On December 22, the Nevada Gaming Commission (NGC) approved new regulations regarding gaming operators’ cybersecurity systems, which came into effect at the start of the new year.
As part of the approved changes, casinos were required to run an independent evaluation of their existing systems by the end of the year in order to ascertain what additional safeguards needed to be implemented, if any. Additionally, operators will be required to notify the NGC of any breaches of player or employee data in the future.
These guidelines apply to all gaming entities, including those with unrestricted licenses, race and sportsbook licenses or iGaming licenses.
Cybersecurity has been a huge topic of interest for the gaming industry for the last two-plus years, beginning with a slew of ransomware attacks against tribal operators over the course of 2020 and 2021; the FBI has since estimated that those attacks resulted in millions of dollars in damages. In Nevada specifically, the Dotty’s bar franchise and Binion’s were also hit by hackers.
Not only that, but several high-profile sports betting operators have reported data breaches over the past year, including DraftKings and BetMGM—in fact, the NGC’s ruling came just one day after BetMGM announced that a trove of customer data, such as Social Security numbers and banking information, was compromised in a recent attack.
These issues were at the forefront of the NGC’s recent meeting, which took less than a half hour to complete.
As reported by CDC Gaming Reports, Edward Magaw, Nevada’s senior deputy attorney general, told regulators that the final version of the legislation had changed significantly since it was originally introduced over the summer, following input from operators.
According to Magaw, flexibility is paramount, as operators won’t be subject to a blanket set of procedures with regard to investigating and overseeing cybersecurity risks as established by the Nevada Gaming Control Board. Instead, that responsibility will be placed on licensees themselves.
Magaw said that “based on comments received from the industry,” the guidelines were updated so that “an affiliate or third party may be used to perform the assessment and monitoring,” as reported by CDC Gaming Reports.
With regard to notifying regulators after an attack has taken place, Magaw said that operators will not be obligated to share any specific information; rather, they will release information as requested, a provision that, he asserted, was changed for security reasons.
All attacks must be followed by a thorough investigation as well as a report that must be made accessible to regulators, which was to be expected. Based on the report, operators must consult with a third-party cybersecurity expert in order to implement whatever changes are required, and this review process must be done on an annual basis thereafter.
As far as the 72-hour window is concerned, that timetable is consistent with those of other industries such as banking, according to Dan Reaser, an attorney representing the Association of Gaming Equipment Manufacturers (AGEM).
According to CDC Gaming Reports, Magaw said that the window “doesn’t mean (operators) can wait 72 hours to respond or react to the cyberattack, but to notify us. We felt that was limited enough time that the Board, if there were risks to the industry as a whole, could take necessary measures to mitigate damage to other participants in the industry.”
He also mentioned, however, that the language regarding reporting was left intentionally broad to accommodate special circumstances, such as when operators work with the FBI or other government agencies.