Cyber risks to and concerns about customer data are increasingly relevant across many leisure sectors given increasing data privacy regulations and the volume of customer and payment data operators collect and sometimes store in their loyalty program databases. Data breaches can result in regulatory actions or fines, brand or reputational risk, lawsuits, or business disruption. Most recently, two issuers in the global gaming sector--MGM Resorts International and Caesars Entertainment Inc.--both rated 'B+' with stable outlooks, reported they experienced cyberattacks. Each attack affected the issuers differently.
MGM's cyberattack created significant operational disruption for an extended period, resulting in a notable third-quarter financial impact along with potential reputational harm. The impact of the cyberattack on Caesars appeared to be limited primarily to potential reputational harm resulting from significant stolen customer data. Like many companies, both MGM and Caesars carry cybersecurity insurance, which may offset some of the financial fallout. Following the disclosure of these attacks, S&P Global Ratings maintained the ratings on MGM and Caesars because both issuers were able to absorb the impacts (see MGM Resorts International Operations Affected By Significant Cybersecurity Breach; Credit Quality Not Currently Affected, Sept. 13, 2023; MGM Resorts International Has The Financial Flexibility To Absorb Negative Impact To Cash Flow From Cybersecurity Breach, Oct. 10, 2023; and Caesars Entertainment Inc.'s Exposure To Cybersecurity Breach Poses Reputation Risk; Credit Quality Currently Unaffected, Sept. 14, 2023).
Here, we explore the answers to some common questions from investors about these breaches, as well as address overall cybersecurity risk in the U.S., as these cyberattacks have become more prevalent across all sectors.
Frequently Asked Questions
How were these two cyber incidents both similar and different?
In its 8-K filing with the Securities and Exchange Commission (SEC) dated Sept. 13, MGM reported a cybersecurity breach and that it had begun an investigation with external cybersecurity experts, notified law enforcement, and had taken steps to protect its systems and data, including shutting down certain systems. Although MGM's casinos and resorts continued operating during that time, news reports and social media indicated they weren't operating at the level to which MGM customers are accustomed. Customers faced significant disruption, as the company's website was down and they had to call to make hotel room and dining reservations at its casino resorts across the U.S. Customers had to check in or out of its hotels and make dining or entertainment reservations at the front desk rather than online. It's our understanding that MGM's casino floors also faced some operating disruptions. Nearly two weeks after the cyber incident, MGM reported that its casinos and resorts were operating normally and that its online reservation system had been restored. On Oct. 5, 2023, MGM disclosed that its investigation determined that the criminal actors also obtained personal information for some customers that transacted with it prior to March 2019. MGM reported that it doesn't believe the criminal actors obtained customer passwords, bank account numbers, or payment card information.
In its 8-K filing dated Sept. 14, Caesars reported it had experienced a cybersecurity breach at one of its outsourced information technology (IT)-support vendors that resulted in significant stolen customer data. After detecting suspicious activity in its network, Caesars also began an investigation with external cybersecurity experts, notified law enforcement and state gaming regulators, and implemented a series of containment and remediation measures to reinforce the security of its IT network. As a result of its investigation, and prior to its Sept. 14 8-K filing, Caesars determined on Sept. 7, 2023, an unauthorized actor acquired a copy of, among other data, its loyalty program database, which includes driver's license numbers and/or social security numbers for a significant number of members. The company indicated at that time there was no evidence the unauthorized actor acquired any member passwords or personal identification numbers (PINs), bank account information, or payment card details. However, Caesars disclosed in its 8-K there was no impact to its customer-facing operations, including its physical casinos and online and mobile gaming applications. As such, it continued operating without disruption.
Did MGM's cyber event harm its financial results?
MGM disclosed in a second 8-K filing on Oct. 5 that the operational disruption it experienced at its properties in September will significantly harm its third quarter results, primarily in Las Vegas, underpinned by a 500 basis point decrease in occupancy at its resorts. The company expects the fourth quarter impact will be minimal. MGM estimates the cyber event will hurt its third quarter 2023 domestic property EBITDAR by $100 million, approximately 10% of the company's third quarter 2022 EBITDAR. MGM also incurred less than $10 million in one-time expenses related to the event, consisting of technology-consulting services, legal fees, and third-party advisory expenses. Despite the significant third quarter impact, we estimate there will be modest impairment of 2%-3% to our full-year forecasted EBITDA from lost revenue and additional costs. This translates to about a 0.1x-0.2x increase in leverage. MGM will likely be able to absorb the pressure on EBITDA and leverage and stay below our 7.5x downgrade threshold given outperformance at its domestic resorts in the first half of 2023 compared to our base case forecast and a more accelerated Macao recovery. Additionally, we believe MGM could pull back on share repurchases to offset the strain on cash flow. MGM also believes its cybersecurity insurance will be sufficient to cover the financial losses resulting from the operational disruptions, the one-time expenses incurred at the time, and future expenses.
Did Caesars' cyber event hinder its financial results?
