Nevada Regulators Mulling Increased Cybersecurity Obligations

Cybersecurity has become a major topic of conversation for all businesses, including casinos. In light of multiple damaging attacks on tribal casinos in recent years, the Nevada Gaming Control Board and Chairman Brin Gibson are proposing increased regulations to ensure that patrons’ data is protected moving forward.

Due to the surge in cyberattacks against both tribal and commercial casinos over the past decade, the Nevada Gaming Control Board (NGCB) has proposed new cybersecurity regulations to better protect both operators and their patrons.

The NGCB held a workshop on September 26 with a number of high-profile gaming companies around the state to discuss these proposed obligations. During the 75-minute meeting, the board made it clear that if the regulations go into effect, operators would then be obligated to notify state officials of any cybersecurity breach within 72 hours.

October is federally recognized as Cybersecurity Awareness Month, and the Nevada Gaming Commission (NGC) will meet October 20 to vote on whether or not to approve the new regulations, which would go into effect starting January 1 of next year.

Since the beginning of 2020, cyberattacks have affected casinos in five different states—Arizona, Wisconsin, New Mexico, California and Oklahoma—and in November of that year, the FBI’s Cyber Division issued a formal warning to casino operators, specifically tribal owners, to start ramping up security efforts.

Commercial operators haven’t escaped these issues either, as Las Vegas Sands, Hard Rock, Binion’s and Affinity Gaming have all reported data breaches since 2014.

During the recent workshop, NGCB Chair Brin Gibson said that the board wants and expects all operators to invest in cybersecurity in order to protect the gaming industry and its patrons, which he called a “critical piece of the state’s infrastructure.”

If approved, the new regulations would require all operators, including race/sportsbook and iGaming companies, to commission multiple risk assessments and audits by third parties with cybersecurity expertise in order to establish best practices.

Gibson maintained that there is no mandated schedule for these assessments. However, he also noted that this is not a “safe harbor for licensees to do nothing between now and December 2023,” and that if unreported breaches are discovered, “we still reserve the right to take action under Regulation 5 (which governs the operations of gaming establishments).”

Iowa requires its operators to assess security systems every two years, and Louisiana enforces a three-year schedule. Some have predicted that Nevada may opt for an annual obligation, but representatives from the South Point in Las Vegas said that this is too much for single-property operators to take on.

In a statement, the company said, “Risk assessments aren’t inexpensive and for single-property licensees generally have to be performed by an outside consultant. We believe a risk assessment should only be required to be performed once every three years. … While we believe the requirement of a risk assessment every three years is adequate, that does not mean that a licensee will not continuously monitor the adequacy of its protection. We simply don’t believe an expensive procedure like a risk assessment should be mandated on an annual basis.”

South Point also requested that the regulations, if approved, not go into effect until November 1, 2024, so that operators have enough time to put the proper resources in place.

Jim Barbee, head of the NGCB’s technology division, responded by saying that risk assessment should be a continuous process, and shouldn’t be tied to a time window, as that may make operators lazy.

“By setting a floor, it might imply the X number of years is an acceptable method of doing things, but if you waited three years for a risk assessment, you would be grossly out of date and at much more risk,” he said.

Boyd Gaming also requested that “the definition of cyberattack be revised to include the term ‘successful’ to clarify that minor, entirely unsuccessful attempts to gain unauthorized access do not rise to the level of concern intended to be covered by the regulation.” The board agreed.