The Nevada Gaming Commission has approved cybersecurity regulations for the gaming industry, set to come into effect on January 1st. The move comes after a series of announcements by operators that customers’ personal information had been obtained illegally – such as those announced by BetMGM and DraftKings.
Under the new regulations, operators have until the end of 2023 to carry out risk assessments of their systems, and any future successful breach which compromises data of players, employees or other records must be reported to regulators within 72 hours.
A note from the commission states that ‘a failure to comply with the requirements of the new regulation constitutes an unsuitable method of operation,’ with the commission able to ‘take such additional actions as may be necessary and proper to effectuate this stated purpose’.
According to reports, the regulations will apply to holders of non-restricted licenses, sportsbook or race license holders and interactive gaming license holders.
However, the main focus is on larger properties that have more exposure to risk.
During debate on the new regulation, officials indicated that it would allow operators the flexibility to choose which procedures are appropriate for handling issues, rather than dictating all procedures.
Under the 72-hour reporting requirement, operators need only provide information upon request by regulators, rather than specified details. They must also conduct an investigation and issue a notice of completion of the review, giving the commission access to the results.
Internal audits or external expert verification of risk assessments will be required once a year.