Well-known US Businesses are Recent Victims of Cyber Crime, including MGM, Caesars, and Clorox
Security managers at many US companies have been on high alert in recent weeks as they digested the news that normal business operations at several well-known brands owned by MGM Resorts International, Caesars Entertainment, and Clorox ground to a halt due to major cyber attacks on their IT infrastructure.
These attacks, which harken back to the shutdown of Colonial Pipeline in May 2021, left many MGM casino properties in Las Vegas unable to process online transactions (including hotel reservations). The attack slowed down MGM hotel and restaurant operations considerably as employees reverted to transactions using old-school pen and paper – using the telephone to call in credit card payments and paying casino slot machine winners in cash.
The cyber attacks on MGM and Caesars were reportedly conducted by hacker groups known as ALPHV and Scattered Spider, who claim they were able to steal six terabytes of information, including sensitive customer data such as driver’s license, credit card, and/or social security numbers.
(Caesars Entertainment reportedly made a ransom payment to the hackers to prevent their data from being publicly released.)
Clorox, the makers of a diverse range of consumer brands, including Clorox bleach products, Pine-Sol cleaner, and several leading cat litter products, announced its IT systems had been breached on August 14, 2023 – causing the company to take many internal IT systems offline. Over a month later, the company’s manufacturing operations are still operating at a much-reduced capacity, which will likely lead to ongoing product shortages at retailers.
Is the Problem of Cyber Attacks Bigger than We Think?
“This s*** is happening everywhere, and no one wants to talk about it!”
— Comment from a CFO at a Midwest manufacturer in the automotive and industrial machine sector
High-profile cyber attacks on brand name publicly traded companies make it to the news headlines, but what we don’t hear much about are the stories of small and medium privately held companies who incur high losses to cybercrime.
These attacks are often not only devastating financially, but they can also destroy years of hard work building up trust with customers and lines of credit with financial lending institutions.
So it’s understandable that many smaller privately held concerns elect not to disclose when a breach occurs (if they can get away with it). Instead, they discreetly pay off hackers after a ransomware attack, or bite the bullet and essentially pay a large invoice twice after an illicit phishing scheme, chalking it up as an expense of doing business in the hope of recovering their lost earnings over time.
New SEC Rules Mandate Public Companies Have Four Business Days to Disclose Material Cyber Breaches
SEC rules for disclosing cyber breaches changed on September 5, 2023 – at least for publicly traded companies and those LLCs and LLPs registered with the SEC for managing publicly traded financial instruments, such as brokerage houses, exchanges, and the like.
The new SEC rule, which goes into effect on December 15, gives publicly traded companies only four business days to file an 8-K form with the SEC that alerts investors about a cyber attack.
(The four days are calculated starting the day management becomes aware of a qualitative or quantitative material breach in their finances due to the attack.)
Although the new regulation has not gone into effect yet, Clorox did file an 8-K report on its cyber attack, which you can review here.
SEC observers had originally expected the new regulation would also include a provision that company boards would need to include at least one board member (or a hired expert) with cyber security expertise, but that was nixed from the final regulation, possibly due to pushback that there just aren’t enough qualified board member candidates with that level of experience to go around.
(If you are associated with a company board, the NACD Director’s Handbook on Cyber-Risk Oversight is a useful read to understand how to fulfill your role as a director or board member in the context of cybercrime.)
Can We Regulate Our Way out of this Cyber Crime Problem?
While advocates of transparency and full disclosure will applaud the new SEC regulations, those responsible for corporate regulatory compliance are sounding the alarm that businesses are having to comply with an ever-growing number of potentially overlapping cyber security rules issued by multiple regulatory regimes.
They have a point.
In March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which will give the Department of Homeland Security (DHS) oversight over cyber attacks related to infrastructure through its Cybersecurity & Infrastructure Security Agency (CISA).
On top of this, CISA is working with the FBI to investigate cyber crimes, which can be reported through the Internet Crime Complaint Center (IC3).
