MGM: casino hack shows investors need to think more about cyber security risks

Receive free Lex updates

We’ll send you a myFT Daily Digest email rounding up the latest Lex news every morning.

Tying executive pay to performance on social and environmental goals is an increasingly common practice among big US companies. Is it time to add cyber security into the mix? It is a question that investors should ask as cyber attacks occur with increasing frequency and severity.

Casino operators MGM Resorts and Caesars Entertainment are the latest high-profile victims.

MGM, the biggest hotel casino operator on the Las Vegas Strip, suffered widespread disruptions across its properties this week after a cyber security breach forced it to shut down large parts of its internal networks. Slot machines and digital hotel room keys stopped working. Online reservations and credit card systems failed. 

Then on Thursday, Caesars revealed it had been the target of a cyber attack this summer. Hackers accessed information including driver’s license numbers and possibly social security numbers for a “significant number of members” in its loyalty programme.

The full extent of the breaches is unknown. Caesars has reportedly paid a $15mn ransom to the hackers. Moody’s deemed the breach at MGM a “credit negative” for the company. It said it may suffer lost revenue and remediation costs. This week at least the damage to their respective market values has been limited, with falls of less than 5 per cent.

Even so, the inclusion of cyber security performance metrics in incentive plans has gained some credibility. Nine Fortune 100 companies did so last year, according to an analysis of proxy statements and Form 10-K filings by EY. That compares with zero in 2018.

The issue has become serious enough that regulators have stepped up disclosure requirements for cyber security breaches. America’s litigious culture does not help. Hacks can end up costing companies dearly. Credit ratings company Equifax has spent at least $1.4bn to settle consumer and state lawsuits, and made technology upgrades following a massive data breach in 2017. Company boards should take note.