In September MGM Casinos and Hotels suffered a massive cyberattack. WSJ reported: “I saw employees
armed with clipboards and pens everywhere. It was the strangest sight I’ve seen since MGM installed those
handwashing stations… tables were filled with binders of master keys in case the system went down again…
Getting cash was a problem, with ATMs not working at many of the casino hotels… [Slot machines] couldn’t
spit out the vouchers players receive when they hit the cash-out button.”

Caesars had their own cyberattack earlier in the summer, but paid $15m to avoid most of the pain.
Nonetheless, “The company said it discovered that the attacker acquired a copy of data including driver’s
license numbers and social security numbers for ‘a significant number’ of members of its loyalty program.”

It seems like most people don’t take us cybersecurity pros seriously when we say this can happen.
I don’t know how much MGM would have had to pay, but:

  • Their operational losses will be through the roof
  • The costs to investigate and repair will be incredible
  • The lost revenue between hotel cancellations (which they are forced to offer for free)
    and lost gambling revenue must be huge
  • The reputational losses will be long-lasting. How many MGM customers will stay at
    Caesars going forward just to avoid the potential hassle of working with MGM?

Of course, for MGM this is on $13bn of annual revenue, so would this matter to a smaller business? Yes. Small businesses will typically have a higher ransom or recovery cost as a proportion of revenue. The ultimate gamble is this: is it less costly to go through a cybersecurity incident or to defend against one?
