Amid an increase in cyberattacks that have shuttered several tribal casinos in the last two years and prompted a warning from the FBI, Nevada gaming regulators have proposed cybersecurity requirements to protect casino information systems.
In a 75-minute workshop Monday, the Nevada Gaming Control Board recommended casinos and gaming operators do a risk assessment of their systems in 2023 and take any necessary steps to ward off cyberattacks. If any breach proved successful and compromised player data, credit-card information, and other records, including that of employees, properties would be required to report it to gaming regulators within 72 hours.
The Nevada Gaming Commission is scheduled to hold a hearing on Oct. 20 to consider the new regulations during the federally recognized Cybersecurity Awareness Month. If approved, they will go into effect on Jan. 1, 2023.
Cyberattacks have shuttered casinos in California, New Mexico, Arizona, Oklahoma, and Wisconsin since 2020 and prompted the FBI Cyber Division in November to issue a warning, stating ransomware attacks against tribal entities have caused damages estimated to be in the millions of dollars. The attacks caused disruptions, including temporarily shutting down casinos, the theft of sensitive data like credit cards, and significant financial losses.
Las Vegas hasn’t been immune and major casino companies have already done full risk assessments and taken major steps to ward off hackers.
In February and March 2020, slot machines at the Four Queens and Binion’s in downtown Las Vegas were out of service and computers were down for days in what was reported as a suspected cyberattack.
In 2014, hackers, later determined to be Iranian, targeted Las Vegas Sands and stole credit-card data, Social Security numbers, and driver’s license numbers of customers. Hard drives were also wiped and the website defaced.
In 2015 and 2016, the Hard Rock reported data breaches that targeted credit cards. In 2013, Affinity Gaming reported its credit-card system was breached in 12 casinos in four states. In 2017, there was a report of an unnamed North American casino targeted by hackers through a fish-tank thermostat.
Board Chairman Brin Gibson told gaming operators in the audience that the regulations are needed. Once casinos determine their risk tolerance, they can prioritize cybersecurity activities to enable organizations to make informed decisions about potential vulnerabilities for expenditures, he added.
Gibson said gaming “is a critical piece of the state’s infrastructure,” even though it’s not state owned. It’s a primary economic driver for the state and “we want you all to protect it.”
The regulations would apply to holders of non-restricted licenses, license holders of a racebook or sportsbook, and a license holder of interactive gaming.
The proposed regulations require an internal auditor or other independent entity with cybersecurity expertise to perform and document observations, examinations, and inquiries of employees to verify cybersecurity best practices and procedures. They also require an independent accountant to conduct an independent review of best practices and procedures and attest to those in writing.
Gibson said the proposal provides flexibility in how operators manage risk assessments, so it doesn’t mandate annual or semi-annual audits, but he said it’s hoped that properties do them as often as they need to, based on their experiences.
“I want to make it clear that it’s not a safe harbor for licensees to do nothing between now and December 2023,” Gibson said. “Negligence is negligence and if there is any attack, and we review it and see that reasonable measures have not been taken, we still reserve the right to take action under Regulation 5 (that governs the operations of gaming establishments).”
Board members discussed whether a risk assessment should be done annually or every three years, but indicated the current draft addresses the issue, because operators could be sanctioned if attacked and didn’t take the necessary steps.
Boyd Gaming requested a risk assessment be required every two to three years, mirroring Iowa’s two years and Louisiana’s three years. South Point said an annual risk assessment “unfairly impacts single-property licensees” like their casino.
“Risk assessments aren’t inexpensive and for single-property licensees generally have to be performed by an outside consultant,” the South Point said in a letter. “We believe a risk assessment should only be required to be performed once every three years. … While we believe the requirement of a risk assessment every three years is adequate, that does not mean that a licensee will not continuously monitor the adequacy of its protection. We simply don’t believe an expensive procedure like a risk assessment should be mandated on an annual basis.”
Risk assessment should be an ongoing matter “once you’ve established and implemented whatever practices you’ve deemed fit, and part of an implementation will be on an ongoing basis to evaluate the risks as they might change, as well as technology when added or subtracted to an information system,” Jim Barbee, chief of the technology division at the Gaming Control Board, told the Board. “By setting a floor, it might imply the X number of years is an acceptable method of doing things, but if you waited three years for a risk assessment, you would be grossly out of date and at much more risk,” Barbee said.
Entities aren’t required to come into compliance with any recognized standard, but a baseline risk assessment and ongoing assessments must evaluate whether potential mitigation controls are needed, regulators said. Some measures could take much longer than a year to implement.
The board got feedback from other casinos to help clarify the proposed regulations, including the definition of a cyberattack. Many hackers are constantly attacking casino systems and are thwarted without getting access and taking any information, operators noted to the board.
“Boyd requests the definition of cyberattack be revised to include the term ‘successful’ to clarify that minor, entirely unsuccessful attempts to gain unauthorized access do not rise to the level of concern intended to be covered by the regulation,” it wrote in a letter. The board clarified that that is the case.
South Point wrote that a lot of planning and work go into implementing the requirements and that there aren’t a lot of independent cybersecurity experts in Nevada, which means the regulations become more expensive.
“We believe the effective date of the regulation should be at least two years after adoption, or November 1, 2024,” the company said in a letter to the Board.
South Point also noted that almost all licensees have cybersecurity insurance and insurance companies require steps be taken to prevent cyberattacks.
“Rather than adding specific requirements, perhaps an option permitting a licensee to carry cybersecurity insurance as an alternative to having to meet (some of) the requirements in subsections is arguably a better way to ensure that appropriate measures are taken by the licensee and that the public is protected,” the South Point said.