Ransomware Attacks on MGM Resorts and Caesars Entertainment Prompt SEC Disclosures
The Background
Last March, the Securities and Exchange Commission (SEC) implemented new rules requiring publicly traded companies to promptly report any “material” cybersecurity incidents. Recently, both MGM Resorts and Caesars Entertainment have filed disclosures with the SEC following ransomware attacks on their casino empires.
The Incidents
Caesars’ disclosure, dated September 14, indicated that an unauthorized actor had exfiltrated a copy of the company’s loyalty program database on September 7. The compromised database contained sensitive information, including Social Security and driver’s license numbers, of a significant number of members. On the other hand, MGM Resorts’ filing, dated September 13, was less informative. The hospitality company reiterated its previous press release from September 12, stating that it had identified a “cybersecurity issue” and that an ongoing investigation was underway.
Differences in Impact
While MGM Resorts continues to experience system outages even days after the incident, Caesars reported that its customer-facing operations, including physical properties and online and mobile gaming applications, remained unaffected. Interestingly, Caesars’ SEC disclosure seemed to refer to reports of a ransom payment: “We have incurred, and may continue to incur, certain expenses related to this attack,” Caesars noted in its filing. The disclosure also mentioned potential indemnification claims against third parties as well as the use of cybersecurity insurance to offset costs.
Cybersecurity Insurance and Indemnification Claims
The mention of cybersecurity insurance and potential indemnification claims raises questions about the extent to which companies prepare for cyber incidents. While insurance can provide some financial protection, it is crucial for companies to prioritize proactive cybersecurity measures to prevent attacks in the first place. Insurance claims and indemnification may not fully cover the associated costs and potential reputational damage.
The Scattered Spider Connection
Although MGM declined to provide additional details on the September 10 cyberattack, sources familiar with the incidents have pointed to a threat group called Scattered Spider as being responsible for both the system outages at MGM Resorts and the data breach at Caesars. The involvement of a known threat group raises questions about the vulnerability and preparedness of the hospitality industry to defend against sophisticated cyber threats.
Expert Analysis and Advice
Internet Security and the Hospitality Industry
The recent ransomware attacks on MGM Resorts and Caesars Entertainment highlight the ongoing threat to the global hospitality industry. As organizations in this sector increasingly rely on information systems and online services, they become attractive targets for cybercriminals seeking financial gain or notoriety. Despite being aware of the risks, the industry has been slow to invest in robust cybersecurity measures.
Hotels and casinos collect vast amounts of personal and financial data from their customers, making them attractive targets for data breaches. The stolen information, such as Social Security and driver’s license numbers, can be used for various purposes, including identity theft, financial fraud, and even espionage.
The Need for Proactive Measures
While it is important for companies to promptly disclose cyber incidents in compliance with SEC regulations, it is equally crucial for them to take proactive steps to prevent such incidents from occurring in the first place. It is no longer enough to rely solely on traditional cybersecurity defenses. Organizations must adopt a multi-layered approach that includes regular security assessments, employee training, robust network security, and encrypted data storage.
Cyber Insurance and Risk Assessment
Cybersecurity insurance can provide some financial protection in case of a breach or attack. However, companies should not view it as a substitute for comprehensive cybersecurity measures. Relying solely on insurance may create a false sense of security. Instead, companies should conduct thorough risk assessments to identify potential vulnerabilities and develop strategies to mitigate them. Cybersecurity should be treated as a critical investment rather than an optional expense.
The Role of Government and Industry Collaboration
The recent incidents also raise questions about the role of government and industry collaboration in addressing cyber threats. While the SEC’s requirement for reporting material cyber incidents is a step in the right direction, more proactive measures are needed. Government agencies should work closely with industry experts to develop and implement cybersecurity best practices specific to the hospitality sector. This collaboration could include sharing threat intelligence, conducting joint simulations and exercises, and providing guidance on incident response and recovery.
Editorial Opinion
The ransomware attacks on MGM Resorts and Caesars Entertainment reveal the urgent need for stronger cybersecurity measures within the hospitality industry. The incidents highlight the potential consequences of inadequate cybersecurity practices, including financial losses, reputational damage, and compromised customer trust.
While regulations like those implemented by the SEC are an important step towards transparency and accountability, they should be complemented by proactive cybersecurity strategies. The hospitality industry must prioritize investments in state-of-the-art cybersecurity defenses, employee training, and regular risk assessments. The focus should be on prevention rather than just response and recovery.
Additionally, government and industry collaboration is essential to effectively combat cyber threats. The government can provide guidance, support, and resources, while industry experts can contribute their in-depth knowledge of the sector to develop tailored solutions. By working together, they can create a more resilient and secure environment for both businesses and consumers.