Updated September 18, 2023 - 7:45 pm
Businesses insure themselves against losses from fires, on-premise injuries, even hurricanes.
But financial losses from cybersecurity attacks, such as the ones experienced by two major casino companies within the past month, are rising faster than others, surpassing financial losses from pandemics and employee skills shortages.
MGM Resorts International, now in its eighth day of a cybersecurity problem the company has yet to label as a ransomware attack, offered no updates on bringing systems back online when contacted Monday, and its “frequently asked questions” internet page had not been updated.
MGM is continuing to take hotel-room and restaurant reservations by phone or through third parties. Guests can access their rooms with key cards instead of the MGM app; slot machine winnings are hand paid instead of through slot ticket kiosks; and paid parking systems are offline, allowing cars to enter parking garages for free.
The company has given no updates on whether it’s in negotiations with extortionists.
In a Sunday report to investors, gaming industry analyst David Katz, an equity analyst with New York-based Jefferies Group, said damages from the cyberattack at MGM would be claimed against insurance, but it’s unclear just how much of the damage would be covered.
MGM did not respond to an inquiry about whether MGM has cybersecurity insurance or how much it would cover in the current attack. Katz said MGM is believed to be losing between $4.2 million and $8.4 million in revenue per day while under siege.
It’s also unclear whether MGM has any intention of paying a suspected ransomware demand or how much that might be.
In a June report from the National Association of Insurance Commissioners’ Center for Insurance Research and Policy on ransomware, the organization said many cyber policies cover ransom money, extortion-related expenses and repair costs.
But the report also said that, although the temptation to pay a ransom is great, the FBI recommends against paying and warned that payment carries its own risks.
“There is no guarantee the data will be restored after the ransom is paid,” the report said. “Ransom demands can be incredibly costly and are rising, with average demands increasing 500 percent from 2020 to the first half of 2021. The average ransomware payment is also increasing, rising from $312,000 in 2019 to $570,000 in 2020. Premiums for cyber insurance policies that cover ransomware payments are climbing as well, with double-digit increases every month in the first quarter of 2021.”
Most ransom demands from cybercriminals are sought in untraceable cryptocurrency.
The FBI confirmed last week that it is investigating the MGM matter.
Katz said there were unconfirmed reports that Caesars Entertainment Inc., in August, paid around $15 million in ransom money to extortionists to regain control of its computerized systems.
Dustin Carlson, an expert in cybersecurity insurance, said it’s likely MGM also has a self-insurance component in its protection — a tactic he recommends for the many small-business clients he serves. He said he suspects even big insurers aren’t going to supply policies for $15 million ransom asks.
There likely are gaps in the coverage of large companies such as MGM Resorts, said Carlson, president of 831(b) Admin, an Idaho-based company that advises small businesses on cybersecurity insurance.
“Any fallout, identity theft or anything that comes from this breach, they’ll be responsible for. They have liability for that,” Carlson said.
“This type of policy … typically will have liability coverage,” he said. “I would imagine MGM being as large as they are, they probably do have a self-insurance component where they have money set aside for this type of event. The remediation becomes so costly that the risk just isn’t worth the reward for these insurance companies and that’s why you’re starting to really restrict that space.”
Carlson said he has no inside knowledge of MGM’s or Caesars’ workings but suspects a major insurance company player, such as a Lloyd’s of London, would be involved in insuring casino companies from cyberattack losses.
Carlson and small-business-centered insurers such as Hiscox, an underwriter for Lloyd’s, said any company that accepts credit cards or other digital payment types, uses computers and mobile devices such as tablets or smartphones, collects or stores financial data, or collects or stores confidential customer information could be vulnerable to cyberattacks. MGM and Caesars fit the bill for all four.
According to the FBI, in 2022, the Internet Crime Complaint Center received 800,944 complaints, with reported financial losses of $10.3 billion. Of those, 2,385 were identified as ransomware complaints with adjusted losses exceeding $34.3 million.
While insurance is a backstop to protect against breaches, Carlson said there’s no substitute for training.
“The problem with these social engineering attacks is that they’re (criminals) are always changing their tactics,” he said. “We always harp on our clients to have employee training and you need to stay on top of it. That one-time-a-year training for your employees is just not enough. You almost need it on a monthly basis.”