In September 2023, MGM Resorts watched its slot machines go dark, its hotel room keys stop working and its booking system fall over, all because a ransomware crew got MGM's IT help desk on the phone, impersonated a staff member, and talked the desk into resetting credentials. The company put the hit at "approximately $100 million" in an 8-K filing. Other estimates put the all-in figure substantially higher.
That number gets attention because MGM is large. But the mechanism of the loss is what restaurant and hospitality groups in 2026 need to look at, because the same playbook is being run against operators a fraction of that size, and the policy gaps are bigger at the smaller end.
The loss had four heads
A modern hospitality cyber event doesn’t show up on one line of the income statement. MGM’s loss broke down roughly into:
- System restoration and remediation: rebuilding systems, forensics, and getting back online
- Business interruption: revenue lost while systems were down
- Customer notification and regulatory defence: millions of customer records implicated
- Third-party liability: class actions filed within days of the outage
A typical mid-market business owner's policy (BOP) doesn't respond meaningfully to any of these. The hospitality cyber endorsements sold as an add-on to a BOP often sub-limit business interruption to $50,000–$250,000, which won't cover a single weekend of a multi-unit operation.
What multi-unit operators need
The right cover for hospitality groups is a standalone cyber policy with BI sized to the operation, not a bolted-on endorsement. Specifically:
- BI limit sized to weekly revenue × expected outage. Most ransomware-driven outages now run 3–10 days even with a strong response. If you do $2M a week across your units, $250k of BI is the wrong order of magnitude; a seven-day outage at that run rate is $2M of lost revenue before restoration costs are counted.
- POS and back-office both in scope. Many forms cover one or the other. Hospitality needs both: if POS goes down, you stop taking orders; if back-office goes down, you stop paying staff and suppliers.
- PCI fines and assessments. Card-data breaches at scale trigger PCI penalties that BOP cyber endorsements rarely cover.
- Contingent BI for upstream vendors. If your reservations platform or payment processor is the one hit, you still lose revenue.
The social-engineering vector matters
The MGM attack didn't start with a sophisticated zero-day. It started with a phone call. That matters because most cyber forms that do cover ransomware still treat social-engineering fraud (the wire that goes to a fake vendor, the credentials that get reset for an "IT vendor" who isn't one) as a separate peril, frequently sub-limited or pushed onto the crime policy, and the encryption event that follows the phone call may be covered while the phone call itself is not.
For hospitality groups with finance teams handling vendor payments at scale, a primary social-engineering limit sized to the dollars actually moving is no longer optional. It belongs alongside cyber and crime, with the wording explicit about which policy responds when deception rather than intrusion is the cause.
What to do this quarter
- Map your operational dependencies. Reservations, POS, payroll, vendor payments — list every system and the vendor behind it.
- Cost out a 7-day BI scenario. Take weekly revenue across all units and compare it to your current BI limit. The gap is your exposure.
- Re-shop cyber separately from the BOP. Bundled cyber endorsements are convenient at small scale. At multi-unit scale they're a false economy.
- Test the social-engineering control loop. Can a caller get a password or MFA reset from your help desk, or a vendor bank-account change past your finance team, without out-of-band verification? The cyber underwriter will ask. Better to know the answer first.
MGM survived because MGM is large enough to absorb $100M in shock. Most multi-unit operators aren't. The lesson isn't that a fortress is required; it's that the insurance limits and the form wording have to actually match the modern threat. They mostly don't yet.