Companies remain reluctant to admit paying hackers

Caesars Entertainment Casino Operator,

for example, has not publicly stated that it paid hackers after a cyberattack in late summer. The Wall Street Journal reported last week that Caesars had paid about half of the $30 million ransom demanded by the hackers. Unlike competing MGM resorts,

which was hacked on September 10, Caesars appears to have avoided major technology outages. Caesars and MGM did not immediately respond to requests for comment.

In a Sept. 14 filing with the Securities and Exchange Commission, Caesars made no reference to paying a ransom, saying, “We have taken steps to ensure that the stolen data is deleted by the non-actor.” allowed, although we cannot guarantee this result. »

The issue reflects the challenges federal regulators face in imposing more transparency on how companies handle cyberattacks. Companies are often unwilling to disclose more information than is required, in part because they fear lawsuits and reputational blowback.

The SEC approved new rules in July requiring publicly traded companies to report, starting in December, the nature, scope and timing of significant cyberattacks in 8-K filings and other regulatory forms. Some companies are already reporting cyberattacks through this method, like Clorox, which filed an 8-K complaint regarding a hack that disrupted order processing for some products since August.

Some states, regulators, and the federal government have specific rules regarding incident reporting, or are considering implementing them, but the SEC’s are by far the most detailed.

The materiality threshold under the SEC rules would in many cases include whether a company paid a ransom, said Doron Goldstein, a privacy and cybersecurity partner at the law firm Withers.

Payments amounting to millions of dollars could be significant for some companies, Goldstein said. “We’re going to see more reporting on things that the public didn’t know were happening before,” he said.

The rate at which victims pay ransoms has been declining steadily for years, which cyber experts attribute to higher investments in security, better practices, and more extensive training and preparation in responding to attacks. incidents.

In the second quarter of 2023, a record 34% of attacks led to companies paying, according to Coveware, which negotiates with hackers on behalf of victims. This figure was 42% for the same period in 2022, 53% for the second quarter of 2021, 69% for the same period in 2020 and 79% in 2019.

At the same time, Coveware said, the average amount of ransoms paid has increased sharply in recent months to $740,144 at the end of the second quarter of 2023, an increase of 126% from the first quarter.

The cybersecurity industry is divided over whether companies should pay ransoms. The Federal Bureau of Investigation generally advises victims not to pay because it encourages more attacks. Companies that pay could be violating U.S. sanctions against cybercriminal groups or countries, said Nick Hyatt, head of cyber practice at security firm Optiv.

For certain sectors, the decision is based on delicate calculations. Broken computers and equipment in healthcare facilities, for example, can have deadly consequences. Casinos and hotels can be crippled by lengthy outages, which could harm local economies.

“As entertainment and hospitality are deeply ingrained in cities like Las Vegas, the repercussions of an attack can be widespread,” Hyatt said, referring to the hacks at MGM Resorts and Caesars.

In rare cases, companies have publicly admitted to paying a ransom. In 2021, Joseph Blount, chief executive of Colonial Pipeline, told the Wall Street Journal that he authorized a $4.4 million payment because executives were unsure of the magnitude of the effects of a attack on the energy company and the duration of this attack. take to restore operations. “I have to admit I wasn’t comfortable seeing money coming out the door of people like this,” Blount said at the time.

Companies may pay but not acknowledge it because of embarrassment or fear of providing ammunition for possible lawsuits, said Bob Zukis, CEO of the Digital Visitors Network, an organization that advocates for subject matter expertise. cybersecurity within company boards of directors.

“It would be an admission that it was a measure of last resort: there was nothing else we could do and so we had to pay,” he said. “Why put that out there?”

Caesars said in its SEC filing that hackers stole data from its loyalty program database, including members’ driver’s licenses and Social Security numbers.

“What do they have to gain by confirming that they paid millions of dollars to criminals who could attack a children’s hospital or charity the next day,” said Brett Callow, a threat analyst at Emsisoft, a company cybersecurity. “Being seen as funding these groups can be very bad publicity,” he said.

Write to Catherine Stupp at catherine.stupp@wsj.com and James Rundle at james.rundle@wsj.com