Casino Ransomware Attacks Could Stoke Higher Insurance Costs

Posted on: September 21, 2023, 03:58h. 

Last updated on: September 23, 2023, 09:26h.

Todd Shriber @etfgodfather Read More
Expertise: Financial, Gaming Business, Mergers and Acquisitions.

Following a recent ransomware attack, Caesars Entertainment (NASDAQ: CZR) announced in a regulatory filing that an unidentified insurance provider will cover the costs of a payment to cyber criminals. Analysts widely expect rival MGM Resorts International (NYSE: MGM) to soon make a similar proclamation. The bad news is that it could lead to high cyber insurance costs.

VICI S&P 500
MGM’s Excalibur on the Las Vegas Strip. That operator and rival Caesars Entertainment could see cyber insurance rates increase following ransomware attacks. (Image: YouTube)

Ransomware attacks — cyber infiltrations in which perpetrators make monetary demands — have surged in frequency in recent years. That spike has been accompanied by insurance carriers raising client rates, noted Guy Carpenter LLC.

After a wave of ransomware activities starting in 2019, cyber insurance companies responded swiftly with major price hikes, as evidenced by Guy Carpenter cyber client group’s average 183% cumulative rate increase since 2020,” according to the research firm.

One of Caesars’ insurance carriers is believed to have paid the hacking group “Scattered Spider” $15 million to $30 million. Separately, a sell-side analyst recently noted that MGM likely has a $200 million cyber insurance policy. That could cover all or most damages associated with the ransomware attack that the operator endured. Analysts expect the casino giants to be subject to higher cyber insurance costs in both cases.

Industries React to Casino Ransomware Attacks

While companies spend tens of billions of dollars annually on cybersecurity, the history of cyber attacks on corporate entities is often reactive more than proactive.

For example, evidence suggests that in the wake of the cyber breaches against Caesars and MGM, more gaming companies are reaching out to cybersecurity firms to take preventative steps. Likewise, insurance carriers are proving reactive in their own way by increasing rates as ransomware attacks and payments surge.

“Ransomware activity has escalated since the start of 2023, with ransom payments spiking to near the level of fourth quarter 2021,” added Guy Carpenter. “The recent headline-grabbing attacks on these Las Vegas casino resorts will again heighten the industry’s attention to the ongoing threat from ransomware groups. Resulting losses for many insurers participating in the MGM and Caesars cyber towers could also lead to a more cautious approach on pricing and terms.”

The research firm also pointed out that while Scattered Spider hit both Caesars and MGM using the same methodology known as social engineering, the insurance industry will likely classify the breaches as two distinct events, not a single catastrophe.

Predictable Response by Insurance Industry

It wouldn’t be surprising if insurers boost cyber insurance rates on Caesars, MGM, and other casino operators. As anyone at fault in an automotive accident knows, insurance companies often raise rates following a negative event.

There are also instances of insurance providers halting new policies following catastrophic events. For example, State Farm recently announced it will stop selling new homeowners insurance policies in California because of wildfire risk. Similar policies from various companies are increasingly pricey in hurricane-prone Florida.

For now, it appears unlikely that casino operators will see access to cyber insurance diminished. But the breaches at Caesars and MGM are reminders that being proactive is better than being reactive.

“While the cyber insurance industry confronts systemic risk through quantification and policy wording, insurers and insureds should view the Vegas attacks as garden-variety cybercrimes that are financially motivated,” concluded Guy Morris.