Cyber risks to and concerns about customer data are increasingly relevant across many leisure sectors given increasing data privacy regulations and the volume of customer and payment data operators collect and sometimes store in their loyalty program databases. Data breaches can result in regulatory actions or fines, brand or reputational risk, lawsuits, or business disruption. Most recently, two issuers in the global gaming sector--MGM Resorts International and Caesars Entertainment Inc.--both rated 'B+' with stable outlooks, reported they experienced cyberattacks. Each attack affected the issuers differently.

MGM's cyberattack created significant operational disruption for an extended period, resulting in a notable third-quarter financial impact along with potential reputational harm. The impact of the cyberattack on Caesars appeared to be limited primarily to potential reputational harm resulting from significant stolen customer data. Like many companies, both MGM and Caesars carry cybersecurity insurance, which may offset some of the financial fallout. Following the disclosure of these attacks, S&P Global Ratings maintained the ratings on MGM and Caesars because both issuers were able to absorb the impacts (see MGM Resorts International Operations Affected By Significant Cybersecurity Breach; Credit Quality Not Currently Affected, Sept. 13, 2023; MGM Resorts International Has The Financial Flexibility To Absorb Negative Impact To Cash Flow From Cybersecurity Breach, Oct. 10, 2023; and Caesars Entertainment Inc.'s Exposure To Cybersecurity Breach Poses Reputation Risk; Credit Quality Currently Unaffected, Sept. 14, 2023).

Here, we explore the answers to some common questions from investors about these breaches, as well as address overall cybersecurity risk in the U.S., as these cyberattacks have become more prevalent across all sectors.

Frequently Asked Questions

How were these two cyber incidents both similar and different?

In its 8-K filing with the Securities and Exchange Commission (SEC) dated Sept. 13, MGM reported a cybersecurity breach and that it had begun an investigation with external cybersecurity experts, notified law enforcement, and had taken steps to protect its systems and data, including shutting down certain systems. Although MGM's casinos and resorts continued operating during that time, news reports and social media indicated they weren't operating at the level to which MGM customers are accustomed. Customers faced significant disruption, as the company's website was down and they had to call to make hotel room and dining reservations at its casino resorts across the U.S. Customers had to check in or out of its hotels and make dining or entertainment reservations at the front desk rather than online. It's our understanding that MGM's casino floors also faced some operating disruptions. Nearly two weeks after the cyber incident, MGM reported that its casinos and resorts were operating normally and that its online reservation system had been restored. On Oct. 5, 2023, MGM disclosed that its investigation determined that the criminal actors also obtained personal information for some customers that transacted with it prior to March 2019. MGM reported that it doesn't believe the criminal actors obtained customer passwords, bank account numbers, or payment card information.

In its 8-K filing dated Sept. 14, Caesars reported it had experienced a cybersecurity breach at one of its outsourced information technology (IT)-support vendors that resulted in significant stolen customer data. After detecting suspicious activity in its network, Caesars also began an investigation with external cybersecurity experts, notified law enforcement and state gaming regulators, and implemented a series of containment and remediation measures to reinforce the security of its IT network. As a result of its investigation, and prior to its Sept. 14 8-K filing, Caesars determined on Sept. 7, 2023, an unauthorized actor acquired a copy of, among other data, its loyalty program database, which includes driver's license numbers and/or social security numbers for a significant number of members. The company indicated at that time there was no evidence the unauthorized actor acquired any member passwords or personal identification numbers (PINs), bank account information, or payment card details. However, Caesars disclosed in its 8-K there was no impact to its customer-facing operations, including its physical casinos and online and mobile gaming applications. As such, it continued operating without disruption.

Did MGM's cyber event harm its financial results?

MGM disclosed in a second 8-K filing on Oct. 5 that the operational disruption it experienced at its properties in September will significantly harm its third quarter results, primarily in Las Vegas, underpinned by a 500 basis point decrease in occupancy at its resorts. The company expects the fourth quarter impact will be minimal. MGM estimates the cyber event will hurt its third quarter 2023 domestic property EBITDAR by $100 million, approximately 10% of the company's third quarter 2022 EBITDAR. MGM also incurred less than $10 million in one-time expenses related to the event, consisting of technology-consulting services, legal fees, and third-party advisory expenses. Despite the significant third quarter impact, we estimate there will be modest impairment of 2%-3% to our full-year forecasted EBITDA from lost revenue and additional costs. This translates to about a 0.1x-0.2x increase in leverage. MGM will likely be able to absorb the pressure on EBITDA and leverage and stay below our 7.5x downgrade threshold given outperformance at its domestic resorts in the first half of 2023 compared to our base case forecast and a more accelerated Macao recovery. Additionally, we believe MGM could pull back on share repurchases to offset the strain on cash flow. MGM also believes its cybersecurity insurance will be sufficient to cover the financial losses resulting from the operational disruptions, the one-time expenses incurred at the time, and future expenses.

