.svg)
Body
The Nevada Gaming Control Board (NGCB) will consider how to proceed with several proposed amendments to state gaming laws creating new cybersecurity requirements for operators at a workshop next month.
According to the four-page draft document released Tuesday (August 23), regulators reminded licensees that in accordance with the state gaming law “it is critical that gaming operators take all necessary steps to secure and protect their information systems from the ongoing threat of cyber attacks.”
“Gaming operators must not only secure and protect their own records and operations, but also the personal identifiable information of their patrons, employees, and vendors,” the document states.
Those businesses potentially affected by the proposed regulations are nonrestricted licensees that operate 16 or more slot machines, “or operate any number of slot machines together with any other game, gaming device, race book or sports pool at one establishment,” and slot route operators.
Sportsbook operators and interactive gaming license holders would also be covered by the new requirements.
“Given the ever growing risks of cyber attacks, the Nevada Gaming Control Board strongly believes that it is essential that our licensees take steps to evaluate and mitigate the impact of those risks on their operations and to preserve the integrity of gaming,” Michael Lawton, the NGCB’s senior economic analyst, said Tuesday.
Lawton said the NGCB has issued guidance in the past regarding licensees' cyber responsibilities.
In a notice to licensees dated October 23, 2020, the control board reminded licensees they are responsible for implementing and ensuring adherence to best practices related to cybersecurity.
Among the areas of concern were taking appropriate steps to secure and maintain devices and networks, protecting data from compromise or loss, cybersecurity threat monitoring, and maintaining a cyber incident response plan.
In recent years, ransomware attacks have cost commercial and tribal operators millions of dollars to repair the damage done to their information systems.
Last year, six tribal casinos in Oklahoma were forced to close after hackers used ransomware to seize customer information and damage their computer systems. Those incidents led the FBI to issue a notice to tribal operators warning them of potential attacks.
In recent years, both New Jersey and Massachusetts have increased their cybersecurity rules, with New Jersey requiring casinos’ heads of information security to be afforded the same level of responsibility as heads of other departments.
The Nevada Resort Association, a lobbying group for the state's gaming and hospitality industry, said Tuesday it is reviewing the regulations and had nothing else to add at this time.
Among the proposals being considered by Nevada regulators at their September 7 workshop is a requirement that licensees perform annual risk assessments of their business operations and implement best practices to adequately mitigate the risk of a cyber attack.
A casino that experiences a cyber attack to its information system resulting in the loss of control, compromise, unauthorized disclosure of data or information will be required to notify the NGCB as soon as practicable but no later than 72 hours after becoming aware of the cyber attack, according to the proposed amendments to Regulation 5.
The NGCB would also require the notification to include a description of the nature and scope of the cyber attack, how it was discovered, when it was discovered, whether it is ongoing, the systems affected, the impact on operations, and the actions taken to contain the cyber attack.
Gaming companies would be required to inform regulators of any government agencies notified of the attack, such as the FBI’s Internet Crime Complaint Center. They will also be required to perform or have a third-party perform an investigation into the incident and provide a report to the control board.
The report filed with the NGCB must include the cause of the attack, the extent of the cyber attack, and any actions taken or planned to be taken to prevent similar events, and provide regulators with the results of any investigation undertaken by the licensee or a third party.
Nevada regulators are also considering requiring licensees to designate an employee to be responsible for developing, implementing, overseeing, and enforcing cybersecurity policies, as well as an internal auditor to verify that these procedures have been developed.
Licensees will be required to keep all their records for a minimum of five years unless the NGCB chair approves otherwise in writing. The NGCB also warned that failure to comply with the regulations “may result in disciplinary action being broad by the board."
The Nevada Gaming Commission (NGC) is debating the proposal on September 22. All changes would become effective upon approval by the five-member commission.
