Tribal Gaming Regulator Chides Caesars, MGM on Ransomware Attacks

Posted on: September 27, 2023, 04:15h. 

Last updated on: September 28, 2023, 02:03h.

In what appears to be a clear instance of kicking them while they’re down, the National Indian Gaming Commission (NIGC) recently took some shots at Caesars Entertainment and MGM Resorts International. The jibes concerned recent ransomware attacks on those commercial operators.

The National Indian Gaming Commission (NIGC) logo. The group boasted of strong cybersecurity protocols. (Image: NIGC)

The Washington, DC-based NIGC, which is a federal regulatory agency under the purview of the Department of the Interior, believes its “defense in depth” approach to cybersecurity, while not infallible, is superior to what rival commercial operators deploy.

“(NIGC utilizes) a progression of layered defensive mechanisms to safeguard data, information, and information systems,” according to a statement recently issued by the commission.

Caesars and MGM recently endured ransomware attacks at the hands of a group known as “Scattered Spider.” In a recent regulatory filing, Caesars acknowledged paying an undisclosed sum, covered by an insurance provider, to end the attack. MGM took a different approach that resulted in its employees and guests throughout the U.S. enduring 10 days of chaos.

NIGC Right on Some Issues

In the statement, the NIGC highlighted its three-prong approach to cybersecurity, including an emphasis on administrative, physical, and technical controls.

When it comes to cybersecurity, regardless of industry or organization, an ounce of prevention can be worth a pound of cure, and on that note, MGM’s vulnerabilities were known prior to the recent attack. Gaming operators are prime targets for cybercriminals because the companies are stewards of massive amounts of sensitive customer data, including contact and financial information, Social Security numbers, and the like.

“Cyber-related attacks impact organizations, big and small, have increased in recent years, and are not going away,” added the NIGC. “To significantly reduce risk to IT systems, it is prudent for organizations to employ a layered, redundant approach to cybersecurity.”

There could be value in commercial operators following the cybersecurity approaches deployed by tribal rivals. After all, cybersecurity companies want to generate revenue, and they’re not likely to keep a product or service away from a firm simply because it’s a competitor to an existing client.

NIGC Might Want to Consider More Tact

The NIGC is entitled to its “victory lap” in the wake of the ransomware attacks on two of its members’ largest commercial rivals. But the commission might want to consider the virtues of grace in this situation.

To date, there hasn’t been a reported large-scale cyber attack on tribal gaming entities. But Native American casinos generated nearly $41 billion in revenue last year, a number large enough to entice bad cyber actors who don’t play “favorites” when selecting targets.

Additionally, ransomware attacks are increasing in frequency, and the technology used by perpetrators is becoming increasingly sophisticated. That makes it difficult for even highly advanced cybersecurity software to bat 1.000 against hackers.