MGM and Caesars data breach in terms of insurance

Signage outside the MGM Grand hotel and casino in Las Vegas, Nevada, US, on Friday, July 28, 2023. MGM Resorts International is scheduled to release earnings figures on August 2. Photographer: Bridget Bennett/Bloomberg

MGM Resorts International and Caesars Entertainment suffered major cybersecurity incidents last week. MGM announced system outages likely caused by a social engineering breach of its IT help desk. Caesars reported in a regulatory filing a data breach that included loyalty program members' personal data, and the company also reportedly paid a ransom.

Okta, an identity and access management company, issued an advisory in August about similar attacks in which hackers tricked IT service desk staff into resetting the multi-factor authentication factors of highly privileged users. MGM and Caesars are both Okta customers.
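The help-desk pattern the Okta advisory describes leaves a trail in the identity provider's own audit log: a privileged user's factors are reset by an administrator or help-desk account, and a new factor is enrolled shortly afterwards, often from an unfamiliar address. The script below is an added example, not part of this article and not code from Okta, MGM or Caesars; it walks Okta-style System Log events and flags that sequence. The event type names follow the Okta System Log as this editor understands them, and the privileged-account list and the sample events are constructed.

```python
"""Flag help-desk MFA resets on privileged accounts in Okta-style System Log events.

Added example for this article; it is not code from Okta, MGM or Caesars.
Event type strings follow Okta System Log naming as the author understands it
(user.mfa.factor.reset_all, user.mfa.factor.deactivate, user.mfa.factor.activate);
the privileged-account list and the sample events below are constructed.
"""
from datetime import datetime, timedelta

# Constructed: accounts whose MFA resets should always be reviewed.
PRIVILEGED = {"admin.alice@example.com", "admin.bob@example.com"}

RESET_TYPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
ENROLL_TYPE = "user.mfa.factor.activate"
WINDOW = timedelta(hours=1)  # how long after a reset a new enrollment is linked to it


def parse_ts(value):
    """Okta publishes ISO-8601 timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious_resets(events):
    """Return one alert per MFA reset that (a) targets a privileged account and
    (b) was performed by someone other than the account owner, i.e. the help-desk
    pattern. If the target enrolls a new factor within WINDOW, the alert is 'high'
    and records the IP the new factor came from; otherwise it is 'medium'."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] not in RESET_TYPES:
            continue
        target = ev["target"][0]["alternateId"]
        actor = ev["actor"]["alternateId"]
        if target not in PRIVILEGED or actor == target:
            continue  # self-service reset, or a non-privileged account
        reset_at = parse_ts(ev["published"])
        enrollment = None
        for later in events[i + 1:]:
            if parse_ts(later["published"]) - reset_at > WINDOW:
                break
            if later["eventType"] == ENROLL_TYPE and later["actor"]["alternateId"] == target:
                enrollment = later
                break
        alerts.append({
            "target": target,
            "reset_by": actor,
            "reset_at": ev["published"],
            "new_factor_from": enrollment["client"]["ipAddress"] if enrollment else None,
            "severity": "high" if enrollment else "medium",
        })
    return alerts


def _event(published, event_type, actor, target, ip):
    """Build a minimal Okta-shaped event (constructed sample data)."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "target": [{"alternateId": target}],
    }


# Constructed sample log: one self-service reset (ignored), one help-desk reset of
# a super admin followed by a new factor from a fresh IP (high), and one help-desk
# reset with no follow-up enrollment (medium).
SAMPLE_EVENTS = [
    _event("2023-09-08T09:30:00.000Z", "user.mfa.factor.reset_all",
           "dave@example.com", "dave@example.com", "198.51.100.10"),
    _event("2023-09-08T10:00:00.000Z", "user.mfa.factor.reset_all",
           "helpdesk.carol@example.com", "admin.alice@example.com", "192.0.2.5"),
    _event("2023-09-08T10:05:00.000Z", "user.mfa.factor.activate",
           "admin.alice@example.com", "admin.alice@example.com", "203.0.113.7"),
    _event("2023-09-08T11:00:00.000Z", "user.mfa.factor.deactivate",
           "helpdesk.carol@example.com", "admin.bob@example.com", "192.0.2.5"),
]

if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print(alert)
```

Running the file prints two alerts: the help-desk reset of admin.alice followed by a new factor from 203.0.113.7 (high), and the reset of admin.bob with no follow-up (medium). In practice the privileged set would be derived from the identity provider's admin role assignments, and a high alert should drive an immediate session revocation and a call-back to the user through a known-good channel, not just a ticket.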

Jason Rosenthal, an Illinois-based attorney at the law firm Much Shelist, spoke with Digital Insurance about the recent cybersecurity incidents, the insurance ramifications and best practices for cybersecurity training.

The following responses have been lightly edited for clarity. 

What kind of incident response plan is typical in situations like this?

Normally, such a plan should be in place prior to an incident occurring, because once an incident occurs it's usually too late to formulate a plan. As things are unfolding, and things move fast when a data breach or hacking occurs, it's often too late to develop a plan.

The plan needs to include what immediate internal and external steps need to be taken. It could be prudent to think about whether or not making a ransomware payment is something you're willing to do if you are hit with an attack like this, and certainly it's best to consider the risks before you're faced with that situation.

One of the first steps is to ask who needs to be notified. Usually that's upper management, the IT staff, legal counsel, the insurer and the authorities. If you do have cyber insurance, carriers will often have a hotline that policyholders can call in the event that there is a cyber incident, and oftentimes the insurer will have resources available that many companies don't have internally, particularly smaller companies. So, for example, the insurer may be able to immediately put you in touch with legal counsel who is experienced in these areas. They will likely be able to direct you as to what steps need to be taken to contact local authorities, et cetera. But those are all sort of step one, you know: who needs to be notified, who needs to be contacted.

Companies should be working with their IT professionals, whether in-house or external if they don't have the internal staff or capabilities, to determine what needs to be done depending on the nature of the attack. So, for example, if it is an actual attack and hacking of the system, they need to know what can and needs to be taken offline. Is there a backup system, or backup data that the company can switch to? Is there a way to shut off some external connection? It's really dependent on the company and what type of technology they use.

How does insurance coverage work for attacks like these?

Cyber coverage can provide various forms of relief. For example, the policy might cover response costs, such as notifying customers that their data has been compromised; it might cover costs needed to restore a customer's personal information. It can cover costs of recovering data, which again sometimes might include ransomware payments, which certain policies may cover, you know, if that's needed or an appropriate course of action.

Cyber policies can also provide for defense and indemnification of third-party claims or third-party liability resulting from the incident. It's a type of coverage that, unlike some other lines of insurance, has both a sort of first-party coverage and third-party liability coverage. For example, if the company is sued in a class action for a data breach, you know, the policy may provide for defense and indemnification of those third-party claims. Similarly, if the company's computer system is damaged by an attack, the cyber policy may cover the cost of repairing those systems.

Some policies can also cover reputational damage, which can be particularly important when a breach becomes public news as you have with the MGM and Caesars situations. That can include crisis management costs, public relations and media costs, things like that. Those are the types of things that cyber insurance can cover. Of course, it depends on the specific policy and policy language. Typically with most claims, you want to notify the insurer as soon as possible. And most insurance policies, whether it's cyber or anything else, require the policyholder to notify the insurance company as soon as possible or as soon as practicable, depending on the policy language. 

With cyber coverage it's particularly important because things move quickly, and there are certain actions that need to be taken. With some types of accidents, the accident happens, there's an injury, but the incident is done. It's over with, you know. With many cyber attacks, the first notice of the attack is just the beginning and it can be important to take prompt action when these things occur.

Many cyber policies typically provide some form of business interruption insurance, and that can cover a number of things, including loss of income while a computer system is down or the business is otherwise interrupted.

What advice would you give to other companies to mitigate incidents like this–what kind of training should employees receive on cybersecurity best practices?

When insurers started issuing cyber insurance years ago it was very expensive, and for many companies it was cost prohibitive. I think the premiums have come down, although, given the proliferation of cyberattacks these days, it's possible they may be on the rise again. But I do think cyber insurance at least needs to be a part of the discussion when you're buying insurance for your business.

There's a cost associated with it, but given that so much of what we do, so much of your company's information, customer information and employees' information, is stored online, you need to think about the potential costs if those systems go down or they're attacked, and that can be devastating to many businesses. I think it absolutely needs to be a part of the conversation and considerations when you're buying insurance.

Training and prevention are obviously the best defense. Insurance is there as a backup, an important backup, when there's a loss, but it's best to try to avoid the loss in the first place. So for most companies, particularly if they have an online presence or are using computer networks to store information, which is most businesses these days, you need to have a security plan in place. Some of that is on the IT professionals to make sure those systems and security protocols are in place.

There's also sort of the user end side of things, and that's probably where most companies are most vulnerable. And that's particularly true with the rise of social engineering fraud or attacks, because those don't necessarily depend on some sophisticated hacker; it really sort of preys on human vulnerability to get into a system. It's important to train users on best practices and how to look for red flags, like verifying financial instructions and banking information. There are a lot of steps. There's a lot of training that's been developed by professionals in this area that companies should consider. Caesars and MGM are big, vulnerable targets, but we've seen companies of all sizes subjected to these attacks.