Posted on: December 23, 2022, 11:05h.
Last updated on: December 23, 2022, 12:18h.
The Nevada Gaming Commission on Thursday approved an amendment to regulations designed to protect the state’s gaming industry from cyberattacks that could cripple operations and breach customer information.
The regulation, which goes into effect on January 1, requires operators to report all successful breaches to gaming regulators within 72 hours of the breach. It also gives operators a year to develop risk assessment plans that must be updated annually.
The amended regulation applies to the state’s more than 400 nonrestricted casino operators, as well as to all licensed sportsbook and interactive gaming businesses operating in the state.
Thursday’s discussion took less than 25 minutes and focused on regulations that faced some initial opposition from operators. Representatives of the Nevada Resorts Association and the Association of Gaming Equipment Manufacturers were in attendance, but voiced no objections to the amendment, which had public hearings in the fall.
Edward Magaw, Nevada’s senior deputy attorney, told commission members that the final draft of the regulations incorporates many changes requested by the industry since a first draft was released in August.
New Requirements Explained
According to the amended regulations, any successful breach compromising player or employee data, credit card information, and/or other records must be reported to the Nevada Gaming Control Board within 72 hours of the breach. Operators are required to explain the root cause of the cyberattack, its extent, and any actions taken or planned to prevent similar events from occurring.
Operators have until the end of 2023 to perform their initial risk assessment and take any necessary and ongoing steps to ward off attacks. Afterward, according to the amendment, each licensee “shall continue to monitor and evaluate cybersecurity risks to its business operation on an ongoing basis.”
When an area requiring improvement is identified, operators have discretion on how to address it. No specific measures are dictated by the amendment, only that each operator “modify its cybersecurity best practices and risk assessments as it deems appropriate.”
An internal audit or independent cybersecurity expert must verify operator compliance with best practices based on the risk assessment.
The regulation change came only a day after BetMGM notified patrons of a data security issue in which customer information – including hashed Social Security numbers – was “obtained in an unauthorized manner,” and a month after DraftKings reported the theft of $300K from customer accounts with compromised login information.
Last year, the FBI’s Cyber Division reported that ransomware gangs hit several tribal casinos, taking down their systems, disabling connected systems, and causing millions of dollars in damages. The targets included four casinos and two travel center gaming parlors owned and operated by the Cheyenne and Arapaho Tribes of Oklahoma, and the Menominee Casino Resort in Wisconsin.
Also last year, the Dotty’s chain of 120 Nevada gaming bars reported a data breach. And in 2020, the Four Queens and Binion’s Gambling Hall were closed for almost a week following a cyberattack that affected their slot machines and other systems.