SEC rule ‘changes the game,’ could shed light on MGM cybersecurity issues
A recently implemented rule from the Securities and Exchange Commission could soon provide insight into MGM Resorts International’s cybersecurity incident that is causing problems at its properties nationwide.
The SEC now requires publicly traded companies to disclose a cybersecurity incident that they determine “to be material” — meaning a shareholder would consider it important in making an investment decision — in a special filing, according to a rule adopted on July 26. The rule became effective Sept. 5 and most companies must comply with the disclosure requirements on Dec. 18.
The filing should include the incident’s nature, scope, timing and impact. It’s generally expected within four business days after the company determines the incident is material, according to the SEC, but could be delayed if an immediate disclosure would pose a “substantial risk to national security or public safety.”
John T. Moran III, a gaming attorney with Clark Hill, said the expanded rule “changes the game” for companies because it sets up requirements for significant cybersecurity problems.
“It shows how pervasive this harm can be,” Moran said. “It’s a harm that’s palpable but it’s not physical in nature. But it can be very dangerous.”
The ruling also set up expectations for reporting on how the publicly traded company assesses and manages risk from cybersecurity threats in the form of an annual report.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a news release announcing the changes. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
MGM Resorts said Monday that the company was working to recover from a “cybersecurity issue” that affected credit card transactions and other computerized systems throughout its hotel-casinos across the country. The company’s websites were still down as of Tuesday afternoon, and customers seeking hotel reservations were directed to call properties because the online system was inoperative.
Properties in Las Vegas include MGM Grand, The Cosmopolitan of Las Vegas, Bellagio, Park MGM, Delano, Excalibur, Luxor, Mandalay Bay, Aria and New York-New York.
The company has been tight-lipped so far about the extent of the cybersecurity issues. They have not called it a cyberattack, but have reported the matter to authorities, suggesting it’s possible.
Industry watchers say a formal disclosure from MGM, traded on the New York Stock Exchange, will provide insight into the problem.
“On the surface, it appears like it was a wide-ranging compromise of their technology,” Josh Swissman, managing director of Las Vegas-based GMA Consulting, said. “It’ll be interesting to see in this disclosure if it was as far-reaching as it appeared or if they did this out of an abundance of caution.”
Others say that this can provide a cautionary tale. As cybersecurity threats become increasingly common – MGM’s cloud server was hacked in 2019 – large companies have to constantly strengthen their security protocols, Brendan Bussmann, managing partner of B Global, said.
“I think we need to figure out how this happened and as an industry, how we can get better at dealing with these,” Bussmann said. “This isn’t the first time and nor will it be the last time.”
McKenna Ross is a corps member with Report for America, a national service program that places journalists into local newsrooms. Contact her at mross@reviewjournal.com. Follow @mckenna_ross_ on X.
