The Nevada Gaming Commission Thursday approved cybersecurity regulations for the state’s gaming industry to protect operators’ information systems from attacks that could shutter casinos and compromise customer data. The new rules go into effect on Jan. 1.
The approval came one day after BetMGM reported that its customers’ personal information, including Social Security numbers and transactions, was obtained in an unauthorized manner. In recent weeks, DraftKings reported hackers were accessing customer accounts and about $300,000 in funds was affected. BetMGM also reported that scammers were accessing bank funds from its poker players.
Casinos will be required to do a risk assessment of their systems by the end of 2023 and take any necessary and ongoing steps to ward off attacks. If any successful breach compromised player or employee data, credit-card information, and/or other records, properties will be required to report it to gaming regulators within 72 hours.
Cybersecurity has been in the sights of gaming regulators over the last two years, after ransomware attacks perpetrated against tribal casinos shuttered several of them. A year ago, the FBI Cyber Division issued a warning that ransomware attacks against tribes have caused millions in damages. In Las Vegas, the Dotty’s bar chain and the Four Queens and Binion’s were the victims of attacks on their computer systems.
The regulations apply to holders of non-restricted licenses, license holders of a race or sportsbook, and a license holder of interactive gaming.
Thursday’s discussion that took less than 25 minutes and focused on the regulations that had faced some initial opposition from operators.
Edward Magaw, a senior deputy attorney general for Nevada, told Commission members that the final-draft regulations incorporate many changes requested by the industry since the original was released in August.
The focus of the regulations is on entities with the highest cybersecurity risks or risk of damage, meaning larger properties with more exposure.
Magaw said that in evaluating and monitoring cybersecurity risks, the regulation provides flexibility in allowing operators to determine what procedures are appropriate. The Nevada Gaming Control Board doesn’t dictate procedures; instead, the Board leaves it to the judgment by the license holders, he said.
“Based on comments received from the industry, one change makes it less rigid, while another clarifies that an affiliate or third party may be used to perform the assessment and monitoring,” Magaw said.
The provision allowing the Board chair to approve modified timetables was removed. It was deemed unnecessary, given the modifications in the regulations, Magaw said.
When it comes to notifying the Board within 72 hours of a material cyberattack, one change is that operators won’t have to provide the Board with specified information; rather, they’ll provide information upon request by regulators.
“This was done for security reasons, as well as the dialogue between the licensee and Board on this issue,” Magaw said.
Operators are required to conduct a thorough investigation of what happened and notice of the completion of that review, then provide access to those results, Magaw said. That also includes reports from outside entities.
The regulations require that an internal audit or independent cybersecurity expert verify compliance with the best practices implemented by the licensee based on the risk assessment. The review needs to be performed at least once a year.
In response to a question from the Commission about the 72-hour requirement, gaming attorney Dan Reaser, representing the Association of Gaming Equipment Manufacturers, said that’s commensurate with what’s done in the banking industry.
Magaw said 72 hours is thought to give operators adequate time to gather their people, get an assessment of what happened, and provide a report to the board.
“It doesn’t mean they can wait 72 hours to respond or react to the cyberattack, but to notify us,” Magaw said. “We felt that was limited enough time that the Board, if there were risks to the industry as a whole, could take necessary measures to mitigate damage to other participants in the industry.”
Reaser pointed out that this regulation applies to operators, not manufacturers or distributors, and one of the issues that arose is many manufacturers had slot route operators licensees that would be captured.
“The one major issue I have with the regulation is unlike many other regulations, it has no waiver provision. So if it’s impossible to perform some aspect within some time period, you’re not giving the chair of the Board the ability to accommodate that issue whatsoever,” Reaser said. “There’s no safety valve and we have in the last 15 years been putting safety valves into most regulations.”
Magaw said the regulations were written broadly enough that a safety valve wasn’t needed. They give a lot of leeway to licensees in how they interpret and apply them.
Magaw also pointed out that they removed specific reporting requirements in the regulation, since operators might be working with the FBI or another agency to investigate and they might not be able to provide the Board any information until after 72 hours.
“It may be much later that they get that information to us, and that’s why we set it up to be once the investigation is completed, you give the Board access,” Magaw said.
