Cybersecurity for Nevada Gaming: Shielding Patron & Employee Data

Cybersecurity for Nevada Gaming: Shielding Patron & Employee Data

July 10, 2023

The new Nevada gaming cybersecurity rule (NRS 463.0129) went into effect in January with novel and specific requirements for casino operators. As the gambling industry handles enormous amounts of sensitive patron and employee data, gaming entities are a prime target for data breaches and identity theft. So, in addition to securing and protecting their own records and operations, gaming operators must shield personal information of their patrons and employees. The consequences for failing to do so could be substantial according to this new regulation.
Assuming that you, as a casino operator, have fulfilled the first of the new cybersecurity rule’s requirements – an initial security risk assessment conducted by an outside party – what else do you need to do? Simply understanding your organization’s risks and potential security gaps and vulnerabilities is not enough to ensure compliance.

Listen to our podcast on this topic, Gaming Cybersmart: New Cybersecurity Regulations in Nevada

Proof of Action Items From the Security Risk Assessment

Naturally, addressing any security risk assessment action items is good business practice, and can mean the difference between a costly data breach or conducting business as usual. The key to compliance for this part of the new Nevada gaming rule is proof of action. Not only must your gaming operation continue to monitor cybersecurity risks, but you must also develop a plan and address risks when they arise.

Any cybersecurity risk assessment should include a “treatment plan” to effectively bring your operation to an acceptable risk level in a timely manner.

This should include:

  • Listing all the cybersecurity risks
  • Steps necessary to address each action item
  • Timelines for completion
  • Parties responsible for ensuring completion of each step
  • Budgets necessary to mitigate these risks

Documenting your completion of these steps, or noting progress in implementing them, is how your operation can prove you have addressed the required action items.

Additional Requirements

In addition to the areas mentioned above, casino gaming operations subject to Nevada’s gaming cybersecurity rule have four more requirements:

  1. The gaming operation must designate a qualified cybersecurity team member to be responsible for developing, implementing, overseeing, and enforcing the covered entity’s cybersecurity best practices and procedures. This team member cannot also be the organization’s internal auditor for reasons explained below.
  2. The operation must verify that the covered entity is following cybersecurity best practices and procedures, at least annually, by using an internal auditor or another independent entity. With either choice, they are required to have expertise in the field of cybersecurity to perform and document observations, examinations, and inquiries of employees. The internal auditor cannot also be the designated, qualified cybersecurity team member mentioned above.
  3. The casino operation must retain all documents prepared by the internal auditor for five years.
  4. With the new rule, the covered entity is required to document, in writing, all procedures taken to comply with the new NRS rule.

Developing Cybersecurity Best Practices

Beyond documenting that you have addressed any security risks, your compliance with the new rule includes developing cybersecurity best practices – the policies and procedures your operation will take to secure customer and employee data. Mitigating cybersecurity risks is an ongoing task requiring time and resources to monitor, respond and adjust as needed. Written and widely distributed best practices provide a repeatable model for reducing chances of a cyberattack and conducting future assessments.
Consider that if you don’t develop and follow these policies and procedures, you will not be able to prove your gaming operation is within compliance with the new cybersecurity rule in Nevada.

So, what exactly does the rule mean by “best practices” and how many policies and procedures are required to prove compliance?

According to the United States Cybersecurity & Infrastructure Security Agency, cybersecurity best practices start with requiring strong passwords and multi-factor authentication, the most up to date software, and training users to question and report suspicious links. These basics form the minimum level of “cyber hygiene,” and should already be part of your operation’s cybersecurity practice. They should also be incorporated in any best practices document.
Implementing tailored cybersecurity practices is just as vital to protecting and maintaining your gaming operation. Consider these additional best practices to strengthen security:

  1. Regular security assessments and testing that simulate cyberattacks to evaluate the effectiveness of your security measures.
  2. Incident response and recovery plans to minimize potential damage, recover quickly, and boost organizational confidence.
  3. Collaboration with industry partners and law enforcement to share threats and develop countermeasures.

Embracing a Security First Outlook

Adopting these (and other) policies, procedures, and additional security solutions as they arise, your Nevada gaming operation can better safeguard your employee and customer data as you align operational practices with the new gaming cybersecurity rule. A security first mindset provides crucial confidence and better enables the gaming industry to thrive in a world of high stakes.

Our expert cybersecurity advisors have decades of trusted experience to help you and your gaming operation get cybersmart.

Looking for a quick, holistic analysis of your organization’s cybersecurity risk? Ask about REDW’s Security Scorecard. Our best-in-class information security platform evaluates 10 vital risk factors from an attacker’s perspective and delivers a clear, concise report card with actionable details that reveal just where —and how— you can strengthen your defenses across the board.

Contact Brian Grayek, REDW IT & Cybersecurity Consulting Director, to discuss your next steps.

More Cybersecurity Insights from REDW

Recent Posts