Image via MIT Sloan Management Review
In today’s digital age, cyber-attacks are no longer just about data breaches.
Recent events have shown a shift in the narrative, with cyber attackers targeting key business processes and disrupting operations.
High-profile companies such as MGM Resorts, Caesars Entertainment, Clorox, and Johnson Controls have found themselves in recent headlines, not just for data compromises but for extended operational interruptions due to cyber attacks.
Some even cite the events as material in preparation for SEC’s Rule on Cyber Risk Management, Governance, and Material Incident Disclosure going into effect later this year on December 15th.
In this whitepaper, we will explore each attack, identify commonalities in both the hackers’ approach and the impact on business, and offer actionable strategies on how to develop a comprehensive business resilience and risk management framework, directly addressing the concerns and challenges leadership faces in today’s rapidly evolving digital and threat landscape.
MGM Resorts: The Devastation of “Corporate Terrorism”
MGM Resorts’ cyber attack wasn’t just about data; it was about disrupting operations.
What Happened?
On September 11, 2023, MGM announced a cybersecurity issue after being infected with ransomware. Hacker group “Scattered Spider” claims they gained access to MGM’s systems after impersonating an employee at their IT help desk using details from Linkedin to gain credentials. MGM Resorts faced major technology outages after refusing to pay the ransom and announced normal operations again on September 20th.
On October 5th, MGM announced data had been breached for an undisclosed amount of customers, including names, contact information, gender, date of birth, driver’s license, passport, and Social Security numbers.
What Was The Financial Impact?
MGM has cited losing $100 million dollars in earnings for Q3 2023 as well as $10 million in expenses for risk remediation, legal fees, third-party advisory, and incident response measures. MGM also faces an ongoing class action lawsuit.
What Was The Response?
Bill Hornbuckle, the CEO of MGM Resorts, described their recent cyber attack as “corporate terrorism at its finest.”This wasn’t just a data breach; it was a socially engineered attack that wreaked havoc on MGM’s operations for weeks.
How Did This Impact Critical Business Operations?
This attack first came into the spotlight due to its catastrophic business impact, while breached data was only reported on weeks later. MGM was not able to operate numerous systems, including hotel check-in systems, telephones, point of sale systems, slot machines, casino cashout systems, and even digital hotel room keys.
MGM reverted back to manual mode, losing weeks of productivity issuing physical room keys, manually checking in customers, manually writing payout slips at the casino, and refusing credit cards at most resort establishments for days. MGM had to take to social media to ensure the resort remained open.
This loss of key operations made this attack notable and potentially material as MGM filed an 8-K disclosure with the SEC.
Caesars Entertainment: The Dilemma of Ransom Payments
Caesars Entertainment’s cyber attack wasn’t just about data; it was about disrupting operations.
What Happened?
Caesars Entertainment also suffered a major cyber attack perpetrated by “Scattered Spider,” again using the social engineering of a third-party IT help desk. Attackers were able to download the personal records of over 65 million loyalty members and held Caesars at ransom after detection.
What Was The Financial Impact?
Caesars has already paid millions of dollars of losses first through ransom, where they reportedly paid $15 million to relinquish their data from the hackers. They have also posted remediation costs to victims, including identity protection services that include two years of credit and dark web monitoring to help detect any misuse of information, as well as a $1,000,000 insurance reimbursement policy. Caesars also faces an ongoing class action lawsuit.
What Was The Response?
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate, and investigate this matter.” – excerpt from Caesars Entertainment SEC Filing.
How Did This Impact Critical Business Operations?
The SEC’s recent guidelines on disclosures for “material” events have put companies in a challenging position. Caesars chose to pay ransom to avoid system shutdown and loss of critical operations. Caesars now incurs the loss of ransom as well as the financial impacts surrounding a major data breach but is projected to lose significantly less than the similar MGM Resorts attack.
Join Thousands of Weekly Readers
Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.
Clorox: The Ripple Effect of Operational Disruption
Clorox’s cyber attack wasn’t just about data; it was about disrupting operations.
What Happened?
On August 14th, Clorox disclosed they had detected unauthorized activity in their IT infrastructure that was causing disruption across business operations. Clorox followed up on September 18th, stating that the hack was contained, but they were still suffering from slower production and product availability issues. There was no reported data breach with this incident.
What Was The Financial Impact?
Clorox Co. announced preliminary financial information for Q1 2024. Net sales are expected to decrease between about $487 million and $593 million. Clorox expects operational impacts from the cyberattack to continue into Q2 and continues to assess the impacts of the attack on the remainder of FY 2024. Clorox stock prices have dropped over 20% since the announcement of the incident.
What Was The Response?
“The now-contained cyberattack had brought wide-scale disruption of Clorox’s operations, including order processing delays and significant product outages.” – Clorox Statement.
How Did This Impact Critical Business Operations?