Did Caesars' cyber event hinder its financial results?

While we don't expect Caesars' financial position to be materially affected by the breach, it relies upon its loyalty program to sustain its substantial ability to attract loyal guests to its properties. If similar events were to occur in the future, we believe this could hurt Caesars' reputation if it diminishes guests' confidence in the security of their personal information, although the company has indicated it is offering credit-monitoring and identity-theft protection services to all members of its loyalty program. Caesars has incurred, and may continue to incur, certain expenses related to the breach, including expenses to respond to, remediate, and investigate the matter. The company has not confirmed any payment made to the attackers, but in its 8-K filing with the SEC, it indicated it had taken steps to ensure the stolen data was deleted. Caesars carries cyber security insurance, which may offset some of the costs incurred with credit monitoring, depending on its policy's coverage and limitations.

Who are the typical engineers of these type of attacks?

A well-known ransomware group, ALPHV, claimed responsibility for the MGM attack on its leak site (a website where a group publicly "shames" its victims in an effort to force payment). ALPHV is a highly active ransomware group, and its malware was listed as the fourth most prevalent in 2022 according to cybersecurity provider IBM X-Force in its 2023 Threat Intelligence Index. ALPHV's attacks have been detected in multiple locations globally, but organizations based in the U.S. lead the victim count, followed by some in Europe and Asia Pacific.

Although there's no public announcement claiming the attack on Caesars, open source reporting states it might have been a group called Scattered Spider (a name given to the group by security researchers). The group has gone after telecommunications, business process outsourcing organizations, and critical infrastructure organizations. Scattered Spider leverages a range of social engineering tactics including phishing (a variety of attacks, usually via email, that intend to convince the recipient to undertake a compromising activity such as clicking on a malicious link, or giving out a password) and attempts to cause multifactor authentication (MFA) fatigue (a tactic whereby an attacker generates numerous MFA authentication requests, to try to entice the recipients to confirm their identity, which results in the attacker getting unauthorized access to accounts and data). They have also been observed impersonating IT personnel to trick their way into getting credentials or remote access to computers.

Understanding what these groups do helps to better assess the potential threat and end results of their activities. Ransomware groups pursue a variety of means to compromise systems and steal data including:

• Demanding ransom after encrypting data and withholding the means to unlock it until payment is received;
• Using extortion as a means to coerce victims into making payments by threatening to leak data; and
• Employing a distributed denial of service attack, which is a malicious attempt to disrupt the normal operations of a system with a flood of internet traffic to cause a crash or severe slowdown.

A company's level of cyber preparedness can help to understand the extent of the impact, if any, of these activities to issuers' credit quality. More robust cyber preparedness can reduce the damages caused by an attack.

How did the attackers compromise MGM and Caesars?

ALPHV claims they gained access to MGM identity and access management systems to capture user passwords. This could allow them to gain access to accounts they could then use to carry out further attacks. They also state they have compromised MGM's virtual server infrastructure with ransomware. In its 8-K filing, published Sept. 14, Caesars stated that attackers used "a social engineering attack on an outsourced IT support vendor." While it's unknown who the vendor is, an IT support vendor may have access to internal systems that an attacker can exploit to further the attack.

Have we witnessed any general cyber attack trends in the U.S.?

The U.S. was the most attacked country via ransomware between July 2022 and June 2023, with 43% of ransomware attacks identified globally as per the 2023 State of Ransomware report released by cybersecurity company Malwarebytes. ALPHV was the second most active group during this period. According to the 2023 Verizon Data Breach Investigations Report, 100% of the attacks seen in the accommodation and food services sector were financially motivated. As per an IBM X-Force study, there was a 94% reduction in the average time it took to deploy ransomware, declining from two months in 2019, to just under four days in 2021.

How do we see issuers responding to cybersecurity risks in the U.S.?

Companies are focusing on the need to ensure employees can identify attempts at social engineering tactics, including phishing and MFA fatigue. Companies have also been compelled to better manage the risk from third-party vendors, especially those that have access to their data. As seen in the Caesars attack, vendors can be a weak point that hackers can exploit to gain access. Also on companies' radars are implementing disaster recovery and business continuity plans in the event ransomware is discovered and/or data is encrypted. Companies are focused on maintaining backups of critical data and testing backup processes on a regular basis to ensure business operations aren't interrupted.

We seek to gain an understanding of a corporate issuer's cyber preparedness as part of our management and governance assessment. After an incident, analysts will assess how an incident may impact an entity's business and financial risk profiles as well as liquidity.

Related Research

• Corporates Up Their Cyber Preparedness As Cyber Attacks Become More Widespread, Oct. 25, 2023
• Cyber Brief: Multifactor Authentication Remains Effective But Not Impenetrable, Oct. 18, 2022
• Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023
• Cyber Risk Insights: Detection Is Key To Defense, May 10, 2023
• Cyber Risk Insights: Navigating Digital Disruption, Feb. 22, 2023