regulation. "Not sure if Caesars over-disclosed," Wang says. "What they wrote seems to be appropriate and with enough details to understand their process."
Regarding the timing of the Caesars disclosure falling outside the four-day window, Wang says there's a lot of necessary leeway there.
"As for the timing, it is four days from determining materiality, not from determining there was a breach," Wang says. "Caesars never said whether the incident was material, so perhaps that was the reason."
Wang argues that the SEC is likely to give more latitude to organizations in the middle of recovery, like MGM Resorts. "Caesars had already recovered much of its systems when it issued its SEC 8-K and was probably in a better position to provide details," Wang explains.
Should the SEC be more clear about what should be in a disclosure? "Perhaps, but there is merit in a loosely defined guideline, which gives some flexibility in what information goes into the disclosure," Wang says. "This could be important for an ongoing breach or unfinished investigation."
In MGM's case, the organization was likely still trying to determine if the threat actors still had access to its systems and therefore couldn't disclose more details, explains Jon Clay, vice president of threat intelligence for Trend Micro.
"But are companies in violation if they underdisclose?" Clay asks. "That's a different question."
While the SEC has not yet provided guidance around the minimum requirements for 8-K disclosures, the implementation of the approach is spreading outside the regulator's purview. Clay says the Nevada Gaming Board is also using the SEC guidelines as a blueprint for oversight, for instance.
The Nevada Gaming Board wouldn't comment directly about its interactions with MGM Resorts or Caesars Entertainment but provided a link to regulation 5.260, which requires gaming operators to secure data from a cyberattack. The regulation provided does not include any provisions for disclosure following a cyber incident.
"Another layer to this is that casinos are having to deal with the Nevada Gaming Control Board, which is following the SEC's guidance," Clay adds. "What this means for the impacted companies is they now have a couple of different entities they have to deal with, including law enforcement. There's a lot of groups that have converged on MGM and Caesars."
Regulators aren't the only paperwork hassle facing the casinos. On Monday, just days following Caesars' disclosure of a cyberattack, a class-action lawsuit was filed in the US District Court in Nevada by Miguel Rodriguez, accusing the casino of operating with inadequate data security.
While the Caesars and MGM Resorts disclosures churn toward their conclusion, how the two organizations weather the litany of regulations and litigation will offer critical precedent other groups can use to navigate future cyberattacks. In the meantime, rules remain vague and enforcement parameters unclear.