On Thursday, the Nevada Gaming Control Board took decisive action to amend cybersecurity reporting rules, a significant move spurred by the crippling cyberattacks on Caesars Entertainment and MGM Resorts in September 2023. This workshop marked the beginning of a process to update regulations and is set to conclude with a final vote by the Nevada Gaming Commission on December 18.
Ed Magaw from the state Attorney General’s Office outlined proposed amendments to Nevada Regulation 5.260, aimed at strengthening the current reporting framework. Under existing rules, licensees must inform the board of a cyberattack within 72 hours of confirmation. The proposed changes mandate notification within 24 hours, a shift met with resistance from the Nevada Resort Association, which represents various operators in the state.
The amendment also requires an Initial Cyber Incident Response report within five days of the attack, followed by updates every 30 days until resolution. This approach emphasizes the importance of immediate communication. Board Chair Mike Dreitzer highlighted the current misalignment between existing regulations and future objectives, noting that the new rules are designed to improve upon best practices.
The 2023 cyberattacks, described by board member George Assad as “very chaotic,” inflicted millions in damages and drew widespread media attention. Caesars allegedly paid a hefty ransom, while MGM did not. The urgency of addressing these vulnerabilities is clear, yet the proposed changes focus on communication rather than prevention, aiming to streamline how incidents are reported.
Operators are encouraged to “get in touch” promptly, a phrase that underscores the preference for informal communication channels like emails or phone calls. This method is considered more effective than current procedures, which require detailed reports that may not capture the incident’s status accurately.
“This is consistent with feedback from licensees who have dealt with these issues in real time,” Dreitzer explained. “Sometimes a meeting is more practical than filling out a form when information is incomplete.”
However, industry stakeholders, including the Nevada Resort Association, voiced concerns over the 24-hour reporting deadline, citing operational challenges. Many operators rely on third-party vendors for cybersecurity services, and contractual terms often allow vendors 48 hours to notify operators, who then need additional time to assess the situation.
The sheer volume of cyber threats facing the gaming industry was a central topic during the workshop. Gaming companies, both brick-and-mortar and online, are prime targets due to their extensive player data and financial transactions. A UNLV cybersecurity study highlighted that Nevada casinos are particularly vulnerable, with nearly 50 confirmed incidents from 2007 to 2023—most occurring after 2015.
Erik Hanson, information security officer for Affinity Gaming, warned that the increase in cyber activities could overwhelm the board with notifications that may not constitute material breaches. This concern emphasizes the need for clear definitions within the new rules, though board members remain hesitant to rigidly define “material” breaches due to varying company circumstances.
Despite these challenges, the urgency for rapid incident notification remains. As Chandler Pohl, legal counsel for Caesars, pointed out, compliance efforts struggle to keep pace with the speed of social media, which can disseminate information about incidents before a material breach determination is made.
The workshop is part of a broader initiative led by Dreitzer, who has been active in updating various regulations since his appointment as board chair in June. Despite a tumultuous year marked by significant anti-money laundering fines against major operators like Wynn, MGM, and Caesars, Dreitzer remains focused on improving regulatory processes.
As the board navigates these complex issues, it is clear that enhancing cybersecurity measures is paramount for protecting Nevada’s gaming industry. With the casino sector facing mounting cyber threats, these regulatory changes represent a critical step toward fortifying defenses and ensuring operators are better prepared to manage future incidents.
4.4/5
