Regulators aren't the only paperwork hassle facing the casinos. On Monday, just days following Caesars disclosure of a cyberattack, a class-action lawsuit was filed in the US District Court in Nevada by Miguel Rodriguez, accusing the casino of operating with "inadequate data security."
While the Caesars and MGM Resorts disclosures churn toward their conclusion, how the two organizations weather the litany of regulations and litigation will offer critical precedent other groups can use to navigate future cyberattacks. In the meantime, rules remain vague and enforcement parameters unclear.
SEC Disclosure Rules Remain Vague but Adopted by Other Regulators
While the SEC has not yet provided guidance around the minimum requirements for 8-K disclosures, the implementation of the approach is spreading outside the regulator's purview. Clay says the Nevada Gaming Board is also using the SEC guidelines as a blueprint for oversight, for instance.
Nevada Gaming Control Board members George Assad, left, Brittnie Watkins and Chairman Kirk Hendrick during a Nevada Gaming Commission meeting in Las Vegas
The Nevada Gaming Board wouldn't comment directly about its interactions with MGM Resorts or Caesars Entertainment but provided a link to a regulation 5.260, which requires gaming operators to secure data from a cyberattack. The regulation provided does not include any provisions for disclosure following a cyber incident.
"Another layer to this is that casinos are having to deal with the Nevada Gaming Control Board, which is following the SEC’s guidance," Clay adds. "What this means for the impacted companies is they now have a couple of different entities they have to deal with, including law enforcement. There’s a lot of groups that have converged on MGM and Caesars."
