Nevada Gaming Cybersecurity Law Requires Action in 2023

June 2, 2023

Nevada Gaming Commission (NGC) Section 5.260, which falls under the protection mandated by Nevada Revised Statute (NRS) 463.0129, addresses the need to protect a gaming company’s (i.e., casino’s) operations and records, as well as those of its patrons and employees. The Nevada Gaming Control Board is requiring covered entities to put additional cybersecurity measures into place by December 2023.

Throughout the NGC regulation, the Gaming Control Board emphasizes the importance of working with a qualified third-party cybersecurity provider. An experienced external team provides the skilled independent review needed to optimize your operation’s cybersecurity program and comply with the regulation. However, because this regulation weaves together two distinct and complex operations, gaming leaders should consider partnering with a third-party (or affiliate) cybersecurity team that also maintains specialized knowledge in gaming and casino operations. An expert cybersecurity provider with seasoned knowledge of the gaming industry not only provides the unbiased insights needed to meet compliance, but can also uncover lesser-known opportunities to strengthen your operation and overall cybersecurity posture.

Who Is Required to Follow Nevada’s Cybersecurity Regulation: a Reminder

As noted in our initial article on Nevada’s new gaming cybersecurity rule, the new rules affect holders of:

  • nonrestricted licenses
  • licenses that allow for operations of race books
  • licenses that allow for operations of sports pools
  • licenses that permit the operation of interactive gaming

Those who meet the classification of Group 1 licensees are subject to an additional layer of requirements noted in Section 5 of NGC Section 5.260.

What Are the Key Issues Addressed in a Risk Assessment?

The new regulation requires gaming facilities to adopt formal processes, systems, and training to prevent, detect and respond to cyberattacks. It describes a security risk assessment as “the process of identifying, estimating, and prioritizing risks to organizational operations and assets resulting from the operation of an information system.”

The National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce, provides an extensive framework for conducting a risk assessment and documenting a system’s effectiveness, weaknesses, and any deficient controls.

Key issues addressed in a risk assessment are:

  • Ensuring that processes support privacy protection needs and that responsible parties are clearly defined.
  • Addressing untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft and insertion of malicious code.
  • Confirming the use of enterprise architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services.

If your gaming operation has not yet conducted a security risk assessment, you have until December 31, 2023, to do so or be found out of compliance.

Relationships with Trusted Cybersecurity Experts Will Be Ongoing for Group 1 Licensees

The new regulation requires Group 1 Licensees to have annual cybersecurity reviews and processes attested:

  • At least annually, have an independent entity with cybersecurity expertise or its internal auditor perform and document observations, examinations, and inquiries of employees to verify compliance with the cybersecurity best practices and procedures. All documentation must be retained.
  • At least annually, engage an independent accountant or other independent expert in cybersecurity to perform an independent review of your best practices and procedures and attest in writing that they comply with the requirements of NGC 5.260.

Noncompliance Consequences

As with most other Nevada Gaming Commission regulations, the new cybersecurity requirements contain a broad statement about noncompliance: “Failure to exercise proper due diligence in compliance with this section shall constitute an unsuitable method of operation and may result in disciplinary action.” (NGC 5.011).

In May, REDW sought specificity regarding potential disciplinary action and reached out to the Deputy Chief of the Enforcement Division of the NGCB (Nevada Gaming Control Board), who shared that,

“…disciplinary actions can be very broad and are based on many different factors. To that point, any disciplinary considerations relating to non-compliance with Regulation 5.260 would be fact-specific and fall in line with Regulation 5.011.”

Michael Lawton, CPM
Senior Economic Analyst
Nevada Gaming Control Board

The Nevada Gaming Control Board takes many factors into consideration when assessing noncompliance, such as intent, cooperation, and speed in remediation. But with Nevada clearly citing that a license or approval is a revocable privilege (NRS 463.0129), being on the receiving end of disciplinary action isn’t where anyone would want to be.

Independent, Multi-Disciplinary Expertise

REDW Advisors and CPAs have the ideal combination of seasoned cybersecurity expertise and over 30 years of experience serving gaming and casino operations. Our team of trusted advisors collaborates to ensure our clients get the service they need in the most efficient manner possible. Contact us today to discuss your cybersecurity compliance needs. We’re here to make this easier.
