.svg)
Body
Nevada regulators on Monday (September 26) continued their process to enact new cybersecurity regulations designed to ensure operators follow best practice when it comes to data protection.
The Nevada Gaming Control Board (NGCB) recommended passage of the regulation to the Nevada Gaming Commission after a public workshop on its proposed rule, although there will likely be some changes yet to be made before the commission votes on the draft.
“On the whole, I think it’s ready to go up, and we’ll make minimal changes between now and the commission,” said Brin Gibson, chair of the NGCB.
One of the biggest changes made to draft regulations since the measure was first proposed on September 7 is the removal of a provision that would have required operators to perform an annual risk assessment of their business operations and implement the cybersecurity best practice the operator deems appropriate.
Following feedback from several companies, including IGT, Boyd Gaming and South Point Hotel and Casino, the modified language now calls for Nevada gaming licensees to instead perform an initial risk assessment, and then “perform updated risk assessments as needed.”
“We firmly believe requiring an annual risk assessment is unnecessary and unfairly impacts single property licensees like the South Point,” wrote Barry Lieberman, an attorney representing South Point, in comments submitted last week. “Risk assessments are not inexpensive, and for single property licensees, generally have to be performed by an outside consultant.”
Jim Barbee, chief of the NGCB’s technology division, said that the control board envisioned a more ongoing review of cybersecurity methods rather than a formal annual review with the prior draft regulation.
Regulators are intending for operators to undertake a risk assessment when they make changes to their information systems or as they monitor potential threats, Barbee said.
“Although we did strike the word annually there, if you were only doing a risk assessment annually, I believe you would be wrong,” he added. “I believe best practices are to do that much more frequently than on an annual basis.”
That language may be the most likely to change before it reaches the commission level, as board members discussed potential ways to tweak the proposal to capture the spirit of the rule rather than implement a harder floor for cybersecurity assessments.
The new regulatory proposal also now excludes slot-route operators that do not expose gaming for play.
However, Kathleen Worley, compliance officer for Aristocrat Technologies, pointed out that even though the regulations were targeted at the property level, as written, they could still apply to manufacturers who share revenues and thus fall under the definition of exposing gaming for play.