While we don't expect Caesars' financial position to be materially affected by the breach, it relies upon its loyalty program to sustain its substantial ability to attract loyal guests to its properties. If similar events were to occur in the future, we believe this could hurt Caesars' reputation if it diminishes guests' confidence in the security of their personal information, although the company has indicated it is offering credit-monitoring and identity-theft protection services to all members of its loyalty program. Caesars has incurred, and may continue to incur, certain expenses related to the breach, including expenses to respond to, remediate, and investigate the matter. The company has not confirmed any payment made to the attackers, but in its 8-K filing with the SEC, it indicated it had taken steps to ensure the stolen data was deleted. Caesars carries cyber security insurance, which may offset some of the costs incurred with credit monitoring, depending on its policy's coverage and limitations.
Who are the typical engineers of these type of attacks?
A well-known ransomware group, ALPHV, claimed responsibility for the MGM attack on its leak site (a website where a group publicly "shames" its victims in an effort to force payment). ALPHV is a highly active ransomware group, and its malware was listed as the fourth most prevalent in 2022 according to cybersecurity provider IBM X-Force in its 2023 Threat Intelligence Index. ALPHV's attacks have been detected in multiple locations globally, but organizations based in the U.S. lead the victim count, followed by some in Europe and Asia Pacific.
Although there's no public announcement claiming the attack on Caesars, open source reporting states it might have been a group called Scattered Spider (a name given to the group by security researchers). The group has gone after telecommunications, business process outsourcing organizations, and critical infrastructure organizations. Scattered Spider leverages a range of social engineering tactics including phishing (a variety of attacks, usually via email, that intend to convince the recipient to undertake a compromising activity such as clicking on a malicious link, or giving out a password) and attempts to cause multifactor authentication (MFA) fatigue (a tactic whereby an attacker generates numerous MFA authentication requests, to try to entice the recipients to confirm their identity, which results in the attacker getting unauthorized access to accounts and data). They have also been observed impersonating IT personnel to trick their way into getting credentials or remote access to computers.
Understanding what these groups do helps to better assess the potential threat and end results of their activities. Ransomware groups pursue a variety of means to compromise systems and steal data including:
- Demanding ransom after encrypting data and withholding the means to unlock it until payment is received;
- Using extortion as a means to coerce victims into making payments by threatening to leak data; and
- Employing a distributed denial of service attack, which is a malicious attempt to disrupt the normal operations of a system with a flood of internet traffic to cause a crash or severe slowdown.
A company's level of cyber preparedness can help to understand the extent of the impact, if any, of these activities to issuers' credit quality. More robust cyber preparedness can reduce the damages caused by an attack.
How did the attackers compromise MGM and Caesars?
ALPHV claims they gained access to MGM identity and access management systems to capture user passwords. This could allow them to gain access to accounts they could then use to carry out further attacks. They also state they have compromised MGM's virtual server infrastructure with ransomware. In its 8-K filing, published Sept. 14, Caesars stated that attackers used "a social engineering attack on an outsourced IT support vendor." While it's unknown who the vendor is, an IT support vendor may have access to internal systems that an attacker can exploit to further the attack.
Have we witnessed any general cyber attack trends in the U.S.?
The U.S. was the most attacked country via ransomware between July 2022 and June 2023, with 43% of ransomware attacks identified globally as per the 2023 State of Ransomware report released by cybersecurity company Malwarebytes. ALPHV was the second most active group during this period. According to the 2023 Verizon Data Breach Investigations Report, 100% of the attacks seen in the accommodation and food services sector were financially motivated. As per an IBM X-Force study, there was a 94% reduction in the average time it took to deploy ransomware, declining from two months in 2019, to just under four days in 2021.
How do we see issuers responding to cybersecurity risks in the U.S.?
Companies are focusing on the need to ensure employees can identify attempts at social engineering tactics, including phishing and MFA fatigue. Companies have also been compelled to better manage the risk from third-party vendors, especially those that have access to their data. As seen in the Caesars attack, vendors can be a weak point that hackers can exploit to gain access. Also on companies' radars are implementing disaster recovery and business continuity plans in the event ransomware is discovered and/or data is encrypted. Companies are focused on maintaining backups of critical data and testing backup processes on a regular basis to ensure business operations aren't interrupted.
We seek to gain an understanding of a corporate issuer's cyber preparedness as part of our management and governance assessment. After an incident, analysts will assess how an incident may impact an entity's business and financial risk profiles as well as liquidity.
- Corporates Up Their Cyber Preparedness As Cyber Attacks Become More Widespread, Oct. 25, 2023
- Cyber Brief: Multifactor Authentication Remains Effective But Not Impenetrable, Oct. 18, 2022
- Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023
- Cyber Risk Insights: Detection Is Key To Defense, May 10, 2023
- Cyber Risk Insights: Navigating Digital Disruption, Feb. 22, 2023
This report does not constitute a rating action.
|Primary Credit Analyst:||Melissa A Long, New York + 1 (212) 438 3886;|
|Secondary Contacts:||Paul Alvarez, Washington D.C. +1 2023832104;|
|Nicole Delz Lynch, New York + 1 (212) 438 7846;|
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.