Nevada Gaming Control Suggests More Assurance on Cybersecurity

Posted on: September 27, 2022, 01:16h. 

Last updated on: September 27, 2022, 03:44h.

The Nevada Gaming Control Board (NGCB) is recommending that most gaming licensees be required to take additional steps to protect their data.

Nevada Gaming Control Board cybersecurity casino gambling
The Nevada Gaming Control Board wants to require that most gaming operators regularly review their cybersecurity protections and update those security measures. But some licensees say such an annual review would be costly and overly burdensome. (Image: Nevada Gaming Control Board)

The NGCB held a workshop on Monday to draft amendments to Regulation 5 — the Operation of Gaming Establishments in Nevada. The board — which has the primary purpose of “protecting the stability of the state gaming industry through licensing, investigation, and enforcement of laws and regulations —  thinks casinos and other licensees should do more to strengthen their cybersecurity.

Following the workshop, the NGCB drafted an amendment to Regulation 5, suggesting that certain gaming operators, including casinos, non-restricted licenses, and racebook and sportsbook permit holders, regularly review their cybersecurity protections and report their findings to the state.

It is critical that gaming operators take all appropriate steps to secure and protect their information systems from the ongoing threat of cyber attacks,” the NGCB amendment draft reads. “Gaming operators must not only secure and protect their own records and operations, but also the personal information of their patrons and employees.”

To achieve that mission, the NGCB is suggesting that most gaming licensees annually hire an independent third-party auditor specialized in cybersecurity to review the company’s electronic information, data, hardware, software, and overall computer systems and networks. Each licensee would then be required to implement patches, fixes, and assurances based on the assessor’s findings.

Board Backlash

The NGCB reports to the Nevada Gaming Commission (NGC), the five-member board that oversees the state’s gaming industry. The NGC is set to consider the board’s cybersecurity rules on October 20. In the meantime, licensees are submitting comments on the proposed regulatory changes.

South Point Casino, located south of the Las Vegas Strip, is one licensee that has expressed concerns with the cybersecurity recommendation. The casino says such a requirement would unfairly impact its resort compared with larger casino operators.

We firmly believe requiring an annual risk assessment is unnecessary and unfairly impacts single property licensees like the South Point. Risk assessments are not inexpensive, and for single property licensees, generally have to be performed by an outside consultant,” South Point attorney Barry Lieberman wrote in a letter to the NGCB.

South Point is urging the NGC, should it decide to accept the board’s recommendation regarding increased cybersecurity measures, that assessments be required every three years instead of annually.

Attorneys representing Aristocrat Leisure and IGT, two leading gaming manufacturers, appealed for the board to more definitively define “information system.” Boyd Gaming suggested that the board clarify what constitutes a “cyber attack” and exclude unsuccessful IT infiltration attempts from being required to be reported to the state.

The board’s Regulation 5 cybersecurity draft requires licensees to inform the NGCB of any cyberattack on their information systems within 72 hours.

Attacks Increasing

Tribal casinos have emerged as prime targets for hackers. The FBI Cyber Crime Division warned the tribal gaming industry that tribes have become desirable targets among ransomware groups. That’s after numerous casinos operated by Native American tribes were attacked online in 2020 and 2021,  

Commercial gaming operators aren’t immune from these attacks either.

In 2019, MGM Resorts admitted that personal data on roughly 30 million guests had been compromised through a cyberattack. And last year, Dotty’s said it was the victim of a cyberattack that resulted in the personal information of employees and guests being stolen.