New cybersecurity disclosure requirements mandated by the U.S. Securities and Exchange Commission (SEC) are now in effect, requiring public companies including gaming operators and suppliers to disclose cybersecurity incidents, with some exceptions, within four days.
The final rule has two components, according to Erik Gerding, director of the SEC’s division of corporate finance.
The first is a mandatory requirement to disclose “material cybersecurity incidents” by filing an 8-K form within four business days of the incident. The second component requires companies to disclose information annually regarding cybersecurity risk management, strategy and governance.
Gerding noted that cybersecurity risks have increased alongside the ever-increasing share of economic activity that depends on electronic systems, the growth of remote work, the ability of cybercriminals to monetize cybersecurity incidents, and the use of digital payments.
The securities regulator also counts the growing reliance on third-party service providers for information technology services, including cloud computing, as a cybersecurity risk.
“The commission also observed that the cost to companies and their investors of cybersecurity incidents is rising at an increasing rate,” Gerding said in a speech titled Cybersecurity Disclosure published on Thursday (December 14) on the SEC’s website.
“All of these trends highlight investors’ need for improved disclosure. The final rules meet this need,” he added.
Gerding said the SEC “is not seeking to prescribe particular cybersecurity defenses, practices, technologies, risk management, governance, or strategy”, while publicly traded companies maintain the “flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances.”
Gerding stressed that investors have indicated, however, that they need consistent and comparable disclosures to evaluate how successfully public companies are doing so.
The requirement to report a cybersecurity incident within four days is effective starting Monday (December 18), while the need to disclose cybersecurity management details in annual reports went into effect on Friday (December 15).
Casino Cybersecurity Vulnerabilities
The new SEC rules have taken effect less than three months after leading U.S. casino operators MGM Resorts International and Caesars Entertainment were both victims of successful social engineering attacks, in which the attackers contacted employees and claimed they needed to re-authenticate their identities or update account information.
In October, the New York State Gaming Commission also confirmed that a cybersecurity attack temporarily closed or disrupted several casinos whose video lottery terminals (VLTs) are connected to a central system.
Everi Holdings operates the VLT systems for New York regulators. A cyber incident against Everi caused the network disruption, but there is no evidence that customer information was seized in the incident.
Both Caesars and MGM submitted 8-K filings with the SEC detailing their incidents. MGM CEO Bill Hornbuckle said the incident that crippled the operator's casino systems in eight states in September would cost $100m, although cyber insurance should pick up most of the costs.
Under the new SEC rules, all three publicly listed companies would have four business days to notify the agency of a cybersecurity incident, counted from the point at which they determine the incident to be material to their operations.
The clock starts at that materiality determination, not when the incident occurred or was discovered.
“It is narrower than what the commission originally proposed, which would have required additional details that were not explicitly limited by materiality,” Gerding said. “In revising the disclosure requirement, the commission took into account not only the company’s compliance costs but also its need to respond and remediate incidents.”
Through separate state-level regulations set by the Nevada Gaming Control Board, Nevada casinos have about two weeks left to perform a risk assessment of the vulnerability of their computer systems to cyberattacks.
The amendments to Regulation 5, which governs the operation of gaming establishments, took effect on January 1 of this year and gave some 400 non-restricted gaming licensees until December 31 to perform a risk assessment of their systems and take necessary and ongoing steps to protect infrastructure.
Properties are also required under the new regulations to report any successful breach that compromises player or employee data, credit card information, or other records or infrastructure to gaming regulators within 72 hours.
The amended regulations give licensees some latitude in how they develop appropriate cybersecurity practices. They were also changed to allow licensees to use an affiliate or third-party company to conduct the assessments and monitoring.