2023-09-25 02:14:37 ET
Summary
- MGM Resorts International suffered a ransomware cyberattack, causing significant disruptions to its business operations.
- The total financial impact of the cyberattack remains unknown, in particular with regard to increased costs and potential liability.
- With such significant unknowns, MGM stock is too risky to hold in the aftermath of the cyberattack and investors should sell.
Whenever a special situation arises that causes a stock to suffer a quick decline, I usually like to kick the tires and see whether it's worth looking into from a value perspective. Often the market overreacts and there can be a buying opportunity. MGM Resorts International ( MGM ) suffered a ransomware cyberattack on September 10, and has just announced that it has gotten most of its computers back online .
Investment Thesis
There are currently too many factors about the cyberattack that are publicly unknown, leaving investors at significant risk. While analysts have estimated the daily losses in revenue, increased costs have not yet been reported, liability in the data loss is unknown, and the terms and amount of insurance coverage for cyberattacks are also unknown.
As a result, I consider MGM stock to be too risky to hold in the aftermath of the cyberattack.
Value Fundamentals
Let's take a quick look at the value investing fundamentals before breaking down this special situation so that we can get a better understanding of how much interest a value investor should have in MGM as a business.
On the bright side, MGM has a current ratio of 2.04 according to their most recent balance sheet . Of course, that has almost certainly been impacted negatively by the increased costs and reduced revenue from the cyberattack.
In addition, the rest of the balance sheet is not particularly attractive to a value investor. The tangible book value of MGM is -$6.65 per share, and they're carrying more than $19 of debt per share. Their earnings history is not impressive, showing a general upward trend but nothing to write home about, and that's before factoring in the current situation.
MGM Resorts International does have an impressive recent record of buybacks, reducing the share count from nearly 500 million to just over 350 million over the last three years. That's an annualized reduction of more than 11%, and presents a significant capital return to investors.
Impact of Cyberattack on MGM Stock
MGM has been pretty tight-lipped about exactly what's going on behind the scenes, so let's just focus on what we know. I happened to try to access the app myself on the night of September 10, and noticed that it was down, which matches the reported timeline of an attack beginning on the 10th.
The company released a statement on September 12, simply notifying investors that they had "recently identified a cybersecurity issue affecting certain of the Company's systems." They said that they had begun an investigation with experts, notified law enforcement, and shut down various systems to protect data and systems.
The systems that were down included their ability to accept hotel reservations through their website or app, and for a period of time over the phone. They also were unable to process anything through their MGM Rewards system, which includes most comps that players earn and use on food and beverages around their properties.
The Las Vegas Review-Journal cited an analyst report from the Jefferies Group, predicting that the company was losing $4.2 million to $8.4 million per day in revenue with their systems down. They were down for 10 days, although I'd argue they still aren't "back up" in the truest sense. But even over those 10 days, they lost between $42 million and $84 million based on that analysis.
The earnings estimates for the quarter were $0.45 to $0.78 per share, which would equate to $158 million to $273 million. So the downtime is likely to lead to anywhere from a 15% to 53% miss on earnings, as the lost revenue is not going to be offset by decreased cost inputs. In fact, costs should be significantly higher during this period. It's also unclear whether that analysis included lost revenue going forward due to reduced hotel bookings during the outage for future dates in the Fall.
The Fall is a busy season for Las Vegas casinos, as it's some of the best weather of the year in Vegas and football season is a popular time for sports bettors. As of the writing of this article on September 22, it is possible to book hotel rooms with MGM over the phone or via third-party sites, but not on the MGM website or app. The company has a webpage updating common questions about the impact on its customers. It's hard to imagine that this is not causing a significant drop off in bookings.
The app is also down and is not allowing customers to book rooms or check their MGM Rewards balances. So on top of current losses and potential losses from future bookings, there's also the question of whether this will impact customer loyalty going forward and perhaps impact MGM's ability to retain customers and market share.
The MGM Rewards app is still lacking significant functionality as of September 22, 2023. (MGM Rewards App)
On top of the lost revenue, MGM is almost certainly incurring significantly increased costs behind the scenes. They've had their employees working longer hours to handle tasks that had been automated by systems that were down, and they've almost certainly paid a significant amount of money contracting cybersecurity experts and programmers or system administrators to try to get their systems back online, while also fixing any security issues.
In a statement the Las Vegas Review-Journal obtained from LinkedIn, MGM Resorts International CEO Bill Hornbuckle thanked his employees for their extra work.
We continue to work diligently to resolve this issue, and that includes increasing our staffing levels across our properties to help ensure individual needs are addressed as promptly as possible. Again, thank you for your patience and the kindness you've shown to our employees.
And speaking of our tens of thousands of employees, I want to thank all of you for working so incredibly hard to maintain a high level of service. I understand this week has been challenging and appreciate you so much for your great dedication, resourcefulness and good cheer you are bringing every day. You have my utmost gratitude and greatest respect for all you do, day in and day out, but especially now.
