Two cyber attacks against two separate casinos in Las Vegas last week highlight the continued cyber insurance market risk resulting from tenacious ransomware groups, according to Guy Carpenter’s Cyber Event Analysis.

Gaming and hospitality giant MGM Resorts International reported that an ongoing cybersecurity incident had paralyzed its information technology and casino operations. MGM attempted to thwart the attack by taking down some of its network infrastructure, which caused the cyber criminals to deploy ransomware. This cyber incident followed a similar incident targeting Caesars Entertainment, where its loyalty program database was breached, which included customer driver’s license numbers and Social Security numbers. In its report to the SEC, Caesars acknowledged paying a ransom so that the stolen data would be deleted by the cyber criminals.

Scattered Spider, working with ALPHV, a ransomware operation known for providing affiliates with highly customizable malware that can encrypt a wide range of network environments, conducted the attack via social engineering. According to the analysis, Scattered Spider is known to use LinkedIn and has impersonated IT personnel to gain access to internal data.

ALPHV is also a confirmed successor to the DarkSide ransomware group, which closed down operations in May 2021 as intense law enforcement pressure following its widely publicized attack on Colonial Pipeline, Guy Carpenter said.

DarkSide’s re-emergence as ALPHV, an organization that often targets large operations for high demands, is a reminder of how difficult it is to prevent malicious cyber activity, the analysis stated.

The threat of ransomware remains a major peril for insurers and insureds.

After a wave of ransomware activities starting in 2019, cyber insurance companies responded swiftly with major price hikes, seen by Guy Carpenter cyber client group’s average 183 percent cumulative rate increase since 2020.

Rate adequacy and cyber hygiene improvements has led to restored confidence to the cyber insurance industry, attracting new capacity. Despite this, ransomware activity has escalated this year, with ransom payments spiking to near the level of fourth-quarter 2021, according to the analysis.

Guy Carpenter suggests insurers address aggregation and volatility of the line.

“As the cyber insurance industry confronts systemic risk through quantification and policy wording, insurers and insureds should view the Vegas attacks as garden-variety cyber crimes that are financially motivated. Despite the fact that Caesars and MGM Resorts fell victim to the same threat actor, which used the same ransomware and similar social engineering tactics, early evidence indicates these incidents may be classified as two separate events rather than a single cyber catastrophe event,” the report stated. “Unlike systemic ransomware attacks where a self-propagating malicious code spreads across networks, the Vegas attacks involved, through individual targeted reconnaissance efforts, the compromise of separate systems owned and controlled by different entities.”

For insurers seeking to address portfolio volatility, Guy Carpenter recommends that losses from the MGM and Caesars claims should be considered holistically to address overall aggregation risk.