Technological advancements have improved the ways that companies collect, transfer, and process data within and between organizations, creating markets that are largely reliant on internet infrastructure for their day-to-day operations. While these technological advancements have increased the speed at which business is conducted and improved efficiency and economies of scale, this convenience can often come at the cost of cybersecurity. Hackers are constantly testing the defenses protecting corporate data, as evidenced by the explosive recent growth in the number of cyberattacks.
Many boards are already adapting to promote risk oversight that includes cybersecurity threats. There has been a significant increase in disclosure of companies’ and boards’ approaches to cybersecurity following the introduction of new SEC rules in July 2023. Those rules require disclosure of material cybersecurity incidents within four days, as well as a discussion of the role of management and the board’s committees in overseeing cybersecurity matters to be included in annual reports.
We found that approximately 74% of companies in the Russell 3000 index have taken the additional step of codifying oversight of cybersecurity at the full board level or with a board committee in their governing documents or committee charters. We view management and board oversight of cybersecurity as an essential component of a company’s preparedness for cyberattacks and expect that companies will continue to improve best practices for oversight and disclosure as attention to cybersecurity issues grows more widespread.
Case Study: MGM Resorts International (MGM)
On September 12, 2023, MGM disclosed that the company “had recently identified a cybersecurity issue affecting certain of the Company’s U.S. systems,” predominantly at its Las Vegas resorts. Hackers gained access to MGM’s private data by gathering the information of a company employee from a public LinkedIn profile, then using that information to impersonate the employee while requesting administrative login assistance.
This type of social engineering scheme has grown increasingly popular among hacker groups in recent years. It is effective because it lets attackers exploit the human safeguards around system access, such as help-desk account recovery, rather than bypass the more sophisticated technical defenses that companies employ, such as firewalls or data encryption.
The company disclosed that it had shut down its systems upon learning of the incident, leading to disruptions at its Las Vegas properties and for website bookings. However, some of its customers’ information was breached in the cyberattack before MGM’s systems went offline. Compromised information included certain customers’ names and contact information, dates of birth, and driver’s license numbers, though MGM said that credit card and bank information remained secure.
The company estimated that costs related to the incident were approximately $100 million in lost hotel and casino revenues, and a federal judge recently approved a preliminary settlement of $45 million over a class action lawsuit against MGM over data breaches in 2019 and the 2023 cyberattack.
Company Response
MGM issued a statement the day after the incident disclosing that the company was working alongside the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to remediate the incident. Additionally, the company stated that it had retained cybersecurity experts and technology consultants to assist in the remediation process. Prior to the incident, MGM had received a threat advisory from Okta, an access management software company, warning that hackers had used similar social engineering tactics to gain access to other companies’ networks. Nevertheless, hackers were able to collect, encrypt, and ransom MGM customer data.
The hackers demanded $30 million for the stolen data, but MGM chose to ignore the ransom demand and instead rebuild its compromised systems from data backups. The company’s decision allowed customers to resume using hotel and casino facilities within around a week and aligns with FBI guidance, which advises companies not to comply with ransomware demands. The systems shutdown lasted 10 days in total.
In reviewing a company’s response to a cybersecurity incident, we expect a level of responsiveness and remediation that is commensurate with the impact of the incident. MGM provided timely communication to shareholders, was able to resume normal operations within a relatively short time frame, and limited the impact of the incident to low-stakes data such as names and phone numbers.
While MGM was unable to defend itself against the social engineering scheme that led to its cybersecurity incident, we note that public companies face and defend against cyber threats on a frequent basis, and the incident does not appear to be the result of a particular failure of MGM’s cybersecurity framework.
In its 2023 annual report, MGM states that its audit committee and its chief information security officer (CISO) oversee its enterprise risk management process. This process is audited annually, with emphasis on aligning the company’s framework with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, as well as with Privacy and Payment Card Industry (“PCI”) controls. These standards provide compliant companies with best practices for cybersecurity and payments processing, respectively. In its discussion of the role of management in overseeing cybersecurity risk, MGM states that its CISO reviews the company’s cybersecurity controls and lists a series of relevant certifications and qualifications that its CISO possesses.
We view a company’s adherence to established standards and best practices as a favorable component of cybersecurity oversight. In arriving at our recommendation that shareholders vote in favor of the members of MGM’s audit committee, we considered the company’s above-average level of disclosure, specifically around the frequency of its internal and external audits, the qualifications of its CISO, and the standards with which the company aligns its cybersecurity framework.
Conclusion
Public companies are frequently the target of cyberattacks and cannot reasonably prevent all of the attacks they face. Furthermore, companies experience many different types of cyberattacks depending on their industry and the sensitivity of data they handle.
While many attacks are repelled, can be characterized as routine, or are primarily motivated by the payment of a data ransom, others are carried out by nation-state threat actors and can carry serious implications for national security, depending on the sensitivity of the data the company handles. In the corporate world, companies’ responses to cybersecurity incidents vary widely and are therefore best evaluated on a case-by-case basis. Various stakeholders may be increasingly concerned that boards have overburdened their audit committees, as boards often delegate risk oversight to these committees by broadening their definitions of enterprise risk to include oversight of technological developments, such as cybersecurity.
Boards should provide for proper audit committee refreshment and training so that committee members possess the skills and knowledge necessary to oversee the cybersecurity risks their companies face. Having observed a sharp uptick in cyberattacks in recent years, we expect boards to continue to grapple with the appropriate structures for cybersecurity risk oversight and with how to respond appropriately to cyberattacks.