MGM Must Disclose Ransomware Demand if it Pays One

As of late Monday, MGM Resorts International (NYSE: MGM) is still grappling with the effects of what appears to be a large-scale cybersecurity breach.

MGM hack
If MGM faces a ransomware demand and pays it, that must be disclosed to investors, per SEC rules. (Image: Shutterstock.com)

Should it become clear that the perpetrators made a ransom demand — a common tactic in cybercrime — and that the demand was paid by the gaming company, the casino operator would be under regulatory obligation to disclose to investors such an expenditure.

Currently, there is speculation regarding a ransom demand, but MGM hasn’t publicly confirmed as much. Casino.org reached out to the Bellagio operator on the matter but didn’t receive comment before publication of this article.

Guidelines recently established by the Securities and Exchange Commission (SEC) hold that publicly traded firms, of which MGM is one, must make disclosures regarding material information pertaining to cybersecurity risk management, strategy, and governance.

Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler in July statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Media chatter surfaced Monday afternoon that MGM has been in contact with the FBI, but it’s not clear if that’s due to ransom demand nor has the company confirmed it’s working with federal law enforcement agencies.

Why SEC Rules Matter

Broadly speaking, Monday was a rough day for gaming equities as market participants mulled the specter of a slowdown in consumer spending weighing on casino stocks. However, MGM was one of the worst performers in the group, sliding 2.38% on above-average volume on news of the data breach.

That puts the gaming stock in an extensive group of companies, including Capital One Financial (NYSE: COF), Equifax (NYSE: EFX) and Sony (NYSE: SNE), among others, that have experienced share price declines on the back of negative cybersecurity headlines.

Those examples and many more equivalents have accrued over the years, and that’s compelled the SEC to require public companies to share the costs of adverse cyber events with shareholders.

“An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material,” added the commission. “The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”

Companies Have Paid to Halt Ransomware Attacks

To reiterate, it’s unclear whether or not MGM is dealing with a ransomware issue — a cyberattack where the perpetrators demand financial compensation. However, while the US government doesn’t negotiate with terrorists, corporations and other entities do pay ransomware criminals to relent.

“Ransomware attacks spiked exponentially through 2021, increasing by 350% since 2018. The number of times firms paid settlement fees also increased by over 100%, and downtime incidents rose 200% through 2021,” according to cybersecurity provider Fortinet.

Examples of corporations and other large entities that have paid ransomware demands in recent years include insurance provider CNA Financial, Colonial Pipeline and the University of California San Francisco (UCSF).

Todd Shriber
Todd Shriber Financial Reporter

Todd Shriber is a senior news reporter covering gaming financials, casino business, stocks, and mergers and acquisitions for Casino.org.

Todd got his start in financial markets as a reporter with Bloomberg News. Later, he became a trader at a Southern California-based long/short hedge fund, where he specialized in the trading sector and international ETFs leading up to and during the financial crisis. He joined Casino.org in 2019.

Currently, Todd analyzes, researches, and writes on ETFs for various web-based publications and financial services firms. Shriber has been featured and quoted in Barron's, CNBC.com, and The Wall Street Journal. His work can also be found on Benzinga, ETF Daily News, ETF Trends, MarketWatch, Fox Business, and Nasdaq.com.

He currently resides in Las Vegas, where he enjoys golf and taking his black lab to the dog park. He's also an avid sports fan and likes to wager on college football and the NBA. You can also find him at the three-card poker and roulette table, even though he knows better.

Contact Todd at todd.shriber@casino.org.

Comments icon

Conversation (0)

+ Add a comment

Be the first to comment on this article.

Write a comment

Your email address will not be published.