Boyd Gaming, which operates 11 casinos in southern Nevada, has expressed its support for a regulatory proposal to amend state regulations creating cybersecurity requirements, but has suggested several revisions due to “certain practical limitations” of running a gaming company.
The Nevada Gaming Control Board (NGCB) released the original draft language for cybersecurity rules last month prior to a scheduled hearing on September 7, before chairman Brin Gibson postponed the discussion due to an unusually lengthy board meeting that included the initial licensing of the Bally’s Corp. $308m acquisition of the Tropicana.
The NGCB then released four pages of updated proposed amendments to Regulation 5.260.
In a notice to licensees, the NGCB said it will now hold the workshop on September 26, with final approval of the proposed amendments a possibility at the October 20 meeting of the Nevada Gaming Commission (NGC).
Those companies potentially affected by the proposed regulations are nonrestricted licensees that operate 16 or more slot machines, “or operate any number of slot machines together with any other game, gaming device, race book or sports pool at one establishment,” and slot route operators.
Sportsbook operators and interactive gaming license holders would also be covered by the new requirements.
Michelle Rasmusson, vice president of regulatory compliance and corporate compliance officer with Boyd Gaming, submitted written comments dated September 4, 2022, suggesting several regulatory revisions.
As of Tuesday (September 13), Boyd is the only Nevada licensee to have submitted comments to state gaming regulators.
Rasmusson requested that the control board staff’s definition of “cyber attack” be revised to include the term “successful” to clarify that minor, entirely unsuccessful attempts to gain unauthorized access do not rise to the level of concern intended to be covered by the regulations.
Boyd also requested further guidance from regulators on the scope of the risk assessment proposed within an earlier draft of the proposed amendments.
The control board’s proposal for annual risk assessments did not change between draft regulations released August 25 and a third version released September 7.
According to the updated draft, licensees are required to perform a risk assessment annually and implement “best practices” to protect their systems.
The revised draft does allow a licensee to submit a written request for an alternative timetable and methodology for performing the required risk assessment for multiple “affiliated covered entities.”
Rasmusson asked the control board to revise the required annual risk assessment to every two or three years, which is consistent with other jurisdictions with similar rules.
“For example, Iowa required assessments every two years, and Louisiana and Missouri every three years,” said Rasmusson, whose company operates nine casinos in those three states.
Those requirements have worked well, according to one state regulatory official.
“For the most part, both the industry and commission have been pleased with the results of the network security regulations,” said Brian Ohorilko, administrator with the Iowa Racing and Gaming Commission.
“These regulations have been in place for a while now,” Ohorilko told VIXIO GamblingCompliance. “They are not perfect, but they do seem to be helping with ensuring network security is good at our facilities and that risks have been identified and addressed at each location.”
Ohorilko said Iowa regulators do believe the two-year assessment is adequate for the brick-and-mortar facilities at this time.
“We continue to evaluate the results from our assessments and may revisit if the need arises. For the online sports wagering companies, our rules require an annual assessment,” Ohorilko said.
“We believe there are differences in the type of data retained by the online companies and feel that the network assessments should be conducted more frequently for them,” he added.
In Boyd's comment letter, Rasmusson also requested that any information, reports and results of investigations provided to the Nevada Gaming Control Board be maintained as confidential, “as these documents may contain sensitive information including personal identifiable information.”
In her two-page letter, Rasmusson also requested a modification to the requirement to notify the NGCB within 72 hours of a cyber attack.
“Given how little may be known within the first 72 hours of a successful cyberattack, Boyd requests that the categories of information a covered entity is to provide to the board be qualified by ‘if known’ with the ability to supplement as more information becomes available.”
Rasmusson also asked for clarification regarding the frequency of internal audit assessment and independent review of a gaming company’s policies and procedures.
Nevada regulators are proposing that licensees designate an employee to be responsible for developing, implementing, overseeing and enforcing cybersecurity policies, as well as an internal auditor to verify that these procedures have been developed.
But the latest draft does not mention how often these internal auditor and independent reviews must occur.
Rasmusson concluded her written comments by reminding regulators that an annual risk assessment is likely unnecessary to accomplish the objectives set out in this regulation.