15 Nov Follow the lecture on Week 13 to create and organize your research notes #1, #2, and #3 into an outline format.  You DO NOT need to furnish the full paragraphs for the writing but if

,

Evaluation of MGM Cybersecurity Breach Exposures

How complete was the disclosure? What aspects of the breach were disclosed (Threat – threat agent – vulnerability – actual breach – discovery – investigation – impact – remediation)?

On October 5, 2023, MGM Resorts filed the details of the recently concluded cyberattack on MGM data collection and management systems. The company claimed that hackers had managed to access customer's personal information, including their names, contact information, gender, dates of birth, driver's license numbers, social security numbers, and passport details. However, the hackers are unlikely to have gained access to customer security passwords and payment details. MGM Resorts was unclear about the number of affected users in the recently concluded cyberattack.

How timely was the disclosure? Did it provide adequate time references for evaluation (report, discovery, investigation, and remediation lag)?

The details provided by MGM Resorts in their fillings confirmed that the company systems were breached by a cyberattack leading to stealing customer's personal information. The extent of damages in terms of stealing personal data was reported, and the likely repercussions of economic losses due to the disruption of services were estimated to be more than $100 million in the context of lost earnings.

Did management involve themselves in the disclosure? (signature of C-suite executives)

Yes, as the filings submitted by MGM Resorts on October 5, 2023, were signed by Jessica Cunningham, Vice President, Legal Counsel, and Assistant Secretary of MGM Resorts. MGM Resorts management actively dealt with the impact of cyberattacks and decisions related

to the normalization of services provided by the company. The company had reportedly spent around $10 million in one-time expenses related to the recovery activities from the cyberattack (Page & Whittaker, 2023). MGM Resort management had decided not to pay ransom to the hacker group. It deemed the company's cybersecurity insurance sufficient to meet the economic impact of the recent cyberattacks.

,

Threat

Threat refers to the risks or losses resulting from a cyberattack. In the MGM security breach, the loss of customers' personal information, including their names, contact information, gender, dates of birth, and driver's license numbers, can be considered a threat in the given context. Also, the suspension of MGM Resort services, which included disruptions to MGM Resorts and the closing down of ATM services and online booking systems, led to an estimated loss of $100 million to MGM Resorts (Page & Whittaker, 2023).

Threat Agent

          A threat agent is a person, entity, or actor that carries out the cyberattack. Hackers from the ALPHV subgroup Scattered Spider claimed the September 11 large-scale cyberattack on MGM Resorts. The hackers claimed in their message, "If you have money, we want it."

Vulnerability

          Vulnerability refers to the weakness hackers exploit to get into the system to employ the cyberattack. As per the claims made by hackers from the ALPHV subgroup Scattered Spider, the group found a LinkedIn profile of an MGM employee and employed social engineering techniques to compromise MGM Resorts Cybersecurity systems (Page & Whittaker, 2023). The hacker group used the details collected from employees' LinkedIn to access their accounts by calling MGM's help desk.

Discovery

          The recent cyberattack was discovered after the manifestation of large-scale service disruptions experienced by customers of MGM Resorts beginning on September 11, 2023. The company officially acknowledged the occurrence of a cyberattack in its filing with the SEC on October 5, 2023.

Investigation

          Internal investigations by MGM Resorts revealed that no customer passwords or payment details were likely to have been captured in the cyberattacks. The hackers were able to gain access to the personal information of customers, including their names, contact information, gender, dates of birth, and driver's license (Page & Whittaker, 2023). MGM Resort also reported that the hackers may have accessed the social security numbers and passport details. The investigations also revealed that the number of affected customers was yet to be determined.

Impact Assessment

MGM Resorts also reported that the recent cyberattack may result in losses of an estimated $100 million in terms of loss of earnings and an estimated one-time expense of $10 million in cyberattack-related activities. Customers reported service disruptions, including accessing ATM services, Casinos, and online booking systems days after the discovery of cyberattacks.

Remediation

          MGM Resort management reported that the company's cybersecurity insurance policy options were sufficient for making up the losses incurred due to the recently concluded cyberattack on company systems.

