The Nevada Gaming Control Board (NGCB) wants to level up its fight against cybersecurity attacks.
This week, the NGCB made updates to the language in a draft of a new regulation (Regulation 5) that would impose a series of cybersecurity requirements on certain operators. The draft emphasizes the importance of operators protecting their information. The draft noted:
“It is critical that gaming operators take all appropriate steps to secure and protect their information systems from the ongoing threat of cyberattacks. Gaming operators must not only secure and protect their own records and operations, but also the personal information of their patrons and employees.”
How Regulation 5 would work
Regulation 5 calls for a new set of cybersecurity standards for its Group 1 licensees, which includes any Nevada casino that brings in at least $6.5 million in gross gaming revenue each year.
Basically, the regulations include the following directives:
- Set forth the importance of gaming operators doing everything they can to protect their information systems from cyberattacks.
- Define which gaming operators would be subject to Regulation 5.
- Require gaming operators to do annual risk assessments and determine what they need to do to stay secure.
- Operators need to document everything they do to comply with Regulation 5.
- Maintain Regulation 5 paperwork for five years and provide it to the NGCB upon request.
- Provide results of risk assessment.
- Take any actions needed to ensure operators comply with Regulation 5.
Additionally, operators would have up to 72 hours to report a cyberattack to the NGCB if it results in:
- A material loss of control
- Unauthorized disclosure of data or information
If the NGCB gets its way, Regulation 5 would kick in on Jan. 1, 2023.
South Point Casino, IGT respond
The NGCB has been workshopping Regulation 5 since the beginning of the month. During that time, South Point Hotel and Casino and IGT submitted public comments about Regulation 5.
South Point complains about annual assessment requirement
South Point, an off-strip casino, said that Regulation 5’s annual assessment requirement (Section 3) is too much. South Point wrote in a letter to the NGCB:
“With respect to Section 3 we firmly believe requiring an annual risk assessment is unnecessary and unfairly impacts single property licensees like the South Point. Risk assessments are not inexpensive, and for single property licensees, generally have to be performed by an outside consultant.”
As an alternative, South Point suggested changing the assessment testing to every three years.
South Point went on to list several other issues it had with Regulation 5. One of those issues is that South Point doesn’t want to hand over cyberattack information to NGCB servers. Doing so, the casino said, “may provide a ‘roadmap’ to hackers on the vulnerability of systems.”
The casino said it prefers the information not to be stored on the state’s servers that could be hacked.
IGT asks for changes to annual risk assessment, too
Like South Point, gaming company IGT took issue with the NGCB’s yearly assessment.
IGT said the NGCB should scrap the annual requirement and choose a timeline that meshes with the IT industry’s minimum internal control standards (“MICS”). The company suggested as guides CIS, COBIT, ISO/IEC and NIST SP assessment requirements.
Consequently, IGT’s proposed changes would allow flexibility for assessment requirements based on each company’s characteristics.
“We understand business operations to mean the direct gaming operations of that respective covered entity,” IGT wrote. “We also understand that the risks associated with each gaming operation can vary.”
Additionally, the company asked the NGCB to clarify the meaning of “information system” and offered a definition based on MICS.