.svg)
Body
Nevada’s casinos have until the end of the year to perform a risk assessment of the vulnerability of their computer systems to cyberattacks that could potentially compromise customer data and negatively affect the state’s lucrative gaming industry.
The amendments to Regulation 5, which govern the operation of gaming establishments, took effect on January 1 and give some 400 non-restricted gaming licensees until December 31, 2023 to perform a risk assessment of their systems and take any necessary and ongoing steps to protect their infrastructure.
“This requirement is intended to allow all covered entities the discretion to determine what resources are appropriate,” said Edward Magaw, a senior attorney general with the Nevada attorney general’s office.
“The Nevada Gaming Control Board purposely does not dictate what specific procedures must be implemented,” Magaw said. “It is a business judgement by the individual licensee.”
Properties are also required under the new regulations to report any successful breach that compromises player or employee data, credit card information, and other records or infrastructure to gaming regulators within 72 hours.
“It doesn’t mean they can wait 72 hours to respond or react to the cyberattack, but to notify us,” Magaw said. “We felt that was limited enough time that the board, if there were risks to the industry as a whole, could take necessary measures to mitigate damage to other participants in the industry.”
Magaw said the Nevada Gaming Control Board (NGCB) must request information about any cyberattack instead of the licensee automatically submitting information about the incident.
“This was done for security reasons,” he added.
The amended regulations give licensees broad latitude to how they must develop the cybersecurity practices they deem appropriate. The new regulations were also changed to allow licensees to use an affiliate or third-party company to conduct the assessment and monitoring.
Magaw said the goal of these regulations is to provide a general framework for certain licensees to follow to protect their computer systems and the information stored on them from the threat of cyberattacks.
The cybersecurity regulations apply to non-restricted licensees, license holders of a race and sportsbook, and an interactive gaming licensee.
“Ensuring a safe and secure environment is always a top priority for our members, and they will continue to remain in compliance with all gaming regulations,” Virginia Valentine, president of the Nevada Resorts Association (NRA), told VIXIO GamblingCompliance via email.
The effort by gaming regulators to enact new cybersecurity regulations took four months to complete, with the five-member Nevada Gaming Commission (NGC) unanimously approving a final draft dated October 17, 2022, during its last monthly meeting of 2022 on December 22.
The NGCB recommended passage of the four-page revised document dated September 7, 2022 to the commission on September 26, but final consideration of the proposal was delayed until last month while the industry and regulators worked out their differences and submitted the final draft.
One of the biggest changes made to the regulations was the removal of a provision that would have required operators to perform an annual risk assessment of their business operations and implement the cybersecurity best practice the operator deems appropriate.
Boyd Gaming, IGT and South Point Hotel and Casino successfully lobbied for the modified language calling for licensees to perform an initial risk assessment, and then perform updates as needed.
During the NGC’s hearing last month, commissioner Ogonna Brown asked Dan Reaser, an attorney with Fennemore who represented the Association of Gaming Equipment Manufacturers (AGEM), if there was any discussion about making the 72-hour rule shorter or longer.
“We did not have any concerns about the 72-hour rule,” Reaser said. “There are similar regulations for financial institutions.”
Magaw said regulators' concern about setting a time limit was giving licensees “adequate time to gather their people to get an assessment of what happened and provide us with a report.”
Reaser told the commission the “one major issue” he has with the regulations was unlike other gaming regulations there is no waiver provision, so if there is an impossibility to perform some aspect of the regulations within the time period, “you have not given the NGCB chair the ability to accommodate that issue.”
“This is a right live set of regulations and there is not a safety valve,” he said. “We have, at least in the last 15 years, been putting safety valves in most regulations.”
Magaw admitted the NGCB did evaluate the benefit of adding a waiver but determined the regulations were written broadly enough that it really was not necessary to provide a waiver provision.
