MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents

MGM and Caesars are putting new SEC incident disclosure regulations to a real-world test in the aftermath of twin cyberattacks on the casinos, as class-action lawsuits loom.

In the wake of the new Securities and Exchange Commission (SEC) regulatory requirements to disclose "material" cyber incidents within four days of discovery, the dual cyber breaches of MGM Resorts and Caesars Entertainment have demonstrated how differently those rules can be interpreted.

Both breaches resulted from abuse of an Okta Agent, and both were reportedly carried out by the same ransomware threat actor. Both occurred within days of one another. But how each organization handled the new SEC disclosure rules was distinct.

Caesars filed its disclosure, SEC form 8-K, on Sept. 14. It was filled with details about the nature and scope of the cyberattack, including the use of a social engineering attack on an outsourced IT ...