Caesars And MGM Boards Lose Cybersecurity Gambles

Despite the staggering, well-documented rise in cybercrime, the SEC’s long-awaited cybersecurity regulations exclude board tech expertise requirements.

Two recent cyberattacks on prominent casino chains, MGM Resorts and Caesars, offer clear and compelling examples of the risks of poor boardroom digital era readiness and why proxy statement governance disclosures warrant a closer read.

As widely reported, Caesars paid $15 million in a ransomware attack. Just days later, in a “vishing” (voice phishing) scheme, hackers impersonated an employee using LinkedIn information to fool MGM’s IT help desk for systems access. The breach disrupted MGM casino operations, reduced daily revenue and cash flow by an estimated 10-20% and dented its market cap by nearly $2 billion.

Notably, both casinos seated boards without credible IT experience. That reality was tucked in their 2023 proxy statements — either by disclosure or sleight of hand.

Use Your Illusion

Many companies talk a good game about digital technology. But is their commitment real, lacking or just for show? A first clue is in the proxy statement.

MGM took the antiquated route. Only one board member has any discernible tech experience — audit committee chair Gregory Spierkel, who ended his stint as CEO of Ingram Micro in 2012. Its board lacks a technology committee, and cyber governance is tasked to the audit committee for occasional discussion.

MGM’s 2023 proxy statement states that “the audit committee receives updates on information technology risks at least twice a year from the chief information security officer and the chair of the audit committee updates the full board on these presentations. The audit committee also receives an annual assessment of its cybersecurity program by external subject matter experts.” That’s hardly tenacious director selection, commitment and oversight.

Caesars’ 2023 proxy statement provides a contrasting example to the same end. In May, it re-elected all nine board members, whose average age is over 66.

In its cleverly bundled qualification criteria, the proxy identifies seven directors who have “risk management/IT cybersecurity data technology experience.” While such background is defined as “experience managing risks associated with cybersecurity and IT functions [which] can help provide knowledge and guidance to the Board with respect to data protection and oversight of associated security risks,” none of the director biographies mentions any direct tech function or cybersecurity experience.

  • Bonnie Biumi, age 61, is a CPA and former industry CFO.
  • Jan Jones Blackhurst, age 74, a former Caesars executive, “brings to the Board significant experience in corporate social responsibility matters, including specifically within the gaming industry, including policies on responsible gaming and government relations experience.”
  • Frank Fahrenkopf, age 83, retired president and CEO of the American Gaming Association, “has been selected to serve as a director because of his extensive knowledge of gaming regulatory matters, his relevant legal experience and his experience as a public company director.”
  • Dan Kornstein, age 71, the board’s vice chair, is a consulting partner who “brings to the board his experience in the gaming and entertainment industries…strategy and finance expertise and experience serving on several boards of directors.”
  • Courtney Mather, age 46, the CEO and Chief Investment Officer at Vision One, is a former managing director at Icahn Capital and Goldman Sachs.
  • Thomas Reeg, age 51, the former CFO of Eldorado Resorts, “has been selected to serve as a director because of his extensive financial experience and his familiarity with the business of the Company.”
  • David Tomic, age 71, audit committee chair and a former CFO, was “selected to serve as a director because of his financial and management expertise and his experience with respect to raising capital, mergers and acquisitions, corporate governance and investor relations.”

The proxy statement later includes a 295-word boilerplate cybersecurity statement that indicates, “the board is responsible for reviewing our cybersecurity risk profile and is regularly updated by our senior VP of IT (who also serves [as] chief information security officer) on cybersecurity risks and threats.”

It continues, “the board has determined that retaining responsibility for risks related to cybersecurity oversight is appropriate, given the complexity of the risks associated with cybersecurity and the attention required to appropriately review and monitor such risks. The full board lends its collective experience and attention to discussing and overseeing potential risks identified by management and stays up to date on management’s risk-mitigation processes related to cybersecurity.”

While no company is immune to cyber risk, neither casino’s governance stance offers convincing stewardship responses to digital era danger.

Better Odds

Even if board members lack IT experience, they can readily learn more. For instance, the Digital Directors Network delivers governance seminars and issues a Qualified Technology Expert (QTE) certification. According to its website, participants include directors and employees across a wide range of industries, such as the NFL, Amazon, American Express, Aramark, Envestnet, Pfizer and KraftHeinz.

Bob Zukis, Digital Directors Network founder/CEO and fellow Forbes contributor, wrote, “Until the SEC [views] the responsibilities of the board in cybersecurity risk oversight as critically as financial risk oversight, leadership in cybersecurity risk governance will continue to underperform the realities of the market.”

He emphasized, “Cybersecurity success starts in the boardroom (except in the eyes of the SEC) and unfortunately cyber failure often does too.”

Regardless of compliance minimums, boards can and must fulfill their fiduciary responsibilities with rigorous director selection, continuing education and active governance. Otherwise, relentless cybercriminals gain dangerous leverage.

Who’s Next?

After-the-fact enforcement of tardy disclosure is futile in reducing stakeholder risk. Even absent board composition regulation, the SEC should pursue and sanction disclosure violations that prioritize form over substance. General risk management experience cannot be characterized as cyber expertise. Is anyone at 100 F Street in Washington, DC willing to roll the dice for a further look?
