Sign up for smart news, insights, and analysis on the biggest financial stories of the day.
MGM is letting the chips fall with cybersecurity.
After a cyber attack this weekend that knocked several important systems offline across the hospitality company’s Las Vegas properties, MGM on Wednesday filed an 8-K report with the SEC — a.k.a., a formal announcement of a major event that shareholders should know about. Fittingly, also on Wednesday, Moody’s said the cyber attack could lead to a credit ratings downgrade for MGM, something shareholders probably also would want to hear about.
MGM resorts and casinos such as the Bellagio and the Cosmopolitan are really taking matters into their own hands, which may not be doing wonders for guest experiences. Check-ins with credit card payments are being conducted entirely by hand, according to Bloomberg’s on-the-scene reporting, while the MGM Grand’s sportsbook has been forced to close, slot machine players are being cashed out by in-person attendants, and restaurants and bars are only accepting cash — all while many on-site ATMs have been offline.
Unfortunately, the cyber attack shouldn’t exactly be surprising:
- In a recent report from cybersecurity ratings and analytics company BitSight, MGM scored an ‘F’ thanks to its poor patching cadence, or the speed at which it fixes known vulnerabilities.
- In 2020, a different cyber attack snatched the personal information of over 10 million guests who had stayed at MGM Resorts hotels, which were later published on an online hacking forum.
Moody’s on Wednesday said this week’s attack shows there wasn’t a Plan B. It said the breach “highlights key risks related to business operations’ heavy reliance on technology and the operational disruption caused when systems need go offline or are inoperable.” An FBI spokesperson told CNBC that the agency is aware of the attacks and is monitoring the “ongoing” situation, which we think is what they always say when something beats the heck out of them.
Just Under the Wire: MGM would’ve been forced to disclose way more information to the SEC if the attack had occurred a few months from now. That’s because starting next year, the SEC is implementing new rules requiring far more disclosure of cybersecurity risk and management strategies so that casino empires don’t gamble with our personal information.