Understanding Nevada’s New Gaming Cybersecurity Rule, NRS 463.0129

March 6, 2023

On January 1st, 2023, the new Nevada gaming cybersecurity rule in NRS 463.0129 went into effect with many new requirements for cybersecurity practices in gaming operations and other covered entities. The rule sets out specific requirements that will benefit casinos in Nevada. And as history shows, Nevada is usually a forerunner in gaming regulations, so don’t be surprised if other states quickly pick up the torch on this one, too.

The NRS 463.0129 rule, in a nutshell, is that gaming operators must not only secure and protect their own records and operations, but also the personal information of their patrons and employees. Failure to do so may result in disciplinary action—consequences which, legally, could become substantial for gaming operations.

The NRS 463.0129 Rule Has 6 Major Parts

First, we must emphasize that this new rule isn’t just for casinos; it covers any of the following “covered entities”:

  • Holder of a non-restricted license as defined in NRS 463.0177 who deals, operates, carries on, conducts, maintains, or exposes for play any game defined in NRS 463.0152;
  • Holder of a gaming license that allows for the operation of a race book;
  • Holder of a gaming license that allows for the operation of a sports pool; and
  • Holder of a gaming license that permits the operation of interactive gaming.

Here’s a quick rundown on key requirements of the new cybersecurity rule:

1. Initial Security Risk Assessment

Nevada’s new cybersecurity rule no longer allows any covered entity to operate without ever having facilitated a legitimate and professional security risk assessment. If your gaming operation hasn’t facilitated a risk assessment, you will have until December 31st, 2023, to do so or be found out of compliance.

The NRS 463.0129 rule says a risk assessment “may be performed by an affiliate of the covered entity or a third-party with expertise in the field of cybersecurity.” What this really means is that the covered entity cannot conduct its own internal risk assessment. A risk assessment must be done by an outside party (an affiliate or third-party).

2. Provable Action Items After the Security Risk Assessment

Your gaming operation will need to monitor cybersecurity risks and modify best practices as necessary. Consider that if you don’t have policies and procedures for monitoring, you will not be able to prove your casino is in compliance with the new cybersecurity rule in Nevada.

3. Required Development of Cybersecurity Best Practices

Beyond proving your compliance with the new rule, the need for security policies and procedures hinges on your operation’s ability to properly secure customer and employee data; the new cybersecurity law in Nevada requires your operation to have security policies and procedures in place.

4. Breach Notification Requirements

Under the new cybersecurity rule, if your operation is breached by a cyberattack, you will have reporting requirements, some of them immediate.


The reporting requirements under NRS 463.0129 after a security breach are as follows:

  • Provide written notification of the cyber-attack to your organization’s board or executive management as soon as practicable, but no later than 72 hours after becoming aware of the cyber-attack.
  • Upon request, the covered entity shall provide the board or executive management with specific information regarding the cyber-attack.
  • Perform (or have a third-party perform) an investigation into the cyber-attack, prepare a report documenting the results of the investigation, notify the board of the completion of the report, and make the report available to the board for review upon request. The report must include, without limit:
    • the root cause of the cyber-attack,
    • the extent of the cyber-attack,
    • and any actions taken or planned to be taken to prevent similar events that allowed the cyber-attack to occur.
  • Notify the board when any investigation or similar action taken by an entity external to the covered entity is completed and make the results of such investigation (or similar action) available to the board upon request.

5. Other New Requirements for a Covered Entity Include:

  • Designating a qualified (cybersecurity) team member to be responsible for developing, implementing, overseeing, and enforcing the covered entity’s cybersecurity best practices and procedures; this team member cannot also be the organization’s internal auditor.
  • Verifying that the covered entity is following cybersecurity best practices and procedures, at least annually, by the internal auditor or another independent entity; either actor is required to have expertise in the field of cybersecurity to perform and document observations, examinations, and inquiries of employees. The internal auditor cannot also be the designated, qualified cybersecurity team member mentioned above.
  • Retaining all documents prepared by the internal auditor. With the new rule, the covered entity is required to document, in writing, all procedures taken to comply with the new NRS rule. All documents are to be retained for five years.

6. Failure to Comply

Failure to comply with the new Nevada gaming cybersecurity rule may result in disciplinary action. This new regulation is the first we’ve seen setting aggressive new requirements, but as cybersecurity experts, we know it’s for good reason, as cyberthreats are evolving and becoming more numerous every day. The inclusion of this section underscores the importance of tightened cybersecurity practices. Aside from this legitimate sense of urgency, note that the inclusion of this “failure to comply” section makes it both possible and probable for the state of Nevada to make an example of any offender.

Complying with the Nevada Gaming Cybersecurity Rule

With the rule having gone into effect at the start of 2023, it is critical for casino and gaming entities to meet compliance to best secure operations and the personal data of patrons. We’re here to make this easier. REDW’s trusted advisors are seasoned professionals with decades of expertise in both the gaming and cybersecurity industries. Learn more about REDW’s Cybersecurity services.

Or contact us for any questions or to discuss Nevada’s new cybersecurity rule.

