We’ve written extensively about the SEC regulations requiring public companies to disclose material cyber events (see the full regulations and legal analysis of them here). Analysis of the legal and business ramifications of the disclosure regime has raised a number of issues, including potential conflicts between the cyber and D&O or other policies of insureds hit by reportable hacks.
Another issue sure to arise is the level of detail required in the 8K disclosures. Compare and contrast the disclosures of MGM Resorts and Caesars Entertainment, Inc., both gambling and hospitality companies hit around the same time by attacks attributed to the Okta penetration.
MGM’s disclosure is in essence a vague one-paragraph press release. Caesars’ is far more detailed, includes an apology and a help line for impacted customers, and even alludes to a ransomware payment (see bold below).
We wonder if litigation and/or regulatory action around these hacks may include complaints of inadequate disclosure. We’re also interested in whether the companies issue additional 8Ks, or consider they’ve met the cyber disclosure requirement and communicate from here on via press releases and normal, scheduled regulatory filings.
MGM Resorts 8K disclosure on 9/13/23: The 8K simply links to a press release, which reads:
“Las Vegas, September 12, 2023 – MGM Resorts International (the “Company” or “MGM Resorts”) today issued the following statement: MGM Resorts recently identified a cybersecurity issue affecting certain of the Company’s systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The Company will continue to implement measures to secure its business operations and take additional steps as appropriate.”
Caesars’ 8K disclosure on 9/14/23: “Caesars Entertainment, Inc. (the “Company,” “we,” or “our”) recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company. Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption.
After detecting the suspicious activity, we quickly activated our incident response protocols and implemented a series of containment and remediation measures to reinforce the security of our information technology network. We also launched an investigation, engaged leading cybersecurity firms to assist, and notified law enforcement and state gaming regulators. As a result of our investigation, on September 7, 2023, we determined that the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database. We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor. We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.
We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result (Cyber Insurance News bold highlighting.) We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program. To sign up for these services, members may call (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays.
Additionally, we will be notifying individuals affected by this incident consistent with our legal obligations. These notifications will be made on a rolling basis in the coming weeks. In the meantime, individuals with questions may contact the dedicated incident response line we have established to address questions about this incident, which can be reached at (888) 652-1580 from 9:00 a.m. to 9:00 p.m. Eastern Time, Monday through Friday other than holidays.
While no company can ever eliminate the risk of a cyberattack, we believe we have taken appropriate steps, working with industry-leading third-party IT advisors, to harden our systems to protect against future incidents. These efforts are ongoing. We have also taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems.
We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined. Although we are unable to predict the full impact of this incident on guest behavior in the future, including whether a change in our guests’ behavior could negatively impact our financial condition and results of operations on an ongoing basis, we currently do not expect that it will have a material effect on the Company’s financial condition and results of operations.
The trust of our valued guests and members is deeply important to us, and we regret any concern or inconvenience this may cause.
For additional information, please visit https://response.idx.us/caesars. Information set forth on that website is not incorporated herein by reference.”