The Nevada Gaming Control Board (NGCB) has recommended that most gaming licensees be required to take additional steps to protect their data.
The Nevada Gaming Control Board wants to require that most gaming operators regularly review their cybersecurity protections and update those security measures. But some licensees say such an annual review would be costly and overly burdensome. (Image: Nevada Gaming Control Board)
The NGCB held a workshop yesterday to draft regulatory amendments to Regulation 5 — the Operation of Gaming Establishments in Nevada. The board, which has the primary purpose of protecting the stability of the state gaming industry through licensing, investigation, and enforcement of laws and regulations, as well as maintaining public confidence by making regulatory adjustments to the governing conditions, thinks casinos and other licensees should do more to strengthen their cybersecurity.
Following the workshop, the NGCB drafted an amendment to Regulation 5 suggesting that certain gaming operators, including casinos, non-restricted licenses, and racebook and sportsbook permit holders, regularly review their cybersecurity protections and report their findings to the state.
It is critical that gaming operators take all appropriate steps to secure and protect their information systems from the ongoing threat of cyber attacks,” the NGCB amendment draft reads. “Gaming operators must not only secure and protect their own records and operations, but also the personal information of their patrons and employees.”
To achieve that mission, the NGCB is suggesting that most gaming licensees annually hire an independent third-party auditor specialized in cybersecurity to review the company’s electronic information, data, hardware, software, and overall computer systems and networks. Each licensee would then be required to implement patches and other fixes and assurances based on the assessor’s findings.
Board Backlash
The NGCB reports to the Nevada Gaming Commission (NGC), the five-member board that oversees the state’s gaming industry. The NGC is set to consider the board’s cybersecurity rules on October 20. In the meantime, licensees are submitting comments on the proposed regulatory changes.
South Point Casino, located south of the Las Vegas Strip, is one licensee that has expressed concerns with the cybersecurity recommendation. The casino says such a requirement would unfairly impact its resort compared with larger casino operators.
“We firmly believe requiring an annual risk assessment is unnecessary and unfairly impacts single property licensees like the South Point. Risk assessments are not inexpensive, and for single property licensees, generally have to be performed by an outside consultant,” South Point attorney Barry Lieberman wrote in a letter to the NGCB.
South Point is urging the NGC, should it decide to accept the board’s recommendation regarding increased cybersecurity measures, that assessments be required every three years instead of annually.
Attorneys representing Aristocrat Leisure and IGT, two leading gaming manufacturers, appealed for the board to more definitively define “information system.” Boyd Gaming suggested that the board clarify what constitutes a “cyber attack” and exclude unsuccessful IT infiltration attempts from being required to be reported to the state.
The board’s Regulation 5 cybersecurity draft includes requiring licensees to inform the NGCB of any cyberattack on their information systems within 72 hours.
Attacks Increasing
Tribal casinos have emerged as prime targets for hackers. After numerous casinos operated by Native American tribes were attacked online in 2020 and 2021, the FBI Cyber Crime Division issued a warning to the tribal gaming industry suggesting that tribes have become desirable targets among ransomware groups.
Commercial gaming operators are not immune.
In 2019, MGM Resorts admitted that personal data on roughly 30 million guests had been compromised through a cyberattack. And last year, Dotty’s said it was the victim of a cyberattack that resulted in the personal information of both employees and guests being stolen.
The post Nevada Gaming Control Board Suggests Licensees Do More to Assure Cybersecurity appeared first on Casino.org.