I haven't found any estimates on what the increased labor may be costing MGM, but it is hard to imagine it's not in the tens of millions of dollars.
Now, that said, MGM Resorts International does maintain insurance against cyberattacks according to their most recent 10-K filing . "In addition, while we maintain cyber risk insurance to assist in the cost of recovery from a significant cyber event, such coverage may not be sufficient," the company said.
The problem is, their filing gives no information on how much insurance they carry. It's also hard to imagine that in a case as significant as this one there won't be some sort of battle over how much is actually paid out.
Their 10-K filing also mentions the damage that a cyberattack could have on the company moving forward.
We also rely extensively on computer systems to process transactions, maintain information and manage our businesses. Disruptions in the availability of our computer systems, through cyber-attacks or otherwise, could impact our ability to service our customers and adversely affect our sales and the results of operations. For instance, there has been an increase in criminal cybersecurity attacks against companies where customer and company information has been compromised and company data has been destroyed. Our information systems and data, including those we maintain with our third-party service providers, have been subject to cybersecurity breaches in the past and may be subject to cybersecurity breaches in the future. In addition, our third-party information system service providers face risks relating to cybersecurity similar to ours, and we do not directly control any of such parties' information security operations. A significant theft, loss or fraudulent use of customer or company data maintained by us or by a third-party service provider could have an adverse effect on our reputation, cause a material disruption to our operations, and result in remediation expenses, regulatory penalties and litigation by customers and other parties whose information was subject to such attacks, all of which could have a material adverse effect on our business, results of operations and cash flows.
These factors present significant unknowns and leave the average investor at a significant informational disadvantage to experts and insiders. That presents significant risk.
Other Risks Facing MGM
On top of the special situation, MGM Resorts International faces similar headwinds to other companies in the consumer discretionary sector. Concerns over an upcoming recession and a loss of consumer confidence could cause a decline in business, and at a time when the company can ill afford it.
Possible Mitigants and Upside Catalysts
There are a few arguments to counter the negative narrative. It's possible that MGM's insurance against cyberattacks is robust enough to offset losses significantly, and thus the only impact to the business that shareholders are on the hook for is reputational damage and loss of loyalty among customers due to the downtime.
I don't expect the reputational damage to be significant, as cyberattacks have become increasingly common and have impacted other rival companies, with Caesars Entertainment ( CZR ) recently paying a ransom itself. In fact, it's possible that MGM managed to shut down its systems before customer data was stolen. That means it's possible that the narrative when the dust settles is that MGM took a significant hit in revenue to protect its customers' data, which could make people trust the company more. The range of outcomes here is wide, and we simply don't have enough information to draw a conclusion.
The impact of the downtime on market share and loyalty among customers is difficult to measure, and a lot will likely depend on what MGM decides to do in terms of "make good" promotions when its app and MGM Rewards system are fully operational again.
Those who are interested in the company in part due to the growth potential of the BetMGM side of the business might view this as a good buying opportunity. Nothing has fundamentally changed with regard to the online gambling side of the business, which certainly has significant upside - but also significant competition.
Valuation
Given the number of unknowns at this point related to the cyberattack, I consider it virtually impossible to come to any sort of valuation conclusion based on publicly available information. We don't know how much MGM's losses will be offset by insurance, how much their costs have increased, or whether they'll face any liability or regulatory issues going forward.
So instead of making a wild guess at their fair value, let's use a relative method and take a look at the stock's movements since this cyberattack started relative to industry competitors.
Caesars, which opted to pay a ransom and keep its systems running in the face of a similar attack, is down about the same amount as MGM during this window. Las Vegas Sands Corp. ( LVS ), which has no known or confirmed cyberattacks at the moment, is down 7.28%.
So, making a relative comparison, the market seems to be implying that Caesars and MGM have had a similar value loss based on their cyberattacks. If one believes that to be true, then their investment thesis on MGM preceding the cyberattack should probably remain about the same - it's already been fairly priced in.
However, it seems obvious to me that MGM has suffered far more significant disruptions to their business than Caesars, and should probably be suffering more significant losses in market cap. That would either mean that Caesars should be trading higher, or MGM should be trading lower.
Conclusion
There are simply too many public unknowns at this moment that insiders and experts have better insight into, leaving retail investors at a significant disadvantage. That alone is enough to scare me off, and seeing as MGM was not a company of particular interest to me before the cyberattack, nothing changes that for me now.
If I were already a shareholder, I would sell the stock and wait for more information to become publicly known so that I wasn't carrying the risk of being at a huge informational disadvantage.
I'll continue to monitor the situation, and once more is publicly known about the details of the costs I may reconsider. In the meantime, I think there are better consumer discretionary stocks to invest in.
For further details see:
MGM Resorts: Impact Of Ransomware Attack