
Online Exclusive: Casinos Hacked

Articles | Neil Hodge | Nov 16, 2023

Cybersecurity failures are a losing hand for gaming operators.

Cybersecurity breaches at MGM Resorts and Caesars Entertainment have been costly for the casino operators while spotlighting the need for gaming companies to sharpen their focus on cyber risks.

On Sept. 12, major U.S. casino operator MGM Resorts International announced it had suffered a cybersecurity breach, but it provided few details about how or when the attack occurred, or the extent of the hack. Some of those details came in an October U.S. Securities and Exchange Commission (SEC) filing, in which MGM Resorts reported that it expected the breach to cost the company $100 million — though it hopes cybersecurity insurance will cover the financial impact.

The company added that it had already paid close to $10 million to third-party cybersecurity advisors to deal with the issue, as well as legal fees. It also expects its third-quarter earnings to take a hit.

According to MGM Resorts, there is no evidence yet that any customers’ payment or bank account information has been accessed or affected. However, it said personal data belonging to people who transacted with the company before 2019 — including email addresses, dates of birth, home addresses, and (in some cases) passport and social security numbers — were stolen.

The data hack at one of the U.S.’s biggest casino and gaming operators is shining a spotlight on the levels of preparedness and resilience large companies need to detect — and rebound from — major cybersecurity breaches. The incident also should act as a prompt for internal auditors to ask more questions about the state of their organizations’ legacy IT systems, what data third-party vendors have access to, and what security arrangements are in place for both.

Attack on Caesars

MGM Resorts is not the only gaming company dealing with the effects of a recent breach. In September, just days before MGM Resorts announced its breach, Caesars Entertainment disclosed to the SEC that it had identified suspicious activity in its IT network resulting from a social engineering attack on one of the company’s outsourced IT support vendors. Hackers stole customer information from Caesars’ loyalty program database, which included drivers’ license and social security numbers. Caesars added that its customer-facing operations — including its physical properties and online and mobile gaming applications — were not impacted.

Like MGM, Caesars hopes its cybersecurity insurance policies will offset some of the remedial costs. Unlike MGM, Caesars paid roughly half of a $30 million ransom demand, while MGM refused to pay, according to reports in The Wall Street Journal.

Assessing Readiness

Beyond the adequacy of the companies’ security controls, the Caesars and MGM Resorts incidents also raise questions about the suitability and viability of cyber insurance, whether paying hackers’ ransom demands is justifiable, and how companies disclose cyber breaches to regulators. Reporting is a particular concern in light of the SEC’s announcement in July that publicly listed companies must disclose the nature, scope, timing, and impact of material cybersecurity incidents within four business days. Large companies must begin making the new disclosures in December.

Bryant Richards, associate professor of Accounting and Finance and director of the Center for Intelligent Process Automation at Nichols College in Dudley, Mass., was formerly a director of internal audit in the casino industry. He says, “If an industry as heavily focused on compliance as the casino industry can be hacked, then any organization can be.”

Richards says the industry will need to re-evaluate how it focuses on cybersecurity risk management so that casinos look at prevention, detection, and response. “No organization will prevent all hacks, but organizations need to detect them and respond to them quickly to limit the damage,” he says. “Companies also should avoid being over-confident. Just because they have not faced a ransomware demand or a freeze in their IT services, it does not mean they have not been hacked — they just may not have discovered it yet.”

An Unsecure Legacy

When it comes to cybersecurity, online casinos’ customer-facing technology will likely be cutting-edge, says Bob Rudloff, a retired senior vice president of Internal Audit for a casino operator in Las Vegas. However, brick-and-mortar casinos’ customer support and back-office IT functions, such as payroll and administrative-focused tasks, probably are not as cyber-resilient, he cautions. This is because over the past two decades many casinos have been through mergers and acquisitions. As part of that process, they have cobbled together a variety of disparate legacy IT systems that still have not been fully integrated or updated.

Going forward, Rudloff says gaming regulators will likely impose more governance and cyber risk management reporting requirements, initially on large operators like MGM Resorts and Caesars and eventually on the industry more widely. But he warns that regulation and oversight of the gaming industry — from an IT perspective — is fragmented, out of date, and low-level in several areas, including cybersecurity. “The rules regarding IT risk are probably 20 years out of date by now,” he notes.

Complicating things, every U.S. state has its own gaming laws, making it difficult for regulators to enact rules that are appropriate for both large and small casino operators. “Regulators have tended to adopt a ‘one size fits all’ approach to accommodate the fact that smaller casinos can’t possibly spend on IT investment and controls what Caesars and MGM can, so the requirements are generally too low-level,” Rudloff explains.

Seeing Security as Risk

James Bone, executive director at risk specialist GRCIndex, based in Lincoln, R.I., says the wider problem is that cybersecurity professionals are not well-versed in risk management generally. “Very often, cybersecurity experts see cybersecurity as a tech issue rather than a people risk and fail to recognize that the human element — employees — is usually the weak link in the chain,” Bone says.

Other common problems, Bone says, are that organizations’ cybersecurity efforts “focus on robustness rather than fragility” and “look at the areas where they or other organizations have suffered breaches in the past rather than look at possible areas of vulnerability where they may be attacked in the future.”

Both approaches are “prone to failure,” Bone says. “The typical response is for organizations to panic and invest in new tech solutions without trying to understand the heart of the problem — how hackers got in.” For example, although legacy systems are vulnerable, “the reason they are breached is because employees open emails and click on web links they shouldn’t or reuse the same passwords for work and for their social media accounts,” he adds.

Bone says internal auditors can help improve cybersecurity by examining how the organization assesses flaws and prioritizes areas of focus. Audit functions also could look at how the organization balances robustness with fragility and review where cybersecurity spending is targeted.

Ultimately, he says, “internal auditors need to ask more questions, better questions, and deeper questions.”

Neil Hodge

Neil Hodge is a freelance journalist based in Nottingham, U.K.