- Nevada casino operators asked to carry out risk assessment of systems
- NGCB wants casino operators to be fully protected against cyberattacks
- Smaller casino operators feel an annual risk assessment is too expensive for them
After an FBI warning about growing cyberattacks that prompted many tribal casinos to close in several states since 2020, the Nevada Gaming Control Board (NGCB) has asked casino operators perform a risk assessment to protect their information systems.
The NGCB made the suggestions in a workshop held earlier this week.
NGCB Chairman Highlights Importance of Regulations
The NGCB recommended casino operators to look out for any breach that compromised sensitive player information and employee records. Operators were asked to report such infringements to regulatory authorities within 3 days of spotting them. NGCB chairman Brin Gibson emphasized the importance of cybersecurity regulations to make more informed decisions.
The recommendations come in the wake of several cyberattacks on casinos in New Arizona, California, Oklahoma, and Wisconsin, causing damages worth millions. The regulations will apply to interactive gaming, sportsbook, and non-restricted licensees. The new regulations could get rolled out from January 1, 2023, if approved by the Nevada Gaming Commission in a meeting on October 20, during the Cybersecurity Awareness Month.
The regulations state the requirement of an internal auditor with cybersecurity expertise to observe documents, conduct inquiries and determine the best procedures and practices. Besides an experienced auditor, an accountant will conduct, and attest a review of the practices. Gibson further clarified that any negligence will be promptly reviewed and dealt with under the provisions of Regulation 5, which oversees how gaming entities are operated.
Companies in Las Vegas have already performed risk assessments to keep hackers at bay. Gibson said that entities should perform annual or semi-annual risk assessments even if the regulations don’t necessitate it. Single property licensees such as Boyd Gaming and South Point deemed annual risk assessments an unfair and expensive exercise for entities like them as it would require a lot of planning. They prefer if the assessment could be conducted every two or three years instead of the annual basis recommended by the regulators.
NGCB’s Jim Barbee Cautions Against Delay
NGCB technology division chief Jim Barbee cautioned casino operators against delaying risk assessment as it might render them more vulnerable to risks. The regulator required licensees to conduct a baseline procedure to recognize if mitigation controls are needed.
Entities like Boyd also sought the revision of how cyberattacks were defined, besides clarifying the regulations, the NGCB noted. South Point suggested that the regulations should be effective after November 1, 2024.