Presumably the insurance requires a security audit (yearly?) in order to get in the first place?
As long as the auditors OK'd it then the insurance should pay out. Unless they can show that MGM intentionally lied in the information they gave the auditors -- which will surely now be gone through with a fine-toothed comb.
(See that HN thread from a couple of days ago wondering if they were personally liable for fraud for producing a document lying about pentesting.)
The audits you get for something like SOC2 are quite weak, I'm very curious to learn if the insurance team's audit is more thorough (if they perform one).
As long as the auditors OK'd it then the insurance should pay out. Unless they can show that MGM intentionally lied in the information they gave the auditors -- which will surely now be gone through with a fine-toothed comb.
(See that HN thread from a couple of days ago wondering if they were personally liable for fraud for producing a document lying about pentesting.)