MGM Resorts and Caesars Entertainment, two major players in the casino industry, have recently disclosed cyber incidents to the Security and Exchange Commission (SEC) following ransomware attacks on their casino empires. This move comes after the SEC passed new rules last March, requiring publicly traded companies to report “material” cybersecurity incidents to the regulator within four days.
Caesars’ SEC filing, dated September 14, reveals that an unauthorized actor was able to exfiltrate a copy of the company’s loyalty program database on September 7. This database contained sensitive information, including Social Security and driver’s license numbers, belonging to a significant number of members. On the other hand, MGM Resorts’ SEC report, dated September 13, provides less information, as it only reiterates its previous press release stating that a “cybersecurity issue” has been identified, and an investigation is underway.
Unlike MGM Resorts, which is still experiencing system outages days after the attack, Caesars reported to the SEC that its customer-facing operations, including physical properties and online and mobile gaming applications, have not been impacted and continue without disruption. Caesars also made reference to potential expenses related to the attack in its disclosure, stating that they may incur costs in responding to, remediating, and investigating the incident. They are unsure of the full scope of costs and impacts, as it is yet to be determined whether these costs will be offset by their cybersecurity insurance or potential indemnification claims against third parties.
Although MGM Resorts declined to provide further details regarding the cyberattack on its systems, sources familiar with the incidents have mentioned that the threat group Scattered Spider is responsible for both the system outages at MGM Resorts International and the breach at Caesars, which occurred just a few days apart. The SEC has refused to comment on the disclosure filings.
These incidents raise concerns about the cybersecurity measures in place within the casino industry. With the increasing reliance on digital platforms and the sensitive nature of customer data, ensuring robust cybersecurity protocols has become critical. The SEC’s new rules emphasize the importance of promptly reporting cyber incidents to allow for a quicker response and mitigate potential damages.
This news serves as a reminder that cyber threats can impact any industry, and companies must stay vigilant to protect their systems and customers’ information effectively. Implementing comprehensive cybersecurity strategies that include the latest technologies, employee training, and incident response plans is essential for all organizations, especially those handling sensitive data.
The disclosure filings from MGM Resorts and Caesars also highlight the financial implications of cyber incidents. The expenses related to responding, remediating, and investigating these attacks can be substantial. Companies must consider investing in cybersecurity insurance and establishing relationships with third-party vendors who can provide indemnification against potential damages.
As cybercriminals continue to evolve their tactics and target new industries, it is crucial for companies to prioritize cybersecurity. Regular assessments of existing security measures, proactive monitoring of threats, and ongoing employee education are key components of a robust cybersecurity posture.
In conclusion, MGM Resorts and Caesars Entertainment have complied with the SEC’s new rules by filing disclosures for cyber incidents they experienced. The details provided in the filings demonstrate the significant impact these attacks can have on both the affected companies and their customers. As the casino industry becomes increasingly digital, it is imperative for organizations to continuously update their cybersecurity defenses to protect sensitive data and mitigate the risk of future cyber incidents.