Clorox faced significant operational challenges during the incident, having to resort to manually fulfilling orders, leading to processing delays and product outages. The attack had a cascading effect on Clorox’s supply chain, affecting retailer inventories and potentially leading to market share losses.
Johnson Controls: Beyond Financial Implications to National Security
Johnson Controls International’s cyber attack wasn’t just about data; it was about disrupting operations.
What Happened?
Johnson Controls International (JCI), a manufacturer of industrial control systems, suffered a ransomware attack that encrypted 27 terabytes of data on many of the company devices, including VMware ESXi servers, with impacts on the company’s and its subsidiaries’ operations. The attack was perpetrated by a ransomware gang, Dark Angels after they gained access by hacking systems in their Asia office. This attack could have implications for national security as they are a government contractor that services the Department of Homeland Security.
What Was The Financial Impact?
JCI is assessing whether the incident will impact its ability to release its fourth quarter and full fiscal year results, as well as the impact on its financial results.
What Was The Response?
“To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations. “ – excerpt from JCI 8-K SEC filing.
How Did This Impact Critical Business Operations?
While JCI claims many applications remained operational, the attack impacted not only their infrastructure but many of their subsidiaries that experienced application outages worldwide, including York, Simplex, and Ruskin. This attack underscores the expanding cyber threat landscape.
As companies integrate digital technologies into their core operations, the attack surface broadens, encompassing non-traditional IT assets and even extending to national security apparatus.
Organizations need to accept the evolving nature of cyber threats and focus on the importance of understanding and managing these risks to safeguard both business operations and national security.
Managing Cyber Risk to Reduce Business Impact
Amidst all this mayhem, most organizations are still focusing on protecting individual technologies, which, over the years, have not proven to be effective, and these recent attacks bear a good testament to this fact.
To create successful defenses against cyber attacks and pre-empt escalating situations, it is important to understand the criminal mindset – which has lately been to make money by taking over critical business operations so that organizations are crippled and are obligated to give in to criminals’ demands.
Today, a shift in perspective toward cyber risk is key to thwarting potential targeted attacks. Here, we delve deeper into understanding this shift and strategies that can help organizations manage cyber risks effectively.
1. Inventory Key Business Processes and Assets to Understand Material Risks
Before an organization can defend itself, it must understand what it is defending. As Thomas Parenty, author of HBR’s A Leader’s Guide to Cybersecurity, says, “You cannot protect if you don’t know how it works?.” Understanding critical business processes and associated assets and understanding the business’ risk threshold is the first step in building a robust cyber defense strategy.
It is absolutely imperative that organizations are in a position to answer the following:
- Do we have visibility into all the critical business processes and supporting assets, which, if disrupted, can hold our firm hostage?
- What is the business’ risk threshold – How much loss in dollars and downtime is acceptable to the business for critical processes?
- What cyber risks associated with critical business processes, does the business really care about?
- Do we understand the business impact of a cyber risk materializing?
- How do we validate with leadership what is critical regarding financial and reputational impacts?
2. Strategically Implement Mitigation Measures
Once you’ve identified key assets and processes, the next step is implementing measures to protect them. While strategically implementing technical measures and best practices layer by layer is pertinent, organizations need to keep in mind the following questions when building a cyber program to defend themselves:
- Is our cyber program currently reducing critical risks identified by the business?
- How can we ensure our cyber security program plan is aligned with business risks?
3. Plan Cyber Initiatives with the Goal to Reduce Material Risk to the Business
Cybersecurity is not just an IT issue; it’s a business issue. Therefore, cyber initiatives should align with business objectives. A cyber initiative without a clear business goal is like a ship without a rudder. It might look impressive, but it’s not going to get you where you need to go.
Organizations need to follow through with the following considerations while planning their cyber initiatives:
- How do we prioritize our cyber investments to meet business needs?
- Where can we get the maximum reduction in enterprise risk with the least investment?
- How do we get buy-in and budget from management for the initiatives we are planning?
- What additional investments are needed to keep the organization secure?
Join Thousands of Weekly Readers
Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.
Conclusion
Recent cyber incidents at MGM Resorts, Caesars Entertainment, and others are not just cautionary tales but pivotal moments in the digital transformation journey. For organizations, it’s not just about defense anymore; it’s about resilience.
Transitioning from mere defenders and technologists, it’s time to evolve into strategists and collaborators. By partnering with businesses and sharing knowledge across sectors, understanding the intricacies of business operations, pinpointing what’s critical, and safeguarding those processes is paramount for a holistic business-driven cyber risk solution.
With cyber as a catalyst for sustainable growth, businesses are empowered to take calculated risks, expand to new markets, and harness the full potential of the digital age while protecting their high-value assets and reputation.
If you’re ready to evolve your cyber program into an enabler for your business to grow securely, check out our latest solution: Business-Led Cyber Risk Governance.
Written by: Priti Patil & Katie Reilly
One Response
Very well done, Vishal!