Nevada regulators finally addressing 2023 casino cyberattacks by updating reporting rules

  • UM News
  • Posted 2 months ago

The Nevada Gaming Control Board on Thursday held a workshop to begin the process of amending the state’s regulations regarding cybersecurity reporting, two years removed from the significant September 2023 cyberattack that crippled systems for Caesars Entertainment and MGM Resorts.

The workshop was a first step in amending the regulations to mitigate impacts, as well as negative coverage, of future incidents. A finalised version of the amendments still must be approved by the Nevada Gaming Commission on 18 December.

Ed Magaw from the state Attorney General’s Office laid out the proposed changes to reporting requirements under Nevada Regulation 5.260. Currently, licensees must notify the board of a cyberattack within 72 hours of a confirmed attack. The proposed changes would require operators to notify the board within 24 hours of a confirmed attack. The Nevada Resort Association, a trade group representing operators, pushed back on the adjustments, which were recommended unanimously.

That initial notification must then be followed by an Initial Cyber Incident Response report within five calendar days. From there, 30-day updates are required “until the cyber attack incident is fully resolved and documented”, the determination of which was left to the operator. A licensee may choose to meet directly with the board in lieu of the incident report, though the report would still be due 30 days after the meeting.

NGCB Chair Mike Dreitzer said the changes reflect the regulator’s “current belief” that the “current [regulation] doesn’t, in all ways, show best practice”. He said a “misalignment” has emerged between existing rules and future goals.

Those 2023 attacks, which board member George Assad referred to as “very chaotic” for operators and regulators, resulted in millions of dollars in damages from disruptions and a firestorm of media coverage. Caesars also reportedly paid a sizeable ransomware demand, whereas MGM did not.

Nevada operators must ‘get in touch’ early to stop cyberattacks

The changes recommended on Thursday did not involve bolstering cybersecurity systems or preventing attacks themselves. Rather, they aimed to establish a clearer line of communication. Board members stressed that the shortened response time was only imposed to keep them more informed. This notification could be as informal as an email or phone call; the phrase “get in touch” was used often.

Dreitzer said the option of a board meeting rather than an immediate incident report could be more effective in establishing where things stand as opposed to current procedures. It also might lower the operators’ burden of investigation by notifying regulators right away instead of having to prepare a detailed report.

“This is consistent with the feedback we’ve gotten from licensees who’ve gone through this process in real time, the idea being that sometimes it’s better for various reasons to have a meeting of notification as opposed to filling out a form, when all of the information is not yet known,” Dreitzer said. “So we feel that this approach is more consistent and more practical in application than the existing regulation.”

Industry stakeholders argued that this shortened time was challenging operationally. The Nevada Resort Association submitted comment to the board requesting that the 72-hour requirement be kept “based on practical application and industry experience”.

Operators sometimes contract with third parties for cyber services, and those contracts often give vendors 48 hours to notify licensees. Companies then typically want at least 24 hours to review the notification and make their own assessment. The board compromised by editing language to reflect that the 24-hour deadline applies to when operators themselves are made aware.

Cybersecurity efforts paramount for Nevada gaming industry

The sheer volume of cybersecurity threats that gaming companies face was a focal point of workshop discussion. In recent years, both retail and digital-facing gaming companies have become leading targets for cyber crime, in part because of their immense amount of player data and money exchanges.

According to a UNLV cybersecurity study from September, Nevada casinos in particular “are opportunistic targets because they have an extensive array of cyber entry points, have lots of money, and the public outcry is less conspicuous when they are attacked”. The study listed nearly 50 confirmed Nevada cyber incidents from 2007-2023, with the majority coming from 2015 onward.

This increase in activity might overload the board with “false alarm” notifications, stakeholders warned.

“There are a number of incidents that happen on a daily basis that we are investigating that never rise to the level of a material breach, which we could end up having to report by just giving the phone call,” said Erik Hanson, information security officer for Affinity Gaming.

This differentiation between a “material” breach and an unsuccessful attempt might be blurred under the new rules. Board members stressed a desire to be notified as soon as possible to avoid hearing about incidents from the media or third parties. Dreitzer said the board was “hesitant” to define “material” breaches given the differences between companies.

But as Caesars legal counsel Chandler Pohl stated, compliance will never be faster than social media.

“While the news may cover the incident, the licensee may not have made the determination that there was a material breach,” Pohl said. “And there could be a number of reasons why a slot floor or portion of a floor goes down that are unrelated to a cyber incident.”

Dreitzer spearheading litany of regulatory updates

Thursday’s workshop was the latest indication of a ramp-up in activity from the board. Dreitzer, who took office in June as the fifth board chair since January 2019, has already overseen multiple rule changes, including poker chip cashing policies and private gaming salon regulations.

This year has been arguably the darkest in Nevada’s regulatory history, with four entities receiving multimillion-dollar anti-money laundering fines. Three of those went to the state’s three biggest operators: Wynn Resorts, MGM Resorts and Caesars. Those investigations began before Dreitzer’s tenure.

On the sidelines of the Global Gaming Expo in October, Dreitzer told iGB that a multitude of new workshops were being planned.

Indeed, the board currently lists 12 proposed regulatory amendment processes in December alone. These range in scope from cybersecurity to horse racing technologies and surveillance.

 Cybersecurity has been top of mind in Nevada for several years as gaming companies grapple with increasing attacks. 
