This year marks the 20th anniversary of October being Cybersecurity Awareness Month, which makes it a fitting time to discuss how one industry in particular, the casino industry, has been significantly impacted by recently reported cyber incidents. No industry is exempt from experiencing a cyber incident that could cripple essential business operations, and sometimes this occurs in a matter of minutes … rather than hours, days, weeks or months. In the incident that involved MGM Resorts, the Cyber Express reported that the cyber breach occurred following a brief ten-minute conversation with a member of its Help Desk.
While no industry is immune from such a cyberattack, an Arctic Wolf Survey found that only 60 percent of organizations utilize a comprehensive cyber insurance policy whereas 40 percent do not have such cyber protections in place. In addition, this same survey discovered that the hospitality industry actually has the lowest rate of comprehensive cyber insurance policy adoption, coming in at 35 percent. There is also variation in cyber insurance adoption rates based on the location of the organization; the United States came in first at 63 percent followed closely by the United Kingdom at 62 percent and Canada at 55 percent. Still, there is room for growth.
Current Events in the Industry
Next, we’ll explore the recent cyberattacks that affected both MGM Resorts International (“MGM”) and Caesars Entertainment, Inc. (“Caesars”). The hospitality sector overall is not only vast in size, but it’s also a high-revenue generator. For example, the Statista Research Department determined that as of 2023 the global hospitality market attained 4.7 trillion in revenue and is projected to reach 5.8 trillion by 2027. According to Future Market Insights, the global casino hotel industry alone is projected to reach $214.5 billion in 2023 and then it’s set to reach $321.4 billion by 2033, equating to a 4.8 percent increase in the anticipated growth rate over that ten-year span.
- MGM Resorts International
According to the class action complaint filed on September 21, 2023, Kirwan v. MGM Resorts International, MGM suffered a cyberattack on September 11, 2023, in which its systems were accessed after an individual impersonated an employee in order to obtain access credentials. Once network access was achieved, ransomware was deployed, and a ransom payment was demanded before the systems could be restored. This cyberattack was estimated to last for ten days in total, affecting a multitude of services including, but not limited to, key card access, slot machines and even ATM kiosks.
Apart from this aspect of the attack, one of the hacking groups involved, “Scattered Spider,” allegedly acquired six terabytes of MGM’s data, while the other group, known as ALPHV, claimed responsibility for initiating the ransomware attack, which allowed it to download and then exfiltrate information, including personally identifiable information (“PII”).
The primary focus of this subsequent class action lawsuit was the lack of adequate protection for the PII that was compromised. The complaint pointed out the lack of proper information security practices and alleged that the hardware utilized was insufficient to protect against various cyber incidents and related vulnerabilities. As noted in the complaint, “[a] ransomware attack, like that experienced by Defendant is a type of cyberattack that is frequently used to target companies due to the sensitive … data they maintain. In a ransomware attack the attackers use software to encrypt data on a compromised network, rendering it unusable and demanding payment to restore control over the network.”
The class action suit brought here encompassed over 100 similarly situated class members. This incident demonstrates how one cyberattack can have both varied and long-lasting consequences. It also serves as an opportunity for those within the casino industry to examine the policies that they currently have in place and to explore what other risk management strategies could be employed, such as multifactor authentication, data encryption, and cyber insurance. The vulnerabilities that were exposed here could serve as an impetus for others to improve and/or modify their current cyber security policies; it’s important to have these discussions before a cyber incident occurs rather than after the fact.
NBC News reported that based on MGM’s filing with the Securities and Exchange Commission (“SEC”) on October 5, 2023, it lost an estimated $100 million from this criminal cyberattack. In this same 8-K filing with the SEC, MGM noted that “Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined.” Going forward, MGM noted that “While no company can ever eliminate the risk of a cyber-attack, the Company has taken significant measures, working with industry-leading third-party experts, to further enhance its system safeguards. These efforts are ongoing.”
- Caesars Entertainment, Inc.
The next cyber incident, involving Caesars, also illustrates how cyber attackers can capitalize on various cyber vulnerabilities within the casino industry, and how outsourced information technology vendors utilized by a company can also be susceptible to cyberattacks. On September 7, 2023, it was determined by Caesars following an investigation that an outside actor had acquired its data, including but not limited to information contained within its loyalty program database. Caesars also noted in its 8-K filing with the SEC that “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”
In this situation, a third-party information technology support vendor was involved; as reported by Security Week, the social engineering attack was aimed at this vendor.
When examining the potential future impacts of this cyber event, Caesars anticipated in this same SEC filing that “We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.”
What’s the Aftermath?
After a cyber incident occurs, the next logical question is as follows: what’s the aftermath? There are many answers to this one simple question. The examples above illustrate just some of the consequences for businesses that experience such an event, including but not limited to business interruption costs, reputational/public relations costs, and various reporting/filing requirements for cyber incidents. As noted above, subsequent litigation is another potential and very impactful consequence. The second article in this series will highlight proactive cyber approaches and explain how utilizing four key behaviors can potentially reduce cyber risk.
Synapse Services does offer cyber insurance coverage options for casinos. Please contact one of our producers if you are interested in receiving additional information about the availability of cyber insurance options specifically tailored to the casino industry.
By: Jessica Cambridge