A Wall Street analyst said the losses MGM Resorts International is experiencing from a cyberattack on the company’s hotel-casino operations in eight states could be covered by a $200 million cyber insurance policy covering ransom payments and business interruption.
MGM Resorts on Sept. 11 acknowledged the attack, which has disrupted its business operations companywide, including the gaming floors, hotel operations and other guest services. The company’s website was recently relaunched with a frequently asked questions button focused on the hack’s fallout.
The company has not acknowledged making any ransom payment to the hackers, who have not been identified by the company or law enforcement.
JMP Securities gaming analyst Jordan Bender wrote in a research note Tuesday that the firm’s insurance technology team calculated that a ransom could cost between $30 million and $50 million. Jefferies Gaming analyst David Katz estimated in a research note last week that MGM is losing 10 percent to 20 percent of its daily revenue.
Much of those losses are coming from disrupted gaming operations, lack of online hotel reservation capabilities and the loss of paid parking fees because computer systems are offline. MGM said on its website it is not charging customers hotel room cancellation fees.
Bender wrote in his note that the insurance would cover up to four weeks of losses if a ransom payment had been made.
“If the breach is fully covered within the policy, MGM will incur minimal costs along the way, and see insurance premiums go up, but it would amount to a drop in the bucket for a company generating $4.7 billion of [cash flow] this year,” Bender wrote.
Shares of MGM Resorts, which closed at $39.20 on the New York Stock Exchange Tuesday, have lost roughly $850 million in market value, a decline of 6 percent since the hack was first reported.
Bender said the effects on MGM’s Strip properties could shift business to competitors. He said MGM generates 63 percent of its company wide property cash flow from the Strip, where it’s the largest operator of convention space and hotel rooms.
“We do not know the timeline of when operations will return to normal, but our checks indicate MGM is still experiencing day-to-day issues that could persist for a period of time,” Bender wrote.
Caesars Entertainment said last week it was also the victim of a cyberattack but didn’t confirm media reports from anonymous sources that it made a ransom payment to the unknown hackers who stole data associated with the company’s customer loyalty program.
In an 8K filing with the Securities and Exchange Commission, the company said it took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
Bender noted that several gaming and leisure industry companies have been the victims of recent cyberattacks, including Marriott International last year and MGM in 2019. Sports betting operators DraftKings and FanDuel were hacked in cyberattacks last year.
“Historical precedent has shown past hacks of credit cards and personal information within this space have not materially impacted long-term revenue, and in turn, companies saw a recovery in the stock price,” Bender wrote.