Celebrating 75 Years of Serving Nevada’s Legal, Business, Government, and Civic Communities

New Cybersecurity Regulations from the Nevada Gaming Commission

Gaming is just one of many industries working to strengthen its regulations concerning cybersecurity and privacy. The Nevada Gaming Commission approved and adopted an amendment to its gaming regulations which requires certain gaming operators to comply with new cybersecurity regulations on or before December 31, 2023. Gaming Law attorney Kelci Binau explains the new regulations in an article published in the November issue of Clark County Bar Association’s Communiqué magazine. Kelci’s article is provided below and available here on pages 20 and 21 of the magazine.

“New Cybersecurity Regulations from the Nevada Gaming Commission”
Communiqué magazine, November 2023, by Kelci S. Binau, McDonald Carano LLP

On December 22, 2022, the Nevada Gaming Commission (“NGC”) approved and adopted an amendment to its gaming regulations. NGC Regulation 5.260, which became effective January 1, 2023, requires certain gaming operators (“covered entities”) to comply with new cybersecurity regulations on or before December 31, 2023. The new regulations require covered entities to take “all appropriate steps” to “secure and protect” not only their own “information systems,” their own “records” and their own “operations,” but also secure and protect the “personal information” of their patrons and employees. Nev. Gaming Comm’n Regs. 5.260(1).

Covered Gaming Entities
The amended regulations define “covered entities” as nonrestricted licensees operating or exposing for play, games or gambling games and gaming licensees authorized to operate a race book, sports pool and/or interactive gaming. Nev. Gaming Comm’n Regs. 5.260 (2)(c).

Cyber Attacks Defined
The regulations define a cyber-attack as “any act or attempt to gain unauthorized access to an information system for purpose of disrupting, disabling, destroying, or controlling the system or destroying or gaining access to the information contained therein.” Nev. Gaming Comm’n Regs. 5.260(2)(a).   It is important to note that the definition includes “attempt” –successful or not– which could be interpreted to mean the regulations apply to instances in which a cyber-attack was prevented or defeated by existing cybersecurity measures.

Record Keeping Requirements
Covered entities must create written documentation of “all procedures” for complying with the new regulations – “and the results thereof.” The records must be retained for a minimum of (5) five years and provided to the Nevada Gaming Commission Board (“NGCB”) upon request.

Risk Assessment, Best Practices and Monitoring
By December 31, 2023, covered entities must (1) conduct an initial risk assessment of its business operations and (2) develop cybersecurity best practices it deems “appropriate.” On an “ongoing basis,” covered entities must monitor and evaluate cybersecurity risks and accordingly modify cybersecurity best practices and risk assessments. The risk assessment, monitoring, and evaluation may be conducted by an affiliate of the covered entity or a third-party expert.

Actions Required After Cyber Attack/Incident Response
A covered entity that experiences a cyber-attack to its information system which results in a “material loss of control, compromise, unauthorized disclosure of data or information,” must comply with certain requirements. It is important to note that the regulation further states that the same steps are required if a covered entity experiences “any other similar occurrence.” Such language could be interpreted to mean the regulations may also apply to a failed, defeated, or otherwise unsuccessful cyber-attack.  The required steps are as follows:

  1. Provide written notification to the NGCB as soon as practicable but no later than 72 hours after becoming aware of the cyber-attack. (The NGCB may request additional “specific information.”)
  2. Investigate the cyber-attack and prepare a report documenting the results, including the extent and “root cause” of the cyber-attack and any actions taken or planned to prevent “similar events that allowed the cyber attack to occur.”
  3. Notify the NGCB of the completed investigation report and make it available to the NGCB upon request.  Nev. Gaming Comm’n Regs. 5.260(4)(a-c).

Additional Requirements for Group I Licensees
Group 1 licensees, as defined by Subsection 8 of regulation 6.010, must comply with the following additional requirements:

  1. Designate a qualified individual to be responsible for developing, implementing, overseeing, and enforcing cybersecurity best practices and procedures.
  2. At least annually, engage a qualified “internal auditor or other independent entity” to conduct and document “observations, examinations, and inquiries of employees to verify” the covered entity is following best practices and procedures. All documents prepared pursuant to this requirement must be retained for (5) five years.
  3. At least annually, engage an “independent accountant or other independent entity” to review the covered entity’s best practices and procedures – and attest in writing that they are in compliance. The written attestation and any related documents must be retained for (5) five years. 
  4. The same “independent entity” may be utilized to perform the requirements in these sections 2 and 3 so long as they are “performed by different employees.”

The NGC’s amendment reflects its concern about cybersecurity over the past few years as cyber-attacks continue to increase in frequency and the range of businesses targeted has broadened. For assistance in complying with the new regulations please contact Kelci S. Binau.


About McDonald Carano

In 2024, McDonald Carano celebrates 75 years of serving Nevada’s legal, business, government, and civic communities. More than 60 lawyers and government relations professionals serve Nevada, national, and international clients from our offices in Reno, Las Vegas, and Carson City. McDonald Carano provides legal services and government affairs and advocacy advice to startups, corporations, private companies, trade associations, nonprofits, public entities, high-net-worth individuals, and family offices throughout Nevada. We are proud to be your Nevada law firm since 1949.

Media Contact

Mark Buckovich


702.257.4559

You have chosen to send an email to McDonald Carano. The sending or receipt of this email and the information in it does not in itself create an attorney-client relationship. If you are not already a client, you should not provide us with information that you wish to have treated as privileged or confidential without first speaking to one of our lawyers. If you provide information before we confirm that you are a client and that we are willing and able to represent you, we may not be required to treat that information as privileged, confidential, or protected information, and we may be able to represent a party adverse to you.

I have read this and want to send an email.