Meanwhile, in the Whitehouse, the new Office of the National Cyber Director (ONCD) has a mandate to coordinate cyber security issues between federal agencies.
But wait, there is more. The Federal Trade Commission (FTC) has its own data security safeguards rules meant to protect consumers from cyber theft, and the Transportation Security Administration (TSA) recently issued its own emergency cyber infrastructure rules covering airports and airline infrastructure.
And we haven’t even gotten to laws issued by individual states.
Illinois passed the Biometric Information Privacy Act (BIPA) in 2008 to protect personal identifiers such as biometric data. In California, legislators passed the California Consumer Privacy Act (CCPA) in 2018; two years later, state voters passed the California Privacy Rights Act (CPRA) ballot initiative, setting up the California Privacy Protection Agency to regulate personal data on the internet.
Those doing online business in Europe are no doubt aware of the draconian fines associated with violations of the General Data Protection Regulation (GDPR), which requires the company’s controller to give notice of any cyber security breach within 72 hours. (The EU has proposed another major regulation, known as the Digital Operational Resilience Act or DORA, which will go into effect in January 2025.)
Given the proliferation of rules, are we any safer?
It’s not clear yet.
But one piece of advice from compliance officers: identify the most stringent agency rules that apply to your business and start there first – this will help you get a leg up on regulations issued by other agencies.
Despite these Well Meaning Regulations, Could Entire Business Sectors Go Down in a Major Cyber Attack?
Given the recent history of cyber attacks, could things get worse?
Could cyber break-ins shut down major sectors of the country’s economy?
Could it shut down the economy of an entire country?
Unfortunately, it’s already happened; just ask Estonia.
In April 2007, the country’s electronic infrastructure came under attack, affecting the government, banking institutions, and the media. At the time, there was widespread suspicion this attack was spearheaded by Russian interests in retaliation for Estonia’s removal of a Soviet-era statue in its capital, Tallinn.
We probably haven’t seen the last of Russian cyber-retaliation.
Echoes of the Estonia attack were felt recently in Germany. Not long after Germany’s Rheinmetall, a $7 billion automotive parts manufacturer and defense contractor, announced it would be sending refurbished Dutch and Danish tanks to Ukraine, the company was hit with a major cyber attack by the so-called BlackBasta ransomware gang, an attack widely understood by industry insiders to be retaliation for its efforts to aid Ukraine.
Even if Your Business Recovers from a Cyber Attack Quickly, the Average Downtime is Significant
Business continuity is a real concern when it comes to cyber-attacks.
Larger companies with deep pockets will likely survive – but at a significant cost.
But smaller concerns may go under entirely if they can’t get back to earning revenue.
Analysts estimate that businesses hit with a cyber intrusion will have their operation significantly impacted for at least 30 days, but 60 days or even longer is not out of the question.
For example, according to industry insiders, Rheinmetall’s manufacturing operations have not fully recovered since the attack, even though it’s been about 6 months since the incident occurred.
Aside from dealing with the immediate aftermath of a security breach, experts recommend that you focus on maintaining payroll first, if you can. If your business records are locked out, have your bank pay your employees the same amount as their income before the attack. That way, your staff can continue working, allowing you to sort out the reconciliation details down the road.
Who is Getting Targeted by Cyber Crime, and What are the Attack Methods?
Fifteen years ago, distributed denial-of-service (DDoS) attacks (such as those directed against Estonia) were one of the most common forms of cyber attacks.
Today’s cybercriminals are different. Rather than publicly disrupting businesses, they are more focused on quietly extracting money from companies through either extortion or fraud.
Extortion in cyberattacks typically involves gaining control of something of value, such as a company’s internal databases (which prevents it from conducting normal business operations), or making copies of what’s known as “personally identifiable information” (PII), i.e. the private data of the company’s customers, such as social security and credit card numbers.
