Last week, we reported on a Roblox data breach that first happened in 2020, and was apparently shared in some nefarious places in 2021, but only became widely known about when the leak was posted again on July 18. There was a wealth of identifying information about individuals who attended the Roblox Developer's Conference in this hacked data, and some might find the length of time between the hack happening and Roblox Corporation acknowledging it pretty surprising.
Gaming companies are hardly alone in being targets for bad actors, with cybercrime now an omnipresent threat in every business sector. And no matter how good the defences get, we'll be reading about successful hacks on high-profile targets for the rest of our lives. The US Security and Exchanges Commission clearly thinks so and as reported by The Register has voted to adopt new requirements, first proposed in March 2022, that any public company suffering a computer crime that's likely to cause any kind of a "material" hit will now have a four-day time limit in which to disclose the incident. A material hit is basically anything investors should be concerned about.
Given that the vast majority of the big gaming companies in the US are publicly traded, this means the new rule (which comes into effect in 30 days) will apply to companies such as: Activision Blizzard, Electronic Arts, Microsoft, Nexon, Nintendo, Paradox Interactive, Riot Games, Roblox Corporation, Sony, and Take-Two Interactive. Nested within those are plenty of other famous studios like Blizzard, Bungie, Rockstar, and Zynga.
Any company that's suffered a cybersecurity incident that could have a material impact now has to determine whether it should be disclosed "without reasonable delay" and, if it should, immediately has to submit a Form 8-K report which now has a new cybersecurity section. This will see the company declare what it believes to be the "nature, scope, and timing" of the breach and what it thinks the impact on the business will be. These 8-K forms are made public by the SEC.
There are some exemptions that probably won't apply to gaming companies, such as risks to national security or public safety, and the disclosure rules come alongside a new reporting requirement, whereby public companies have to outline their processes for identifying and managing cyber-threats. Foreign companies doing business in the US will not be exempt and similar rules are being applied to their set of forms (6-K and 20-F, fact fans).
The focus here is on investors rather than the little people, but the outcome should be a public good. The exact definition of the word "material" is going to become pretty important, and there are of course a multitude of different possible cyber crimes that this rule will cover, but the example of customer data being compromised feels like something that should be disclosed as soon as it's known about.
Helpfully, the SEC agrees, saying in the rules that: "By way of illustration, harm to a company's reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company."
US state laws already require companies to notify users whose data may have been compromised, so this new regulation is additive rather than entirely novel, another layer of compliance that may catch unreported breaches. It may also illuminate the details of breaches which don't involve user data, such as last year's GTA 6 hack, which companies are usually buttoned-up about. Not everyone is a fan of these new rules, with some pointing out that publicity can be the last thing you want in the wake of a potentially disastrous hack. But the new rules have exemptions baked-in for just such eventualities, and fast public disclosure feels well worth the try.