Under Nevada’s new cybersecurity rule for gaming operations, if an operation is breached by a cyberattack, it has some stringent reporting requirements beyond the federal requirements.
Nevada has enacted this new regulation because they know that in the event of a breach you won’t have time to figure it out. Seconds will make the difference between containment or complete collapse. —The latter has been the case in many incidents we’ve seen in which organizations were not fully prepared.
The cybersecurity breach notification process must be fully documented to provide team instruction in the case of an incident.
There are a lot of false ideas around the first actions to take in a cybersecurity breach, such as:
- immediately pulling the network cable,
- isolating the affected device, or
- starting immediate recovery.
These could all be worse choices. Having the breach process fully documented will guide your team through correct, critical steps after a breach, and, perhaps most importantly, instruct them on calling in the right reinforcements for the situation—whether they be executive management, the insurance company, or law enforcement.
Know the Rules: Nevada’s Reporting Requirements During or After a Cyberattack
- Written Notification to Leadership
The first of the reporting requirements is to provide written notification of the cyberattack to the organization’s Board or executive management as soon as practicable, but no later than 72 hours after becoming aware of the cyberattack. - Provide Incident Detail to Leadership
The second requirement is that, upon request, the operation shall provide the Board or executive management with specific information regarding the cyberattack. - Investigate & Document the Cyberattack
The third is to perform (or have a third-party perform) an investigation into the cyberattack, prepare a report documenting the results of the investigation, notify the Board of the completion of the report, and make the report available to the Board for review upon request. The report must include, without limit:- the root cause of the cyberattack,
- the extent of the cyberattack,
- and any actions taken or planned to prevent similar events that allowed the cyberattack to occur.
- Keep the Board in the Loop
The fourth and final requirement is to notify the Board when any investigation (or similar action) taken by an external entity is completed and to make the results available to the board or upon request.
Important Note: After the incident has been closed, unfortunately, you’re still not done. You must determine what information was disclosed, to whom, and whether you have further reporting requirements. This where you’ll most need expert advice you can trust.
Let’s Make This Easier
REDW’s cybersecurity experts carry decades of trusted expertise in both cybersecurity and the gaming and hospitality industries.
We’re standing by to help you make cybersmart decisions that help your operation comply with Nevada’s new cybersecurity rule and frame a more secure future amidst evolving cyber threats.
Contact IT & Cybersecurity Director Brian Grayek for guidance and to discuss managing your risk and compliance with Nevada’s new rule.
Use the How can we help? form on this page to get in touch.