Compromised companies face a difficult choice; without access to their systems, they can’t operate. If customer data is compromised, the hackers could sell it on the black market and/or leave the company subject to devastating fines for violating consumers’ right to privacy (particularly if the company does business in Europe, where the onerous GDPR fines are based on a percentage of a company’s revenue).
Collectively, this type of extortion is called “ransomware,” a portmanteau of ransom and software, and many companies have to resort to paying the demands of criminals to regain access to their data.
The other type of cybercrime that is very common right now is fraud, which typically involves impersonating a person, a business entity, or a government agency, often with the intent of misdirecting payment funds, such as wire transfer payments for large invoices, to the wrong bank account (one that the criminal controls) instead of the intended recipient.
As we’ll see shortly, impersonating an individual can take many forms, from telephone calls to an A/P department asking to change the routing number on a payment to more elaborate schemes involving impersonated emails or even entire fake websites.
One specific type of impersonation fraud is known as “phishing,” which relies on errors of human judgment rather than vulnerabilities in software code to work.
In a typical phishing attack, a fake email is sent out, typically with an urgent call to action, asking the recipient to click on a link to log into the company’s data system or online bank account, etc.
Once our hapless user attempts to log in, the criminal gets access to their user name and password, allowing them to pursue several crimes, from penetrating an internal computer system (with the intent to compromise the data and make extortion demands of the company) to using the credentials to log in and transfer or withdraw funds directly (e.g. bank fraud).
Phishing attacks can also occur via the plain old telephone system.
A common scam is to impersonate a vendor and call a company’s accounts receivable department, asking that the routing number of the vendor’s bank be changed.
TIP: Never change payment instructions if the caller calls you; always call the contact number back to confirm these types of changes with someone you know personally.
The recent MGM cyber-attack was reportedly kicked off with a call to the company’s help desk; the caller claimed to be an employee needing to gain access to the computer system. Once the hackers gained access, they were able to burrow further into the system, apparently eventually compromising the online identity protection system from software vendor Okta (ouch!), which provided further access to other Okta company clients.
If you think you are protected from cyber-attacks because your company or government agency is small, think again.
Galveston County, south of Houston, was hit with a phishing scam in 2018 in which a half-million-dollar payment intended for a road construction vendor was fraudulently sent to a criminal’s bank account instead. Sadly, this year, the City of Galveston fell for a similar phishing attack, mistakenly paying an entity claiming to be a trash service vendor nearly $700,000.
Sometimes, these phishing schemes are quite elaborate, involving “spoofed” emails, as Sherry Williams, an executive from the San Francisco Bay Area non-profit One Treasure Island, learned to her horror. In this case, the email system at the non-profit’s outside bookkeeper was compromised, allowing the hacker to create three fraudulent email accounts that impersonated three different individuals – all of whom duly signed off one by one on a payment misdirected to a bank account in Texas that was under the control of the hackers. The funds, which were lost, were intended to pay for pre-development work on an affordable housing program for homeless and low-income families on Treasure Island, a former military site located in the middle of San Francisco Bay.
Security experts fear that advances in artificial intelligence, such as new advanced generative content tools, will make the phishing problem worse, as it will allow hackers in foreign locations to write more convincing fake emails in different languages.
Cybercrime Victims are Negotiating Business Contracts and Payment Terms with Hackers to Get their Data Back
As cybercrime becomes a business, many CEOs are alarmed to find out that the best way forward to deal with a hacking situation is to just negotiate and pay a ransom.
One such executive is Kathleen Duffy, CEO of the Duffy Group, a recruiting agency that lost access to its entire email and financial systems after a German hacker took control of their Microsoft Exchange server in 2021.
At first, Duffy was taken aback to learn that her technical team advocated negotiating directly with the hacker; she asked how was it possible to trust a criminal.
But her advisors pointed out that because cybercrime has essentially become a business, hackers who don’t keep their word (even while committing a crime) will get a bad reputation and will have trouble collecting from the next victim.
