MGM Must Disclose Ransomware Demand if it Pays One

Posted on: September 11, 2023, 08:28h. 

Last updated on: September 12, 2023, 07:49h.

As of late Monday, MGM Resorts International (NYSE: MGM) is still grappling with the effects of what appears to be a large-scale cybersecurity breach.

If MGM faces a ransomware demand and pays it, that must be disclosed to investors, per SEC rules. (Image: Shutterstock.com)

Should it become clear that the perpetrators made a ransom demand — a common tactic in cybercrime — and that the gaming company paid it, the casino operator would be under a regulatory obligation to disclose that expenditure to investors.

Currently, there is speculation regarding a ransom demand, but MGM hasn’t publicly confirmed as much. Casino.org reached out to the Bellagio operator on the matter but didn’t receive comment before publication of this article.

Guidelines recently established by the Securities and Exchange Commission (SEC) hold that publicly traded firms, of which MGM is one, must make disclosures regarding material information pertaining to cybersecurity risk management, strategy, and governance.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler in a July statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Media chatter surfaced Monday afternoon that MGM has been in contact with the FBI, but it’s not clear if that’s due to a ransom demand, nor has the company confirmed it’s working with federal law enforcement agencies.

Why SEC Rules Matter

Broadly speaking, Monday was a rough day for gaming equities as market participants mulled the specter of a slowdown in consumer spending weighing on casino stocks. However, MGM was one of the worst performers in the group, sliding 2.38% on above-average volume on news of the data breach.

That puts the gaming stock in an extensive group of companies, including Capital One Financial (NYSE: COF), Equifax (NYSE: EFX) and Sony (NYSE: SNE), among others, that have experienced share price declines on the back of negative cybersecurity headlines.

Those examples and many more equivalents have accrued over the years, and that’s compelled the SEC to require public companies to share the costs of adverse cyber events with shareholders.

“An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material,” added the commission. “The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”

Companies Have Paid to Halt Ransomware Attacks

To reiterate, it’s unclear whether or not MGM is dealing with a ransomware issue — a cyberattack where the perpetrators demand financial compensation. However, while the US government doesn’t negotiate with terrorists, corporations and other entities do pay ransomware criminals to relent.

“Ransomware attacks spiked exponentially through 2021, increasing by 350% since 2018. The number of times firms paid settlement fees also increased by over 100%, and downtime incidents rose 200% through 2021,” according to cybersecurity provider Fortinet.

Examples of corporations and other large entities that have paid ransomware demands in recent years include insurance provider CNA Financial, Colonial Pipeline and the University of California San Francisco (UCSF).