New SEC regulations will force any public games company in the US to disclose 'material' hacks within four days

Last week, we reported on a Roblox data breach that first happened in 2020, and was apparently shared in some nefarious places in 2021, but only became widely known about when the leak was posted again on July 18. There was a wealth of identifying information about individuals who attended the Roblox Developer's Conference in this hacked data, and some might find the length of time between the hack happening and Roblox Corporation acknowledging it pretty surprising. 

Gaming companies are hardly alone in being targets for bad actors, with cybercrime now an omnipresent threat in every business sector. And no matter how good the defences get, we'll be reading about successful hacks on high-profile targets for the rest of our lives. The US Securities and Exchange Commission clearly thinks so and, as reported by The Register, has voted to adopt new requirements, first proposed in March 2022: any public company suffering a computer crime that's likely to cause any kind of "material" hit will now have a four-day time limit in which to disclose the incident. A material hit is basically anything investors should be concerned about.

Given that the vast majority of the big gaming companies in the US are publicly traded, this means the new rule (which comes into effect in 30 days) will apply to companies such as: Activision Blizzard, Electronic Arts, Microsoft, Nexon, Nintendo, Paradox Interactive, Riot Games, Roblox Corporation, Sony, and Take-Two Interactive. Nested within those are plenty of other famous studios like Blizzard, Bungie, Rockstar, and Zynga.

Any company that's suffered a cybersecurity incident that could have a material impact now has to determine whether it should be disclosed "without reasonable delay" and, if it should, immediately has to submit a Form 8-K report, which now has a new cybersecurity section. In it, the company declares what it believes to be the "nature, scope, and timing" of the breach and what it thinks the impact on the business will be. These 8-K forms are made public by the SEC.

There are some exemptions that probably won't apply to gaming companies, such as risks to national security or public safety, and the disclosure rules come alongside a new reporting requirement, whereby public companies have to outline their processes for identifying and managing cyber-threats. Foreign companies doing business in the US will not be exempt and similar rules are being applied to their set of forms (6-K and 20-F, fact fans).

The focus here is on investors rather than the little people, but the outcome should be a public good. The exact definition of the word "material" is going to become pretty important, and there are of course a multitude of different possible cyber crimes that this rule will cover, but the example of customer data being compromised feels like something that should be disclosed as soon as it's known about.

Helpfully, the SEC agrees, saying in the rules that: "By way of illustration, harm to a company's reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company."

US state laws already require companies to notify users whose data may have been compromised, so this new regulation is additive rather than entirely novel: another layer of compliance that may catch unreported breaches. It may also illuminate the details of breaches which don't involve user data, such as last year's GTA 6 hack, which companies are usually buttoned-up about. Not everyone is a fan of these new rules, with some pointing out that publicity can be the last thing you want in the wake of a potentially disastrous hack. But the new rules have exemptions baked in for just such eventualities, and fast public disclosure feels well worth the try.

Rich Stanton
Senior Editor

