Client Advisory: A Tale of Two Cyberattacks: MGM and Caesars
November 2023
Cyberattacks continue to dominate headlines. The recent ransomware attacks at MGM Resorts International and Caesars Entertainment, Inc. are just two recent examples of the ongoing challenges businesses face in defending against motivated and resourceful threat actors. Both companies appear to have been targeted by the same ransomware-as-a-service group and have experienced challenging and costly consequences.1
Here are the incidents by the numbers:
|
MGM |
Caesars |
---|---|---|
Annual Revenue |
$13B |
$11B |
Extortion Payment |
NIL |
$15M* |
Business Interruption Loss |
$100M |
Not specifically disclosed |
Incident Response Costs |
$10M |
Not specifically disclosed |
Theft of Personally Identifiable information |
Driver’s license information & Social Security Numbers |
Entire Loyalty Program Database including Social Security Numbers |
*as reported - see footnote 2 below
Caesars appears to have made the better bet in its response (or was it luckier?), as they apparently have not suffered the same extensive outages as MGM. According to news reports, Caesars says it quickly negotiated with the threat actors, made a $15 million negotiated payment,2 and avoided a material impact on its operations, although further loss may develop over time.3 MGM, on the other hand, reportedly refused to pay the demanded ransom and appears to have suffered significant operational disruption.4
In the Securities & Exchange Commission (SEC) 8-K that Caesars filed on Sept. 7, 2023, Caesars stated: “Although we are unable to predict the full impact of this incident on guest behavior in the future, including whether a change in our guests’ behavior could negatively impact our financial condition and results of operations on an ongoing basis, we currently do not expect that it will have a material effect on the Company’s financial condition and results of operations.”5
In its more detailed 8-K filed on Oct. 5, 2023, MGM said, “the operational disruption experienced at its affected properties during the month of September will have a negative impact on its third quarter 2023 results,” estimating that “negative impact” at “approximately $100 million to Adjusted Property EBITDA for the Las Vegas Strip Resorts and Regional Operations.” MGM nonetheless stated that it “believe[d] it [wa]s well-positioned to have a strong fourth quarter …. and to fully rebound in November for the Las Vegas Strip Resorts.” MGM further disclosed that it “currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions,” hedging that the full scope of the costs and related impacts of this issue had not yet been fully determined.6
So why did MGM and Caesars reach different conclusions on the existential “to pay or not pay” ransom question?
How did each company come to the decisions they made and how should other companies prepare in case they find themselves in a similar position to MGM or Caesars?
It’s reasonable to conclude that the threat actors may have had very different levels of success with respect to the two incidents. In the Caesar’s incident, it appears that the threat actors were able to circumvent the security controls protecting the loyalty client database. Their leverage point might have centered on the risk of releasing very high profile clientele information, especially the volume and sensitivity of the types of Personal Identifiable Information (PII) that Caesar’s collects on these members/players.
Presumably, the threat actors threatened to publish this highly confidential information in a dark web forum, or worse, in an even more visible and accessible location. If this were the case, it would certainly prompt a company to take the risk in trusting the “honor of thieves” and pay the ransom on the promise that the data would never see the light of day.
In the MGM incident, it was disclosed that the threat actors had a stranglehold on the networks and systems that manage hotel operations, including slot machines. Might we reasonably conclude, based on the information that has been disclosed, that the MGM loyalty database was not accessed and that the threat actors found their best leverage in threatening to keep systems inoperable for an extended period, causing more business income loss if the ransom demands were not met swiftly?
Perhaps this was the calculus the MGM CEO referred to in his statement: “It’s going to take us as long to figure this out anyway, even if they gave us the [decryption] keys. And so, let’s just more forward [not pay the ransom] and put ourselves, when we get through this, in a much different and better place.”
While we are only speculating based on the limited publicly disclosed information, it’s worth noting that the nature of any incident and the options available to the victim company will vary significantly. All the more reason to conduct a business impact analysis from a cyber incident perspective so some of these variables come to light, the right decision-makers are rehearsed and well prepared, and they have a nimble and adaptive response playbook.
Most notably, proactively evaluating the cascading impacts cyber incidents may have on your organization is essential to effectively managing risk. A Business Impact Analysis (BIA) should be an integral part of your Incident Response Plan (IRP) / Business Continuity Plan (BCP) because it encourages key stakeholders to examine various loss scenarios, including how each scenario may cause disruption to different parts of the business and how those disruptions affect ongoing operations, supply chain, delivery obligations, company reputation, customer churn, and risks to life and property.
A BIA provides invaluable insight into which assets are critical for core operations, a roadmap to recover compromised critical assets, and the links in the supply chain that require robust redundancies. NIST Incident Response 8286D provides a comprehensive guide for organizations conducting a thorough BIA (see www.csric. nist.gov for more information).
