By Kelci S. Binau, Esq.
Gaming is just one of many industries working to strengthen its regulations concerning cybersecurity and privacy. On Thursday, December 22, 2022, the Nevada Gaming Commission (“NGC”) approved and adopted an amendment to its gaming regulations. NGC Regulation 5.260, which became effective January 1, 2023, requires certain gaming operators (“covered entities”) to comply with new cybersecurity regulations on or before December 31, 2023. The new regulations require covered entities to take “all appropriate steps” to “secure and protect” not only their own “information systems,” their own “records” and their own “operations,” but also secure and protect the “personal information” of their patrons and employees. Nev. Gaming Comm’n Regs. 5.260(1). The NGC’s amendment reflects its concern about cybersecurity over the past few years as cyber-attacks continue to increase in frequency and the range of businesses targeted has broadened.
Covered gaming entities
The amended regulations define “covered entities” as nonrestricted licensees operating or exposing for play games or gambling games and gaming licensees authorized to operate a race book, sports pool, and/or interactive gaming. Nev. Gaming Comm’n Regs. 5.260 (2)(c).
The regulations define a cyber-attack as “any act or attempt to gain unauthorized access to an information system for purpose of disrupting, disabling, destroying, or controlling the system or destroying or gaining access to the information contained therein.” Nev. Gaming Comm’n Regs. 5.260(2)(a). It is important to note that the definition includes “attempt” (successful or not), which could be interpreted to mean the regulations apply to instances in which a cyber-attack was prevented or defeated by existing cybersecurity measures.
Record keeping requirements
Covered entities must create written documentation of “all procedures” for complying with the new regulations – “and the results thereof.” The records must be retained for a minimum of five (5) years and provided to the Nevada Gaming Commission Board (“NGCB”) upon request.
Risk Assessment, Best Practices and Monitoring
By December 31, 2023, covered entities must (1) conduct an initial risk assessment of their business operations and (2) develop cybersecurity best practices they deem “appropriate.” On an “ongoing basis,” covered entities must monitor and evaluate cybersecurity risks and modify their cybersecurity best practices and risk assessments accordingly. The risk assessment, monitoring, and evaluation may be conducted by an affiliate of the covered entity or a third-party expert.
Actions required after cyber-attack/incident response
A covered entity that experiences a cyber-attack on its information system that results in a “material loss of control, compromise, unauthorized disclosure of data or information,” must comply with certain requirements. It is important to note that the regulation further states that the same steps are required if a covered entity experiences “any other similar occurrence.” Such language could be interpreted to mean the regulations may also apply to a failed, defeated, or otherwise unsuccessful cyber-attack. The required steps are as follows:
- Provide written notification to the NGCB as soon as practicable but no later than 72 hours after becoming aware of the cyber-attack. (The NGCB may request additional “specific information.”)
- Investigate the cyber-attack and prepare a report documenting the results, including the extent and “root cause” of the cyber-attack and any actions taken or planned to prevent “similar events that allowed the cyber attack to occur.”
- Notify the NGCB of the completed investigation report and make it available to the NGCB upon request. Nev. Gaming Comm’n Regs. 5.260(4)(a-c).
Additional Requirements for Group I Licensees
Group I licensees, as defined by Subsection 8 of Regulation 6.010, must comply with the following additional requirements:
- Designate a qualified individual to be responsible for developing, implementing, overseeing, and enforcing cybersecurity best practices and procedures.
- At least annually, engage a qualified “internal auditor or other independent entity” to conduct and document “observations, examinations, and inquiries of employees to verify” the covered entity is following best practices and procedures. All documents prepared pursuant to this requirement must be retained for five (5) years.
- At least annually, engage an “independent accountant or other independent entity” to review the covered entity’s best practices and procedures – and attest in writing that they are in compliance. The written attestation and any related documents must be retained for five (5) years.
- The same “independent entity” may be utilized to perform the requirements in these sections 2 and 3 so long as they are “performed by different employees.”
About the author
Kelci S. Binau is an attorney in the Gaming & Administrative Law Practice at McDonald Carano. Kelci also serves as the incoming Secretary and General Counsel of Global Gaming Women.
About the article
This article was originally published in the Communiqué (Nov. 2023), the official publication of the Clark County Bar Association. See https://clarkcountybar.org/about/member-benefits/communique-2023/communique-november-2023/.
© 2023 Clark County Bar Association (CCBA). All rights reserved. No reproduction of any portion of this issue is allowed without written permission from the publisher. Editorial policy available upon request.