,

8

Research Workshop #3

In cybersecurity governance and event reporting, the MGM Resorts 2023 security breach is a crucial example. The issue is examined from the perspective of internal audit in this research note, which highlights essential elements such as board accountability, risk management, management involvement, reporting frameworks, cybersecurity awareness, and incident response plans (Mohana Krishnan et al., 2023). Given its extensive financial impact, this breach emphasizes the need for proactive risk management approaches and the importance of strong cybersecurity governance. Furthermore, the particulars of this incident are explored, and the critical responsibilities that different stakeholders, including board members, management, and internal audit, play in preventing and addressing cybersecurity threats of this nature are examined.

Board Responsibility

Effective response systems and cybersecurity governance are major responsibilities of the board of directors. Regarding the security breach at MGM Resorts, the board needs to have adhered to the following obligations:

Set the Tone

Establishing the tone meant cultivating a cybersecurity-aware culture that emphasized how vital it is to protect consumer data and follow industry rules. This fundamental step reinforced the organization's commitment to data security and regulatory compliance by highlighting the necessity for vigilance and compliance in the face of emerging cyber threats. 

Oversight of Risk Management

The board exhibited proactive supervision by assessing and approving the company's risk management plan. Given the significant estimated losses of $100 million caused by this attack, the board's ability to comprehend the possible ramifications of future cybersecurity breaches was made possible by this all-encompassing strategy, which was crucial. This inspection made sure that the organization's attempts to mitigate risk matched its larger goals for business.

Resource Allocation

Assuring that vital resources were set aside to support cybersecurity measures, the board was instrumental in determining how best to allocate resources. To strengthen the organization's cybersecurity defences, funds must be set aside for staff training and the purchase of cutting-edge security equipment. Sufficient money was essential to building an efficient defensive mechanism against cyberattacks and guaranteeing that the company had the personnel and equipment to safeguard confidential information and lessen any dangers.

Regular Reporting

The board established a system for frequent reporting, requiring management to provide regular reports on the state of the organization's cybersecurity. These reports included details on new threats, security incidents, and the general effectiveness of the cybersecurity program. This procedure guaranteed openness and informed the board, allowing prompt revisions to the organization's cybersecurity plan.

Legal and Regulatory Compliance

In cybersecurity governance, putting legal and regulatory compliance first is essential. It includes ensuring the company complies with cybersecurity standards set forth by regulatory agencies like the SEC. Significant incidents must be reported promptly in accordance with these requirements. Compliance reduces possible legal risks and financial fines by guaranteeing that the company stays within the bounds of the law. Also, it shows a dedication to openness and responsibility, both essential for preserving stakeholder confidence and limiting harm to one's reputation in the case of a cyberattack.

Risk Management

Many important assets were in danger in the context of the MGM Resorts security incident. Confidential client data such as addresses, telephone numbers, names, sex, dates of birth, driver's license numbers, social security identities, and passport information were among them. The breach also put the organization's credibility and reputation at risk. Future attacks could have a significant impact because the breach resulted in an estimated loss of over $100 million in earnings, highlighting the financial vulnerability (Childs, 2023). In order to mitigate these risks, the organization needs to create a clear incident response plan, invest in strong cybersecurity systems, and build thorough risk mitigation methods.

Potential Impact Analysis

Future cybersecurity incidents could have a wide range of possible effects and could significantly influence an organization. These effects include factors related to finances, operations, and reputation. Incidents may cause large financial losses due to direct event response and recovery expenditures, legal obligations, and regulatory fines. Downtime brought on by operational hiccups can impact customer satisfaction and service delivery. Furthermore, hacked consumer data can undermine confidence and harm the company's image. Strong risk management and incident response plans are essential since the scope and form of these effects might change based on the type and severity of the incident.

Risk Handling Strategies

Using efficient risk management techniques is essential to controlling the possible effects of cybersecurity events. These tactics could consist of the following:

Risk Mitigation:

Proactive steps are taken to lessen the possibility and effect of cybersecurity events as part of risk mitigation. To bolster an organization's defences against potential threats and vulnerabilities includes implementing stronger security controls, regular patch management, and access limits.

Risk Transfer:

Transferring part of the financial burden of cybersecurity incidents to an insurance provider is known as risk transfer (Childs, 2023). Organizations acquire cybersecurity insurance plans to protect against potential losses, such as incident response expenses, fines from regulatory bodies, and legal obligations. The financial impact of security breaches is lessened with this tactic.