BIA is a process that assesses the security risks associated with potential system breakdowns and identifies resiliency strategies that ensure business continuity during a cyber incident. By combining an IRP with a comprehensive BIA, organizations can minimize the effects of a cyber incident.7
A BIA will provide you with invaluable insight to develop accurate recovery and remediation objectives, as well as realistic steps for achieving those objectives. In conjunction with the IRP and BCP, it also will guide your approach in how to best recover from a cyber incident while minimizing operational impact. The BIA can also offer perspective on how best to communicate with various constituencies and provide the necessary information to your cyber insurance carrier to maximize coverage.
If your organization has not already conducted a BIA or would like additional resources, we recommend you refer to NIST/ISO to begin establishing or updating your BIA framework. Conducting a BIA is an important step in identifying risk areas and recovery and remediation paths. This process of risk identification and analysis must begin with identifying the types of assets that could be affected (including viable redundancies, backups, and cutovers), determining their value and the financial impact if those assets are affected by a cyber incident, and recovering from the incident as quickly as possible.
A comprehensive BIA should address interdisciplinary topics such as:
Companies also should regularly test their BIA, IRP, and BCP with tabletop exercises that include scenarios involving material operational impacts. In addition to providing essential training to key responders, as well as allowing them to familiarize themselves with the BIA, IRP, and BCP, the testing enables organization to ensure their plans are in line with company practices and culture.
This all comes at a time of heightened regulatory oversight of companies and their executives. The SEC recently finalized rules that will for the first time require U.S. public companies to periodically disclose information about their cybersecurity risk management and governance.8
Like MGM and Caesar’s, when a public company experiences a material cybersecurity incident, they now must publicly disclose that incident within four business days of determining materiality, subject to very narrow exceptions.9 The SEC views cybersecurity as a core pillar of its mission and has been vocal in its intention to investigate and bring enforcement actions against companies with lax cybersecurity standards and practices. The SEC’s recent charges against SolarWinds and its CISO for fraud and internal control failures relating to the Company’s 2020 data breach exemplifies this muscular approach.10 The SEC also has updated its whistleblower program and announced significant awards to encourage reporting through that channel as well.11
Outside cyber counsel can assist organizations develop thoughtful BIAs, IRPs, and BCPs tailored to business needs and operational footprint. As part of the undertaking, outside cyber counsel will:
Under advice of counsel, a forensic accountant can help supplement cyber incident findings by:
A forensic accountant’s involvement should no longer be limited to the period after a cyber incident. Instead, McGriff recommends the role of the forensic accountant to include serving on the incident response team and assisting in reviewing the BIA.
Lost income and extra expenses related to business interruptions account for some of the most significant damages following a cyber incident. In fact, one of the primary considerations for organizations when deciding whether or not to pay a cyber extortion is the potential business impact that would result from refusing such a payment. Considerations include more than just the estimated loss of income during the outage period. Risk to life and property, extended impacts from reputation harm, loss of highly sensitive data, and an inability to meet contractual obligations in production and delivery or service schedules will weigh heavily in determining whether or not a ransom payment could reduce or mitigate these risks.
While a significant number of cyber policies provide coverage for, among other things, cyber extortion, business income losses, and reasonable and necessary extra expenses, make sure you review your policy’s terms and conditions.
Since many policies define the covered period as the end of the “waiting period” until the end of the “period of restoration,” it is important that you review the policy’s definition of the “period of restoration” and that you adhere to any deadlines and secure extensions with respect to providing proof of loss. Since your coverage may include the cost of retaining a forensic accountant if worded properly, it may also allow for the forensic accounting fees to be treated as part of the incident response. Forensic accountants bring more to the table than just proof of loss preparation; their expert perspective can inform decision- making with respect to response and recovery.
Make sure you also obtain insurer pre-approval of your chosen outside cyber counsel. Or if you’re planning to use a law firm from the insurer panel, vet and select them before there is an incident.
Do not overlook the rest of your insurance program when assessing BIA as part of your IRP and BCP. We recommend conducting a thorough gap analysis across all lines of coverage including non-cyber policies such as general liability, property, directors and officers liability coverage, kidnap and ransom, and commercial crime insurance. These policies may include a duty to defend and may contribute to cyber-related losses depending on the nature of the incident and the extent of impact both on the first- and third-party sides of loss.
Relying on your organization’s BIA from a cyber incident perspective will serve your incident response team well. A tested IRP and BCP – with key stakeholders setting the criteria for achieving an effective response based on enterprise impact considerations – will also lead to a thoughtful containment strategy and adaptive recovery outcome. Proper planning and preparation are essential to organization vitality before and after a crisis.
Scott Ferber Founding Partner Raj Ferber PLLC
1629 K Street NW, Ste 300
Washington, D.C. 20006
202-868-0035
scott@rajferber.com
Jessica Daehler Senior Vice President, Sales Executive
Executive Risk Advisors, McGriff JDaehler@McGriff.com
Natalia Santiago Senior Vice President & Claims Manager
Executive Risk Advisors, McGriff NSantiago@McGriff.com
Suzanne Gladle
Senior Vice President, Cyber Insurance Practice Leader Executive Risk Advisors, McGriff
SGladle@McGriff.com