New Securities and Exchange Commission (SEC) regulations will require U.S. public gaming companies to disclose "material" hacks within four days.

Last week we reported on the Roblox data breach, which first occurred in 2020 and was apparently shared in some nefarious places in 2021. The hacked data contains a wealth of identifying information about individuals who attended Roblox developer conferences, and some may be quite surprised at the length of time between the hack happening and Roblox admitting it.

Cybercrime is now an omnipresent threat across all business sectors, and gaming companies are hardly the only targets of malicious actors. No matter how much defenses are bolstered, we will continue to read about successful hacks against high-profile targets for the rest of our lives. The Securities and Exchange Commission clearly thinks so, and has decided to adopt the new requirements, first proposed in March 2022, as reported by The Register. A material hack is essentially one that investors should be concerned about.

Given that most major U.S. gaming companies are publicly traded, the new rules (which take effect in 30 days) would apply to companies such as: Activision Blizzard, Electronic Arts, Microsoft, Nexon, Nintendo, Paradox Interactive, Riot Games, Roblox Corporation, Sony, and Take-Two Interactive. Among them are many well-known studios such as Blizzard, Bungie, Rockstar, and Zynga.

All companies that suffer a cybersecurity incident that could have a material impact must determine "without reasonable delay" whether to disclose it and, if so, must immediately file a Form 8-K report. The report would disclose the "nature, scope, and timing" of the breach, as well as what the company believes the impact on its business will be. These 8-K forms will be made public by the SEC.

There are several exemptions that probably do not apply to gaming companies, such as risks to national security and public safety. These disclosure rules arrive alongside new reporting requirements under which public companies must outline their processes for identifying and managing cyber threats. Foreign companies doing business in the U.S. are not exempt, and similar rules apply to foreign company forms (6-K and 20-F, fact fans).

The focus here is on the investor rather than the ordinary citizen, but the result should be in the public interest. Of course, there are many possible cybercrimes that this rule would cover, but the example of customer data being compromised seems like something that should be disclosed as soon as it is known.

The SEC agrees, stating in the rule: "By way of illustration, damage to a company's reputation, customer and vendor relationships, and competitiveness can be examples of material effects on a company."

This new regulation is not entirely new, but rather additional, as U.S. state laws already require companies to notify users whose data may have been compromised. It may also reveal more details about breaches that do not involve user data, such as the GTA 6 hack last year. Not everyone is in favor of the new rules, with some pointing out that after a potentially disastrous hack, public disclosure is the last thing they want. However, the new rules include a disclaimer for such an eventuality, and a quick release of information seems worth a try.
