As of late Monday, MGM Resorts International is contending with the repercussions of a potentially significant cybersecurity breach. It remains unclear whether the gaming company has received a ransom request, often a salient feature of cybercrimes, and, if so, whether it has acquiesced to it. Under SEC regulations, if MGM yielded to a ransomware demand, it is duty-bound to disclose such an expenditure to its investors. Despite extensive conjecture about a possible ransom demand, MGM has not publicly confirmed those rumors. An inquiry by Casino.org seeking insight into the situation went unanswered.
Recent directives by the Securities and Exchange Commission (SEC) stipulate that publicly traded entities, MGM included, are required to disclose all information pertinent to cybersecurity risk management, strategy, and governance. SEC Chair Gary Gensler emphasized the importance of such disclosures in his July statement saying, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.”
Reports emerged on Monday afternoon suggesting MGM’s engagement with the FBI, though it remains unclear whether this engagement is related to a potential ransom demand or if the company has confirmed collaboration with federal law enforcement agencies.
Monday proved to be a challenging day for the gaming sector, which faced two pressures at once: a potential decline in consumer spending weighing on casino stocks, and news of the data breach. MGM was one of the hardest hit, with its shares sliding 2.38% on higher-than-average volume in light of the data breach news. MGM now joins an expanding group of enterprises, including heavyweights like Capital One Financial, Equifax, and Sony, that have seen their share prices hit by damaging cybersecurity headlines.
This ripple effect has prompted the SEC to require public companies to share the cost implications of cyber events with their shareholders, a move designed to ensure utmost transparency about the impact on their bottom lines.
While MGM has not confirmed whether it is contending with a ransomware issue, it’s important to remember that, despite the US government’s stance of not negotiating with terrorists, corporations have been known to pay ransomware offenders to cease their cyber onslaughts. Cybersecurity provider Fortinet reports that “Ransomware attacks spiked exponentially through 2021, increasing by 350% since 2018,” pointing to an increasing willingness by companies to pay up, a trend reflected in a 100% hike in companies settling fees and an astounding 200% jump in downtime incidents through 2021. Notable organizations that have submitted to ransomware demands in recent years include CNA Financial, Colonial Pipeline, and the University of California, San Francisco.