Duffy’s negotiators were eventually able to knock the original $28,000 demand down to $2,800, plus a $1,000 bonus payment to speed up the recovery (all in untraceable Bitcoin). Even so, after the payment was made (and communication with the hacker was lost), it was later discovered that emails from 2020 and earlier weren’t recoverable.
Insurance Company Policies May Drive Good Security Practices Faster than Government Regulations
Cyber insurance companies are taking note of their growing losses in the cyber insurance market and raising their rates accordingly.
According to Marc Schein, national co-chair of the Cyber Center of Excellence at the Marsh McLennan Agency (the nation’s largest insurance broker), insurers are increasingly concerned about widespread attacks affecting entire industry sectors, or even entire countries, because of systemic risk, which stems in part from commonalities in security procedures and common software used across different companies.
Schein points out that insurance companies have become much more selective when it comes to issuing cyber coverage and that companies need to prepare to get the best coverage at the most favorable rates.
Many of the policy riders that were included at one time now have to be negotiated separately, such as business interruption coverage.
Schein notes that the time needed to successfully negotiate coverage is also longer; he recommends setting aside 120 days to negotiate a simple cyber policy renewal, and significantly longer for initial coverage.
What are the recommendations for getting cyber insurance coverage?
Schein says his group at Marsh McLennan Agency has worked with a panel of major business insurance companies, such as Chubb, to create a top 12 list of what carriers are looking for when underwriting cyber insurance coverage for a business.
- Use of Multifactor Authentication (MFA) to protect data assets
- Endpoint Detection and Response
- Secure and Tested Backups
- Privileged Access Management
- Email Filtering and Web Security
- Patch and Vulnerability Management
- Incident Response Plan that has been tested
- Cybersecurity Awareness Training (such as Phishing Training)
- Hardening Techniques, such as Protecting Remote Desktop Protocol (RDP)
- Network Logging and Monitoring
- Processes for Managing End-of-Life of Outdated Systems
- Processes to Manage the Vendor Supply Chain (including Third and Fourth-Party Security)
In Schein’s view, the first item, multifactor authentication (MFA) for access to data, has almost become a dealbreaker; companies without this type of protection may find it difficult to get cyber insurance coverage. Overall, Schein says that insurance carriers are very concerned about the status of items one through five.
Companies seeking cyber insurance should prepare a report outlining the status of all twelve of these key security areas, including programs that are approved and budgeted but are only now in the early planning stages. Having this report in hand will allow for a more productive conversation with your insurance broker, or with a cyber insurance carrier if you are negotiating directly.
If all 12 areas are in good shape, you might be able to negotiate full limits for things like dependent business interruption coverage. But if you fall short, you still may be able to get coverage based on your plans to improve, albeit with lower coverage sub-limits tied to how secure your current operations are.
Be aware that many insurance companies are no longer taking the self-assessment security reports of companies at their word. Instead, they are employing security firms to probe the online defenses of companies applying for cyber insurance to see if their security is as good as they say it is.
Given that many cyber insurance companies plan to assess your security before issuing a policy, Schein recommends you do the same to clean up any outstanding issues before your insurance application. Two of the most popular companies mentioned by Schein that offer independent security testing and assessment are Bitsight and SecurityScorecard. (Cisco TrustSec also offers intrusion detection testing.) In some cases, your insurance broker may already have access to these services, so check first.
It’s also worth mentioning that there are companies, such as KnowBe4, that offer cybersecurity awareness training, including instruction and ongoing testing of employees’ ability to avoid falling for phishing attempts.
According to one of our sources, 40% of employees at a Michigan manufacturing company with access to email and/or data systems flunked their first phishing test assessment conducted by KnowBe4.
While most employees improved after additional training, some have failed to become more security aware, leaving the company to question whether they should continue having access to company email, or worse, enjoy continued employment with the company.
Formaspace is Your Partner for Product IT Work Environments
If you can imagine it, we can build it, here at our factory headquarters in Austin, Texas.
Talk to your Formaspace representative today to find out how you can work together to make your next construction project or renovation project a complete success.