The Nevada Gaming Control Board held a workshop on Thursday to start updating the state's cybersecurity reporting regulations. This development comes two years after a significant cyberattack in September 2023, which severely impacted the systems of Caesars Entertainment and MGM Resorts.
This workshop marked a step towards amending the regulations to better handle the consequences of such incidents and lessen negative publicity in the future. The proposed changes will be reviewed by the Nevada Gaming Commission on December 18 for final approval.
Ed Magaw from the state Attorney General's Office outlined the proposed modifications to the reporting requirements under Nevada Regulation 5.260. Currently, gaming licensees are required to notify the board of a cyberattack within 72 hours of confirmation. The new proposal aims to shorten this notification period to within 24 hours. The Nevada Resort Association, representing operators, expressed concerns regarding the recommended changes, even though those recommendations were made unanimously.
Following initial notification, licensees will need to submit an Initial Cyber Incident Response report within five calendar days. They must then provide updates every 30 days until the incident is resolved and documented, as determined by the operator. Licensees have the option to meet directly with the board instead of filing an incident report, although that report still needs to be submitted 30 days after the meeting.
NGCB Chair Mike Dreitzer remarked that the proposed amendments reflect the board's current understanding that existing regulations do not fully represent best practices. He noted that a “misalignment” exists between current rules and future objectives.
The cyberattacks in 2023, described by board member George Assad as “very chaotic,” resulted in significant financial losses due to operational disruptions and extensive media coverage. Reports indicated that Caesars paid a substantial ransomware demand, while MGM did not.
The changes discussed during the workshop do not enhance cybersecurity systems or prevent attacks but instead aim to improve communication between operators and regulators. Board members emphasized that the goal of a shorter notification period is to keep them informed more effectively. This initial notification could be as simple as an email or phone call; the phrase “get in touch” was frequently mentioned during discussions.
Dreitzer suggested that opting for a board meeting instead of an immediate incident report might yield a clearer understanding of the situation than the current filing process. This approach could also lessen the investigative burden on operators by enabling them to alert regulators promptly instead of preparing a detailed report.
Dreitzer noted, “This is consistent with the feedback we’ve gotten from licensees who’ve gone through this process in real time… sometimes it’s better to have a meeting of notification than filling out a form when all of the information is not yet known. We feel that this approach is more consistent and more practical than the existing regulation.”
However, industry stakeholders said the reduced timeframe could complicate operations. The Nevada Resort Association requested that the board maintain the 72-hour requirement, arguing that it is more practical based on industry experiences.
Operators sometimes hire third-party vendors for cybersecurity services, which generally allow those vendors 48 hours to notify the licensees. This means companies need at least 24 hours to assess these notifications. The board compromised by updating the language to clarify that the 24-hour deadline applies once operators are aware of the incident.
The increase in cybersecurity threats against gaming companies was a significant topic during the workshop. Both retail and online gaming operators have become prime targets for cybercriminals due to the vast amount of player data and financial transactions they manage.
A UNLV cybersecurity study from September indicated that Nevada casinos are especially attractive targets because they possess numerous cyber entry points, substantial financial resources, and generate less public outcry when attacked. The study identified almost 50 confirmed cyber incidents in Nevada from 2007 to 2023, with most occurring since 2015.
Stakeholders warned that an uptick in cyber incidents might result in an overwhelming number of “false alarm” notifications. Erik Hanson, information security officer for Affinity Gaming, stated, “There are a number of incidents that happen daily that we are investigating that never rise to the level of a material breach, which we could end up having to report by just giving the phone call.”
Board members acknowledged the potential confusion between what constitutes a “material” breach and an unsuccessful cyber attempt under the new rules. They expressed a need to be notified promptly to avoid learning about incidents through media or third parties. Dreitzer admitted the board was hesitant to specifically define “material” breaches due to the variability between companies.
Compliance with reporting regulations will be challenging, as highlighted by Caesars legal counsel Chandler Pohl. “While the news may cover the incident, the licensee may not have determined that there was a material breach,” he explained. “There could be numerous reasons a slot floor or part of a floor goes down that are unrelated to a cyber incident.”
Dreitzer’s leadership has prompted significant regulatory updates since he took office in June; he is the fifth board chair since January 2019. This year has been particularly scrutinized in Nevada’s regulatory framework, with four entities facing multimillion-dollar anti-money laundering fines, three of which were levied against major operators: Wynn Resorts, MGM Resorts, and Caesars. These investigations were initiated prior to Dreitzer’s tenure.
On the sidelines of the Global Gaming Expo in October, Dreitzer announced plans for more workshops. The board lists 12 proposed regulatory amendment processes scheduled for December, covering topics from cybersecurity to horse racing technologies and surveillance.
