
Twin cyberattacks but different incident responses: Comparing MGM Resorts and Caesars

September 25, 2023

As an article in DarkReading highlights, it’s tempting to compare the incident responses by MGM Resorts and Caesars Entertainment to their recent cyberattacks because both are the same kind of entity and both were victims of the same threat actors (Scattered Spider/AlphV). But:

Caesars quickly negotiated with the cyberattackers, and handed over a $15 million ransom payout, which allowed it to proceed with business in relatively short order. MGM meanwhile flatly refused to pay, and just announced that its operations have been recovered after 10+ days of casino and hotel operational downtime (tens of millions of dollars in lost revenue later).

(The Data Breach Times notes that while MGM reported operations were recovered, employees and guests continued to note problems).

Comparing the two incident responses is complex. Superficially, it might be tempting to conclude that Caesars had the better response because its business kept operating and it incurred fewer losses and costs than MGM, but there are other factors to consider. As cyber threat researcher Callie Guenther explains:

…. Caesars’ reaction shows that keeping operations running was the priority, while the MGM response demonstrates that the organization is willing to endure short-term financial pain for long-term cybersecurity gains.

“MGM’s choice not to pay the ransom, despite financial losses, might stem from a broader perspective on the implications of ransom payments,” Guenther says. “The duration of their disruption might also reflect a comprehensive internal review and restoration process, ensuring all threats are fully mitigated.”

Read the full article at DarkReading.

Another consideration in evaluating incident response choices is impact on stock prices. Here’s what one investment columnist wrote in attempting to compare Caesars and MGM Resorts:

Caesars, which opted to pay a ransom and keep its systems running in the face of a similar attack, is down about the same amount as MGM during this window. Las Vegas Sands Corp. (LVS), which has no known or confirmed cyberattacks at the moment, is down 7.28%.

So, making a relative comparison, the market seems to be implying that Caesars and MGM have had a similar value loss based on their cyberattacks. If one believes that to be true, then their investment thesis on MGM preceding the cyberattack should probably remain about the same – it’s already been fairly priced in.

However, it seems obvious to me that MGM has suffered far more significant disruptions to their business than Caesars, and should probably be suffering more significant losses in market cap. That would either mean that Caesars should be trading higher, or MGM should be trading lower.

Analyses of these breaches and incident response strategies will continue to make news over time, and it is wise not to jump to conclusions yet.