Analyzing the Nevada Gaming Commission’s New Cybersecurity Rules

In recent months, cybersecurity has become arguably the most important and most talked about topic in all of gaming. The Nevada Gaming Commission enacted new regulations surrounding the issue that went into effect this year, and Lewis Roca attorneys Glenn Light, Patrick Emerson McCormick and Karl Rutledge recently broke down the ins and outs of the rules and how operators should interpret and implement them.

In an increasingly digital world, cybersecurity has taken on unparalleled significance and, in turn, has become an essential safeguard for individuals, businesses and governments alike.

Accordingly, on December 22, 2022, the Nevada Gaming Commission (NGC) amended its regulations to create NGC Regulation 5.260, Cybersecurity (Reg 5.260). This regulation took effect January 1, 2023.

Since Reg 5.260 took effect, the two largest gaming companies by annual revenue, MGM Resorts and Caesars Entertainment, have both suffered data breaches that they have disclosed publicly. The same threat actor reportedly carried out both breaches, using social engineering in each case.

According to the 8-K that MGM filed pursuant to the SEC’s new data breach regulations, the breach cost MGM approximately $100,000,000. In a public letter, MGM’s CEO Bill Hornbuckle disclosed that the attackers obtained personal information of individuals who were MGM customers prior to March 2019, including driver’s license numbers, Social Security numbers and passport numbers. MGM did not pay the ransom, on guidance from the FBI.

Caesars also filed an 8-K following its breach. Caesars provided more details of the attack, including the threat actors’ use of social engineering, but it did not disclose its estimated losses from its breach. Caesars paid its attackers $15,000,000 in ransom, according to the Wall Street Journal.

These attacks provide an unfortunate illustration that gaming companies in Nevada are prime targets for threat actors looking to extract value from both the consumer data they are able to exfiltrate and the custodians of that data who may be willing to pay a ransom to recover and protect their consumers’ data.

Both attacks underscore the need for, and importance of, regulatory scrutiny in the area of cybersecurity. With specific regard to Reg 5.260, this regulation requires gaming entities to take proactive measures to prevent breaches, provide prompt notification in the event of a breach and maintain written records of their compliance.

Reg 5.260 requires that “gaming operators take all appropriate steps to secure and protect their information systems from the ongoing threat of cyber attacks.” This regulation applies to any entity with: a nonrestricted license as defined in NRS 463.0177; a gaming license allowing for the operation of a race book; a gaming license that allows for the operation of a sports pool; and/or a gaming license that permits the operation of interactive gaming. These are defined as “covered entities.”

Most of the requirements found in Reg 5.260 are reasonable best practices for any entity with substantial capital and consumer data. These new requirements can be summarized in five categories.

First, a covered entity must perform an initial risk assessment and develop best practices, then monitor and regularly update those best practices as needed. Reg 5.260(3) provides a list of best practices for guidance in developing a covered entity’s own best practices (including, without limit, CIS Version 8, COBIT 5, ISO/IEC 27001, and NIST SP 800-53, or later versions thereof).

Importantly, covered entities were required to be in compliance with this requirement by December 31, 2023.

Undertaking an initial risk assessment will be the first critical step in ensuring compliance with Reg 5.260. Covered entities should identify all assets (including hardware, software, data and networks), assess potential vulnerabilities and determine the potential impact of cyber threats on each of these assets. A covered entity may use a third-party cybersecurity professional to provide a comprehensive and technically detailed risk assessment as well as provide ongoing monitoring and evaluation.

While not explicitly required by Reg 5.260, any covered entity would do well to formulate a robust data breach response plan after performing its risk assessment. Such a plan should include well-defined procedures for identifying, containing and eradicating a potential cyber threat, and address the recovery process as well as post-incident review and analysis. All the requirements in Reg 5.260 should be preemptively addressed in this plan.

The data breach response plan should also include a clear communication strategy for managing external and internal communications after an incident. This includes a framework for informing all affected parties, from customers to employees. It is important to understand the legal obligations for notification, which may vary state-by-state and also depend on federal guidelines. All these requirements, timelines, and contact information can and should be explicitly included in a comprehensive data breach response plan.

Second, Reg 5.260(4) creates a notification requirement in the event of a cyberattack that results in “a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence,” requiring notification to the Nevada Gaming Control Board (NGCB) within 72 hours after becoming aware of the cyberattack. This is in addition to an entity’s requirement to comply with NRS § 603A.220, which governs data breaches in the state of Nevada generally, and any other relevant state or Federal statutes.[1]

Third, covered entities must also perform an investigation into any cyberattack, including documenting the results of the investigation and making a report available to the NGCB with specific findings, including the cause and extent of the attack. This requirement goes above and beyond most existing notification requirements, which do not typically require the breached entity to disclose its post-attack report.