Risk Acceptance: 

This refers to the organization recognising that some risks are unavoidable and deciding to forgo further resources to reduce or eliminate them. It is frequently used when a risk has little probability or impact, and the expense of mitigating it could be more than the risk's possible outcomes. The risk tolerance of an organization is in line with this approach.

Incident Response Planning: 

Creating an organized, well-documented strategy for handling and lessening the effects of cybersecurity incidents is known as incident response planning. It describes the actions and protocols that must be taken in the event of an incident, including incident identification, containment, eradication, recovery, and lessons gained (Childs, 2023). A well-thought-out plan is necessary for prompt and efficient incident handling.

Management Involvement

Organizational leadership must take a proactive approach to managing cybersecurity. In this context, the roles of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) are crucial. To ensure that the company's computer networks and technological infrastructure comply with cybersecurity regulations and processes, the CIO monitors them. The planning and execution of cybersecurity, comprising risk evaluations and safety measures, is the purview of the chief information security officer (CISO). They collaborate to preserve a strong cybersecurity posture. They are responsible for creating and enforcing cybersecurity policies, putting technological controls in place, performing frequent risk analyses, and ensuring the company is prepared for cyberattacks. Their close interaction and frequent board reports guarantee that the leadership is knowledgeable about cybersecurity issues, encouraging a proactive and strong approach to incident prevention.

Reporting Structure

For cybersecurity incident management to be effective, the organization must establish a clearly defined reporting system. It entails defining escalation protocols and assigning particular people or groups as points of contact for incident reporting. When an incident happens, this structure makes incident reporting easier and guarantees that the appropriate people are notified right away (Hendrix, 2023). Well-defined reporting pathways facilitate efficient detection, evaluation, and reaction. This reduces the possible consequences of cybersecurity incidents and strengthens the organization's ability to withstand changing threats.

Cybersecurity Awareness

Encouraging cybersecurity awareness among all staff members is essential to constructing a strong defence against constantly changing threats. This means putting in place extensive training and educational initiatives. Through such activities, the organization hopes to instil a sense of awareness regarding the crucial relevance of cybersecurity in protecting customer data and reputation. Workers are essential in seeing and thwarting possible attacks, especially regarding social engineering tactics like phishing. Organizations may help create a safer digital environment by empowering their teams to act as a collective shield against cybersecurity risks through workforce education and awareness-raising.

Incident Response Preparation

An essential part of cybersecurity readiness is incident response planning. It entails drafting and revising a comprehensive plan that specifies the actions to take in order to manage and lessen the effects of cybersecurity events efficiently. This plan covers threat identification, incident containment, threat eradication, affected system recovery, and post-event analysis to enhance response tactics. Regularly holding incident response drills and exercises enables staff members to become acquainted with their duties and obligations in case of a security breach. The organization's incident response capabilities must be continuously improved, which requires recording and evaluating these drills. Thanks to a well-prepared incident response strategy, the organization can react quickly and efficiently when cybersecurity events arise.

Conclusion

In conclusion, the security compromise at MGM Resorts highlights the importance of proactive cybersecurity governance and incident response plans. Organizations can strengthen their cybersecurity posture and guarantee compliance with external requirements like those imposed by the SEC by implementing various measures, including board responsibility, risk management, management involvement, reporting structure, cybersecurity awareness, and incident response planning. Organizations need internal audit assistance in these efforts because it fosters security and resilience against the ever-growing threat of cyberattacks. Businesses aiming to improve their cybersecurity procedures might benefit greatly from the lessons this hack taught us.

References

Childs, D. (2023).  The Hospitality Curriculum Cybersecurity Education Shortfall: An Exploratory Study (Doctoral dissertation, Marymount University).

Hendrix, B. (2023). The effect of ISBs on publicly listed companies’ business performance.

MohanaKrishnan, M., Kumar, A. S., Talukdar, V., Saleh, O. S., Irawati, I. D., Latip, R., & Kaur, G. (2023). Artificial Intelligence in Cyber Security. In  Handbook of Research on Deep Learning Techniques for Cloud-Based Industrial