The new Nevada gaming cybersecurity rule (NRS 463.0129) went into effect in January with novel and specific requirements for casino operators. As the gambling industry handles enormous amounts of sensitive patron and employee data, gaming entities are a prime target for data breaches and identity theft. So, in addition to securing and protecting their own records and operations, gaming operators must shield personal information of their patrons and employees. The consequences for failing to do so could be substantial according to this new regulation.
Assuming that you, as a casino operator, have fulfilled the first of the new cybersecurity rule’s requirements – an initial security risk assessment conducted by an outside party – what else do you need to do? Simply understanding your organization’s risks and potential security gaps and vulnerabilities is not enough to ensure compliance.
Listen to our podcast on this topic, Gaming Cybersmart: New Cybersecurity Regulations in Nevada
Proof of Action Items From the Security Risk Assessment
Naturally, addressing any security risk assessment action items is good business practice, and can mean the difference between a costly data breach or conducting business as usual. The key to compliance for this part of the new Nevada gaming rule is proof of action. Not only must your gaming operation continue to monitor cybersecurity risks, but you must also develop a plan and address risks when they arise.
Any cybersecurity risk assessment should include a “treatment plan” to effectively bring your operation to an acceptable risk level in a timely manner.
This should include:
- Listing all the cybersecurity risks
- Steps necessary to address each action item
- Timelines for completion
- Parties responsible for ensuring completion of each step
- Budgets necessary to mitigate these risks
Documenting your completion of these steps, or noting progress in implementing them, is how your operation can prove you have addressed the required action items.
Additional Requirements
In addition to the areas mentioned above, casino gaming operations subject to Nevada’s gaming cybersecurity rule have four more requirements:
- The gaming operation must designate a qualified cybersecurity team member to be responsible for developing, implementing, overseeing, and enforcing the covered entity’s cybersecurity best practices and procedures. This team member cannot also be the organization’s internal auditor for reasons explained below.
- The operation must verify that the covered entity is following cybersecurity best practices and procedures, at least annually, by using an internal auditor or another independent entity. With either choice, they are required to have expertise in the field of cybersecurity to perform and document observations, examinations, and inquiries of employees. The internal auditor cannot also be the designated, qualified cybersecurity team member mentioned above.
- The casino operation must retain all documents prepared by the internal auditor for five years.
- With the new rule, the covered entity is required to document, in writing, all procedures taken to comply with the new NRS rule.
Developing Cybersecurity Best Practices
Beyond documenting that you have addressed any security risks, your compliance with the new rule includes developing cybersecurity best practices – the policies and procedures your operation will take to secure customer and employee data. Mitigating cybersecurity risks is an ongoing task requiring time and resources to monitor, respond and adjust as needed. Written and widely distributed best practices provide a repeatable model for reducing chances of a cyberattack and conducting future assessments.
Consider that if you don’t develop and follow these policies and procedures, you will not be able to prove your gaming operation is within compliance with the new cybersecurity rule in Nevada.
So, what exactly does the rule mean by “best practices” and how many policies and procedures are required to prove compliance?
According to the United States Cybersecurity & Infrastructure Security Agency, cybersecurity best practices start with requiring strong passwords and multi-factor authentication, the most up to date software, and training users to question and report suspicious links. These basics form the minimum level of “cyber hygiene,” and should already be part of your operation’s cybersecurity practice. They should also be incorporated in any best practices document.
Implementing tailored cybersecurity practices is just as vital to protecting and maintaining your gaming operation. Consider these additional best practices to strengthen security:
- Regular security assessments and testing that simulate cyberattacks to evaluate the effectiveness of your security measures.
- Incident response and recovery plans to minimize potential damage, recover quickly, and boost organizational confidence.
- Collaboration with industry partners and law enforcement to share threats and develop countermeasures.
Embracing a Security First Outlook
Adopting these (and other) policies, procedures, and additional security solutions as they arise, your Nevada gaming operation can better safeguard your employee and customer data as you align operational practices with the new gaming cybersecurity rule. A security first mindset provides crucial confidence and better enables the gaming industry to thrive in a world of high stakes.
Our expert cybersecurity advisors have decades of trusted experience to help you and your gaming operation get cybersmart.
Looking for a quick, holistic analysis of your organization’s cybersecurity risk? Ask about REDW’s Security Scorecard. Our best-in-class information security platform evaluates 10 vital risk factors from an attacker’s perspective and delivers a clear, concise report card with actionable details that reveal just where —and how— you can strengthen your defenses across the board.
Contact Brian Grayek, REDW IT & Cybersecurity Consulting Director, to discuss your next steps.
More Cybersecurity Insights from REDW
- Tribal Cybersecurity Grant Program (TCGP) Requirements: FEMA Announces $18.2M to Address Cyber RiskFEMA announced the funding of a new grant—the Tribal Cybersecurity Grant Program (TCGP)— to aid tribal leaders in protecting their communities against the risk and consequences of cyber-attacks
- Does the FTC Consider Your Business a Financial Institution? —An Updated Safeguards Rule ReminderWhether you’ve just realized that your company needs to follow the FTC’s Safeguards rule and you’re at ground zero or you’ve been working on it for months—or years!—the data security specialists at REDW can help…
- Protecting Public Water Systems from Cyberattack: New Cybersecurity Regulations for State GovernmentsThe US Environmental Protection Agency announced that it now requires all public water system (PWS) audits to include cybersecurity.
- Cybersecurity for Nevada Gaming: Breach Notification RequirementsIn Nevada, the cybersecurity breach notification process must be fully documented to provide team instruction in the case of an incident
- SEC Issues 4-Day Disclosure Requirement & Additional Cybersecurity Rules for ALL Public CompaniesThe SEC recently adopted new rules for all publicly traded companies regarding the disclosure of cybersecurity incidents
