Our CEO, Jeff Hare, CPA CIA CISA Comments on the MGM Resorts Cyberattack

Sadly, we see another significant, and successful cyberattack with MGM Resorts being the latest victim.  What we understand from the information available, is the breach could have a material impact on the company’s financial results. Additionally, this is the first major corporate breach since the SEC guidance on cyber risk which was published in late July. [See reference article here]

We also know that MGM had a breach in 2020. This led to the leak of personal information of more than 10 million customers. Given this is the second breach in three years, this type of event could undermine investor’s confidence in the security of MGM’s systems and related controls. The breach could have been the result of management not having fully identified the risks having led to the 2020 breach. Or it may have come about by not taking corrective actions needed to prevent and detect breaches.

Risks

We see similar risks with organizations implementing ERP/HCM Cloud today.

There are significant cyber risks associated in these categories:

• Lack of multi-factor authentication,
• Not properly securing service and integration accounts,
• Incomplete logging of data and retention of logs,
• Unauthorized access to web services, APIs, and other significant privileges
• Unrestricted access to query data

Furthermore, these risks are posed not just by their internal users, but also by other categories of users. Categories such as: system integrators, managed service organizations, suppliers, and customers.

Unfortunately, management often ignores cyber risks in SaaS application because they believe the hosting provider (Oracle, SAP, Workday, etc.) has ‘secured the perimeter’ and has inoculated their organization from ransomware and other risks. Given SaaS applications are internet facing, properly securing key configurations (SSO, MFA, Passwords, Logins, etc.), and privileged access for SaaS applications IS the responsibility of management. As a result, the MGM breach should be a wakeup call to all organizations that their risk assessment needs to look at ALL risks.

“The MGM breach should be a wakeup call to all organizations that their risk assessment needs to look at ALL risks.” Jeff Hare

The cybersecurity industry as a whole is primarily concerned with securing the perimeter and lacks the domain expertise in the way these SaaS applications are configured and implemented. To date, CISOs unfortunately have few options to turn to for outside assistance.

ERP Risk Advisors and partners of ours have developed a comprehensive risk assessment related to cyber risk for Oracle ERP/HCM Cloud and related technologies. Contact us for more information at sales@erpra.net.

MGM Resorts Statement