Two years after the major cyberattack in 2023 that crippled the Caesar and MGM systems, Nevada's gaming regulatory body is finally updating its rules. The Gaming Control Board recently held a workshop proposing to drastically reduce the reporting time for operators after a cyberattack from the current 72 hours to just 24 hours. The regulators are serious this time, wanting to get a handle on situations earlier, but this new rule has caused quite a stir within the industry.
New Rule Core: Must "Breathe a Word" Within 24 Hours
According to the proposed amendment, once a licensee confirms a cyberattack, they must notify the Gaming Control Board within just 24 hours. This is much more urgent than the current 72-hour requirement. After the initial notification, operators must submit a detailed "Initial Cyber Incident Response Report" within 5 calendar days. Moreover, the matter doesn't end there; updates are required every 30 days until the incident is deemed "completely resolved." Interestingly, what constitutes "completely resolved" is still up to the operators to decide. According to PASA's official website, the regulatory body has also left a loophole, allowing operators to choose to meet directly with the committee to communicate, instead of submitting a written report.
Industry Complaints: Tight Timing, Difficult Operations
For this seemingly urgent rule, industry groups represented by the "Nevada Resort Association" cast a direct vote against it. Their reasoning is practical: many operators outsource network security to third-party service providers, with contracts usually stipulating that the service provider must notify the operator within 48 hours. After receiving the message, companies still need at least 24 hours to assess the situation. By this calculation, even 72 hours is tight, let alone 24 hours. At the meeting, information security officers complained that there are so many attempted incidents investigated daily that if each had to be reported by phone, it could lead to a large number of "false alarms," overwhelming the regulatory body.
Regulatory Logic: Don't Want to See Our Own Troubles on the News
Facing opposition from the industry, the chairman of the Gaming Control Board, Mike Draz, directly addressed the core issue: we just want to know earlier. He admitted that the existing rules no longer meet "best practices" and are misaligned with regulatory goals. The 2023 attack was very "chaotic" for both operators and regulators, causing huge losses and widespread media coverage. The committee does not want to learn about incidents in their jurisdiction through news headlines again. They emphasize that early notifications can be just a phone call or an email, the core is "keeping in touch." This new set of rules is expected to be finally voted on by the Nevada Gaming Commission on December 18.
Reform Continues: New Chairman Pushes for Multiple Regulatory Updates
This cybersecurity rule revision is just one of a series of regulatory updates pushed by the new chairman, Draz. This year can be said to be one of the "harshest fine" years in the history of Nevada regulation, with giants like Wynn, MGM, and Caesar facing millions of dollars in anti-money laundering fines. The committee currently lists up to 12 regulations pending revision, ranging from horse racing technology to surveillance systems. It is evident that, against the backdrop of increasing digital risks and compliance requirements, Nevada is trying to tighten the regulatory net comprehensively. For more in-depth interpretations of global gaming regulatory dynamics, please continue to follow the PASA official website.
————
This article is from "PASA-Global iGaming Leader" gaming news channel:https://t.me/pasa_news
Gaming original depth channel:https://t.me/gamblingdeep
Free data reports: @pasa_research
PASA Matrix: @pasa002_bot
PASA official website: https://www.pasa.news
