During a webinar hosted by KPMG, Nicole Solaita, SVP and chief audit executive at Caesars, said cyber threats in the gaming industry are now “our new norm”.
She also noted that operators should be asking how frequently it could happen to them.
Reflecting on the highly impactive cyber-attack on Caesars last September, Solaita told the audience: “Unfortunately I’ve realised that this is really going to be our new norm in this corporate space.
“Education for the employees is so key in this space and training is clearly fundamental. But as much as you train and you try to be prepared, we’re seeing that some of these cyber events haven’t been all that sophisticated.”
Last year’s cyber security attack on Caesars stemmed from a social engineering attack on outsourced IT support.
The attackers had obtained customer data, including a copy of Caesars’ loyalty programme database. This included the driver’s licence numbers and social security numbers of various members.
Staff training is crucial
Solaita highlighted the difficulty in training staff to identify cyber security issues, as many attacks can be unsophisticated.
“It comes back to social engineering and you [can] find yourself frustrated because, although you train folks, for whatever reason I think some of that is fleeting and when they find themselves in the moment and they get a call, a request or an instruction, some of that critical thinking is not so instinctive and they just go on autopilot,” Solaita said.
“We’re going to have to really put all our efforts into this education space and really making sure everyone understands the risks and how we can be diligent at all times.”
Cory Fox, FanDuel VP for product and new market compliance, noted the online gaming environment was particularly different. But he added that it still presented a challenge in protecting extensive customer data.
“We are investing heavily in online security. We certainly do a fair amount of cybersecurity training to the point that it’s annoying those of us who are pretty good at identifying phishing emails, but we get quite a few of them every month to make sure that we’re all staying on our toes,” Fox told the panel.
He also said the unsophisticated nature of current cybersecurity attack architecture was a major risk.
Investors raise cybersecurity concerns
KPMG’s ‘State of risk in the gaming industry’ report said investors in gaming have become increasingly concerned about cyber risk. It prompted the US Securities Exchange Commission (SEC) to implement comprehensive new rules.
These are aimed at ensuring companies adhere to guidelines regarding the speed, reliability and effectiveness of their cyber-incident response plan.
The panel also considered the emerging cyber risks around generative AI and the growing use of AI across digital industries.
“In a large organisation, trying to put some guardrails around the usage [of generative AI] and then understanding the business use cases is a tremendous effort,” Solaita said of the technology’s potential.
“I’m super excited about really leveraging it, but there’s concerns, like who owns the data and who has access to the data? You don’t want to put your data privacy and protection at risk,” she added.
MGM faced a hugely financial damaging cyber attack on 11 September, which forced it to shut down certain systems. The firm said the attack had a negative adjusted property EBITDAR impact of approximately $100m.