A Tale of Two Cybersecurity Incidents
It Was the Best of Times; It Was the Worst of Times…
Two of the largest companies in Nevada suffered cybersecurity incidents earlier this month, and their responses differed significantly. First, MGM Resorts International experienced a highly visible cybersecurity incident that crippled company systems over several days, causing issues with digital room keys, electronic games, and even company websites. MGM’s cybersecurity attack is believed to be the result of a vishing expedition—a telephone call to MGM’s IT helpdesk requesting assistance with an employee’s log-in credentials—from a well-known hacking group called Scattered Spider. Forced back to the age of manual hotel check-ins and paper receipts for gambling winnings, MGM suffered significant lost revenue because of the shuttered systems. MGM is believed to have refused ransom requests from the hacker.
Next, Caesars Entertainment Corporation revealed it “identified suspicious activity in its information technology network” and discovered an unidentified actor accessed the loyalty programs database for the company containing driver’s license numbers, social security numbers, dates of birth, and other personally identifiable information (PII). Caesars is believed to have paid a sizeable ransom to the hacker to ensure the information was not released.
Both companies are also now facing consumer class actions from aggrieved customers.
MGM & Caesars’ 8-K Filings
The SEC recently promulgated a final rule regarding the disclosure of cybersecurity incidents, which requires public companies to disclose incidents within four days after the incident is determined to be material. Although both companies promptly filed 8-Ks with the SEC, the submissions from MGM and Caesars differ significantly.
On September 12, 2023, MGM was the first to file an SEC Form 8-K under the SEC’s new rule disclosing its cybersecurity incident. MGM’s Form 8-K filing referred to a press release issued by the company stating MGM “recently identified a cybersecurity issue,” “began an investigation” of the incident with experts, “notified law enforcement,” and was taking steps to “protect our systems and data.” Based on the press release and the Form 8-K filing, it remains unclear what information may have been accessed, used, or disclosed because of the MGM cybersecurity incident. By taking a “less is more” approach, MGM appears to have interpreted the new SEC filing regulations very narrowly, treating them as requiring prompt reporting of an incident while disregarding the aspects of the new rule that require a description of the material aspects of the breach.
Caesars took the opposite approach. It filed its 8-K approximately a week after the discovery of the breach, and the filing identified extensive details: the date it discovered the cybersecurity incident (September 7, 2023), the information accessed during the breach, the investigation efforts the company undertook following the identification of the breach, and contact information for an incident response team dedicated to answering customer questions about the incident. Although Caesars’ 8-K filing may have been filed more than four days after Caesars determined the breach to be material, its filing appears to interpret the new SEC rules broadly to require submissions to contain significant detail about the nature of the incident, the information that was accessed, the type of PII that may have been obtained, and efforts to remediate the issues.
Lessons From Two SEC Filings Disclosing Cybersecurity Incidents: Is There a Middle Ground Between Too Little, Too Much, and Too Late?
The reactions of both companies to their respective data breaches demonstrate (unfortunately) the necessity for companies to plan and prepare for cybersecurity incidents and data breaches. While responding to a technological crisis that has crippled several company systems, coordinating with law enforcement, appeasing agitated guests, complying with disclosure requirements under local, state, and federal law, preparing 8-K filings, and attempting to investigate, remediate, and mitigate a data breach, companies are oftentimes faced with ransom demands from the individuals responsible for the breach. Further, once the cybersecurity incident is disclosed—either in an SEC filing or because of media attention—companies may then be faced with numerous class action lawsuits filed by aggrieved customers regarding the data breaches.
So how does a company juggle remediation of a cybersecurity incident, ransom demands, investigations by authorities, media campaigns, angry customers, and an onslaught of lawsuits?
- Prepare for a Breach: draft and implement cybersecurity and data breach response policies and protocols. Ensure a designated team includes members of the board of directors, information technology, human resources, finance/accounting, and legal to respond to any incidents.
- Train Employees and Officers: preparing a plan is not enough; employees will need to receive training on how to implement the plan in the event of a cybersecurity incident. Regular training can prepare employees to identify cybersecurity threats and to mitigate breaches once they are discovered.
- Review Your Cybersecurity Coverage: ensure you have adequate coverage to meet your business needs in case of a breach. More importantly, ensure you are implementing the appropriate protocols required by your insurance carrier.
- Audit Your Cybersecurity Programs: hire a third-party cybersecurity consulting firm to audit your technology systems. An external third party may be able to identify weaknesses in a company’s systems that an internal specialist cannot, and can provide guidance on how to establish appropriate procedures going forward.
- Prepare for Lawsuits: once a cybersecurity incident has occurred, the company will also likely need to prepare for lawsuits. It is essential to hire trained cybersecurity experts immediately to assist with documenting the incident and the company’s remediation efforts. Legal advisors and counsel will need to begin working immediately on disclosures to the various governmental authorities and to ensure the company is prepared for any lawsuits that may be filed by consumers.