Notes on the MGM Cyber Attack
As you may have already heard, earlier this week MGM Resorts suffered a ransomware attack that disabled multiple MGM properties, including its flagship MGM Grand and Bellagio casinos in Las Vegas. This raises an interesting question for compliance and audit professionals: How would the SEC’s new rules for disclosure of cybersecurity attacks apply to something like this?
To be clear, the SEC’s new rules do not apply to this week’s attack; they won’t go into effect until the end of this year. But all evidence so far suggests that the attack was particularly nasty — the sort of thing that likely would qualify as a “material cybersecurity event” that the rules will, soon enough, force companies to report to investors. So what challenges and issues does the MGM attack bring into sharp relief?
Plenty, I fear.
Let’s start with what we know about the attack so far. MGM first detected the attack on Sunday evening, according to numerous reports that surfaced on Twitter that day. The attack left guests unable to use their mobile app or digital key cards, so they were locked out of their rooms for hours. It disabled ATMs, cashier offices on the casino floors, paid parking systems, and even slot machines.
The recovery since then has not gone well. As of today, Thursday morning, MGM’s website and mobile app were still down. Guests and employees have had to rely on manual processes to check in and out of rooms, make reservations, and place food orders. I’m not even sure how people get into their rooms, short of having physical keys.
MGM Resorts has been hit with a cyber security attack. Everything from gaming machines to hotel communications have mostly been inoperable for four days now.
— Las Vegas Issues (@VegasIssues) September 13, 2023
Who did this? So far we’re not sure. A ransomware gang known as ALPHV has claimed responsibility, saying that it searched LinkedIn to find an MGM employee who worked in the IT department. The group then called the MGM help desk, obtained whatever credentials it needed, and launched the attack. Other reports say that a separate ransomware group called Scattered Spider is the culprit, also by means of a social engineering attack.
MGM did release a bland 80-word statement about the attack on Tuesday, saying that it is “taking steps to protect our systems and data” and working with law enforcement to investigate.
Whatever, MGM. We already have plenty of material to start reverse-engineering the compliance and audit issues afoot here.
Questions of Disclosure and Materiality
First is the question of whether a breach like this is even material. We could answer that from several perspectives, which is exactly the point for audit and compliance professionals.
We could ask whether this breach is quantitatively material. That would be a rather straightforward exercise of tracking how much revenue is not coming through the door thanks to disabled sales functions, how much additional cost is piling up to resolve the breach, and comparing the total amounts to your best estimates for revenue and operating expenses.
For example, MGM reported $5.73 billion in casino revenue for 2022. Assuming its casinos are open every hour of every day (it’s the gambling industry, after all), that works out to $654,500 of casino revenue per hour. If we also assume a materiality threshold of 1.5 percent, then a material hit to casino revenue would be $86 million — which, at $654,500 of lost revenue per hour, MGM would hit in about 5.5 days.
Obviously my calculations above are a crude approximation. The larger point here is that to calculate quantitative materiality, finance and audit teams will need exquisite visibility into revenue streams and expense categories. You’ll need to track those lost revenues and increased costs against budget forecasts for normal operations, absent the attack.
A good real-world example of all this is Hanesbrands. In 2022 the company reported a ransomware attack that shut down its order fulfillment system for three weeks and cost the company $100 million in lost sales for a single quarter. That was 6.2 percent of total quarterly sales, clearly material. But if materiality is closer to 1 or 2 percent of the line item, then Hanesbrands probably crossed that threshold within the first week of that three-week disruption. Under the SEC’s new cyber disclosure rules, a company in Hanesbrands’ predicament would have to disclose the attack within four days of hitting that quantitative threshold, even while the disruption was still ongoing.
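To make the materiality arithmetic above concrete, here is an added Python illustration (mine, not MGM’s figures beyond those quoted above, and not any SEC-prescribed method). It reproduces the revenue-per-hour calculation and then generalizes it to the hour-by-hour tracking of lost revenue and added cost against a budget forecast that the previous paragraphs call for; all hourly series are constructed sample data.

```python
"""Materiality clock for an ongoing outage (illustrative only)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24  # assumes the business runs every hour of the year, as the post does


@dataclass
class OutageEstimate:
    hourly_loss: float          # revenue not coming through the door, per hour of outage
    threshold_amount: float     # materiality threshold in dollars
    hours_to_threshold: float   # outage hours until the threshold is crossed
    days_to_threshold: float


def materiality_clock(annual_revenue: float, threshold_pct: float,
                      extra_cost_per_hour: float = 0.0) -> OutageEstimate:
    """Crude run-rate estimate: how long can an outage last before lost revenue
    plus incremental response cost crosses a percent-of-revenue threshold?"""
    hourly_loss = annual_revenue / HOURS_PER_YEAR + extra_cost_per_hour
    threshold_amount = annual_revenue * threshold_pct / 100
    hours = threshold_amount / hourly_loss
    return OutageEstimate(hourly_loss, threshold_amount, hours, hours / 24)


def hours_until_crossed(forecast, actual, extra_cost, threshold_amount):
    """Walk hourly series (budget forecast, actual revenue, incremental cost)
    and return the 1-based hour in which the cumulative shortfall crosses the
    threshold, or None if it never does. Partial recovery shows up naturally
    as actual revenue climbing back toward forecast."""
    total = 0.0
    for hour, (f, a, c) in enumerate(zip(forecast, actual, extra_cost), start=1):
        total += max(f - a, 0.0) + c   # only shortfalls count, never over-performance
        if total >= threshold_amount:
            return hour
    return None


if __name__ == "__main__":
    est = materiality_clock(5.73e9, 1.5)   # MGM's 2022 casino revenue, 1.5% threshold
    print(f"${est.hourly_loss:,.0f}/hour; threshold ${est.threshold_amount:,.0f}; "
          f"crossed after {est.days_to_threshold:.1f} days")
```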
If reports out of Las Vegas are accurate, with manual processes everywhere, I have no doubt this attack is quantitatively material, and will be disclosed on those grounds alone.
But we still have another perspective to consider.
Let’s Get Qualitative
Regardless of the quantitative materiality of this attack, measured in dollar terms, there is also the question of whether this attack is qualitatively material.
That is, does the nature and scope of the attack suggest something so wrong in the company’s control system that investors should know about it, regardless of the financial damage?
That can be a very difficult question for companies to answer, but it’s a question that can’t be ignored. You could suffer a cyber attack that causes a relatively small amount of damage, but something in its nature is so alarming that the attack would be qualitatively material anyway, and you should disclose it.
Let’s go back to MGM as an example.
- The attack disabled everything from slot machines, to room access, to ATM withdrawals, to room service orders, to reservation systems. How could so many separate systems all be vulnerable to one attack? Shouldn’t those systems be segregated more thoroughly?
- Let’s say the attackers did obtain unauthorized credentials by researching an IT employee’s LinkedIn profile and then impersonating that employee in a call to the help desk. What authentication procedures either failed, or didn’t exist in the first place, to let this social engineering attack work?
- MGM is using clipboards, pens, and scraps of paper to manage all those disabled systems. How did its backup systems and business continuity plans fail so severely?
We don’t know the answers to those questions, but they’re all reasonable to ask. They also suggest severe failures in MGM’s cybersecurity regime, which points to an even bigger question: How did this happen? How did management and the board either allow such a weak control environment for cybersecurity, or miss that such weaknesses existed?
Several weeks ago SEC chief accountant Paul Munter published a statement urging companies to do better at risk assessments, and specifically floated the idea that several small, quantitatively immaterial weaknesses could add up to one qualitatively material weakness in the company’s control environment. Munter was talking about financial reporting, but the meltdown at MGM is the cybersecurity equivalent of that concept.
I don’t know what MGM will ultimately disclose about this attack, but wow — it does give other public companies plenty to think about, since you’re all likely to face a similar situation eventually.