Responding entities should take care in their written communications related to the post-attack forensic investigation, even with their attorneys. Some courts have held that such investigations are performed for business purposes rather than for legal reasons, and as such no attorney-client privilege protects the entity’s communications with its attorneys. Nevada courts have not yet opined on the matter, but Reg 5.260’s requirement for the creation and disclosure of a post-attack report increases the likelihood that a court will view communications related to the investigation as a business operation, not a legal one.

Fourth, Reg 5.260(5) requires that Group I licensees (per Reg 6.010(8))[2] have a designated, qualified individual responsible for the covered entity’s cybersecurity best practices and procedures. Group I licensees must also perform annual audits and reviews of their best practices, procedures, and security. While Reg 5.260(5) does not address all covered entities, any covered entity should also review its best practices and procedures at least annually to ensure compliance with Reg 5.260(3), which requires any covered entity to “continue to monitor and evaluate cybersecurity risks to its business operation on an ongoing basis.”

While not required, a Group I licensee (and any other covered entity) should consider an annual tabletop exercise in addition to its annual audit and review. Conducting regular tabletop exercises helps identify potential gaps in a security system and refine the data breach response plan. They also train the members of the covered entity in the flow of responding to a breach, much like a practiced fire drill.

Fifth, all steps taken to comply with Reg 5.260 must be memorialized in writing and retained for five years, per Reg 5.260(6). Failure to exercise due diligence in compliance with any section of Reg 5.260 “shall constitute an unsuitable method of operation and may result in disciplinary action.” While not entirely clear from the language of Reg 5.260(6), it is likely that a covered entity need only retain, and produce upon request, the documents necessary to memorialize its compliance (and not all writings created to comply with Reg 5.260).

This subsection is also silent on attorney-client communication privilege. Until there is further guidance on this issue, a covered entity and its counsel should proceed as though all written communications relating to a data breach response covered by Reg 5.260 may not be protected by attorney-client communication privilege.

In summation, the requirements set forth in Reg 5.260 are fairly reasonable, advisable precautions that will make covered entities better prepared and protected from a data breach, which will in turn provide a return on investment beyond compliance if done with intentionality. The vague and potentially onerous notification requirements will increase costs in the event of a breach, but not significantly beyond other existing Nevada and Federal notification requirements. Due to the strict nature of the new Reg 5.260 requirements, every covered entity would do well to have a data breach response plan that it reviews and updates at least annually.

Lastly, the increased threat of cyberattacks creates a host of other considerations that gaming licensees and regulators will have to account for.

For instance, cybersecurity firms require access to systems and highly sensitive information that are often regulated under gaming law and only accessible to certain approved persons. Accordingly, regulators will have to determine whether cybersecurity firms are required to undergo licensure and whether vetting should be expedited, or waived, during a cyberattack. Similarly, gaming licensees will need to make sure they only use the services of cybersecurity firms that have obtained the necessary regulatory approvals, if any. Otherwise, gaming licensees run the risk of providing unauthorized persons with access to regulated equipment and information.

If you have any questions regarding the above, including Reg 5.260 and its requirements imposed on covered entities, creating a data breach incident response plan, or running a tabletop exercise, please contact Karl Rutledge at KRutledge@lewisroca.com, Glenn Light at GLight@lewisroca.com, or Patrick Emerson McCormick, CIPP/US at PMcCormick@lewisroca.com.
[1] For example, each state has its own set of requirements in the event of a data breach, including who must be notified, timelines for the notification, and what information must be included. The Federal Trade Commission provides additional guidelines for businesses on what to do in the event of a data breach.

[2] Current revenue thresholds for Reg 6.010(8) can be found here: https://gaming.nv.gov/modules/showdocument.aspx?documentid=8372

Glenn J. Light is a Partner and Chair of Lewis Roca’s Commercial Gaming Industry Group. He provides counsel on nearly every aspect of commercial gaming transactions, including licensing, corporate structure, financing and due diligence.
Karl F. Rutledge is managing partner of Lewis Roca’s Nevada offices, which include Las Vegas and Reno, and a member of the firm’s Commercial Gaming Industry Group providing counsel on gaming, eSports, fantasy sports, sports betting, and promotional marketing.
Patrick Emerson McCormick, CIPP/US is an associate in Lewis Roca’s Data Privacy and Cybersecurity Group. He assists clients on how to comply with the growing number of data and cyber regulations, how to best protect themselves from data breaches, and how to respond if one occurs.