Nevada casinos will be required to protect their customers, employees and themselves against computer cyberattacks after the Nevada Gaming Commission voted on Thursday to unanimously approve an amendment to the state gambling regulations.
The amended regulation takes effect on January 1. It gives the state’s more than 400 non-restricted casino operators a year to develop risk assessment plans that will have to be updated at least annually, and directs operators on how they must report any cyberattacks to state regulators.
Thursday’s meeting was attended by representatives of the Nevada Resorts Association and the Association of Gaming Equipment Manufacturers. The parties voiced no objections to the new regulation, reports Las Vegas Review-Journal, which had public hearings in the fall.
While most major casinos have ample security built into their data systems to prevent data breaches, resorts are occasional targets of hackers. For instance, the former Hard Rock Hotel – now Virgin Hotels Las Vegas – reported a data breach in 2015. Customers were alerted to check their credit card statements for a seven-month period from Sept 2014 to April 2015.
The regulation gives broad latitude to how casino and sportsbook operators protect themselves, saying they must develop “the cybersecurity best practices it deems appropriate.” After performing an initial risk assessment, each licensee shall continue to monitor and evaluate cybersecurity risks to its business operation “on an ongoing basis” and shall modify its cybersecurity best practices and risk assessments “as it deems appropriate.”
In case there is a cyberattack that results in a data breach, the new regulations require licensees to notify the Nevada Gaming Control Board within 72 hours. The operator will be required to explain the root cause of the cyberattack, the extent of the attack, and any actions taken or planned to be taken to prevent similar events from occurring again.
Virginia Valentine, president of the Nevada Resorts Association, said she and several of the association’s members attended previous public meetings involving discussions on the matter, and that their comments at those meetings were ultimately incorporated into the amended regulation.
While Daron Dorsey, executive director of the Association of Gaming Equipment Manufacturers, did not address the commission, AGEM sent a Nov. 21 letter to the commission outlining eight suggested revisions to the regulation that were incorporated into the final document, reports Review-Journal. Most of the suggestions were clarifications to stated policies.
The new regulations come at an appropriate time for the industry, taking into account BetMGM announced on Wednesday that personal information – including Social Security numbers and transactions – from some of its patrons was obtained in an unauthorized manner.
Moreover, in recent weeks, DraftKings also reported hackers were accessing customer accounts, and that about $300,000 in funds was affected. And in addition to this week’s notice, BetMGM has also reported that scammers were accessing bank funds from its poker players.