Following September’s ransomware attack on MGM Resorts, the hospitality and casino giant swiftly decided not to engage or negotiate with cybercriminals — and based on its most recent Securities and Exchange Commission (SEC) disclosure, the gamble paid off.
MGM’s incident response strategy was a sharp left turn from Caesars Entertainment, which after it was breached by the same threat actors, decided to pay a negotiated ransom of $15 million and move on. In the days following the casino cyberattacks, Caesars was back to day-to-day operations, while MGM struggled to claw back operations for more than a week.
In its revised SEC disclosure form 8-K, MGM reports it lost about $100 million as a result of the breach, which seems like a hefty price tag at first blush. However, the company noted that the losses will only slightly impact the company’s third quarter financials, with minimal potential spillover into the fourth quarter. For comparison’s sake, MGM hauled in nearly $4 billion in revenue in the second quarter of the year, across its global operations — and $2.1 billion in revenue from its Las Vegas properties alone.
“The Company does not expect that it will have a material effect on its financial condition and results of operations for the year,” MGM said. The casino juggernaut is already looking forward to November Formula 1 racing coming to the Vegas Strip, which it added will boost its fourth quarter earnings significantly.
Caesars, on the other hand, made the choice to pay, despite widespread guidance against meeting ransom demands.
“Paying a ransom to cybercriminals does not guarantee a full return of an organization’s systems and data, and only furthers the ransomware ecosystem,” according to Anne Cutler, cybersecurity evangelist with Keeper Security. “Although the $100 million in losses are costly on the surface, MGM’s decision not to pay the ransom followed the course of action recommended by cybersecurity experts, government, and law enforcement.”
The outcome makes a surprising business case for telling cybercriminals to pound sand following a ransomware attack.
Do Deep Pockets Make Orgs Better or Worse Targets?
Are some organizations just too rich to ransomware?
“No company is too big to hack; the key issue is a business too resilient to hack,” Viakoo CEO Bud Broomhead says. “MGM may have invested heavily in backup and recovery, and may use this attack to learn where their weakness[es] are so next time they will be even more resilient to attack.”
Cutler points out that for small- and midsize businesses, a ransomware attack “could force them out of business entirely.” Larger businesses are more financially equipped to absorb remediation costs.
But instead of gambling on whether to pay after a ransomware attack has already happened, it's smarter for businesses to continually invest in cybersecurity technology to keep pace with evolving threat actors, according to Omri Weinberg, co-founder of DoControl.
“No company will ever be fully bulletproof, and just like the casino, you need to bet where to invest the resources and funds into your cybersecurity practice,” Weinberg says. “Adversaries will always be more sophisticated with new technologies, and it’s a never-ending game.”
Cybersecurity Kevlar aside, Broomhead commends MGM’s incident response to the ransomware attack.
“MGM deserves credit for not paying the ransom; hopefully their example will push more organizations to focus on resiliency and business continuity,” Broomhead says. “It’s never a question of will you be hacked, just when you’ll be hacked and how prepared you are for it.”