Gaming regulators discuss oversight of cycbersecurity at casinos
Nevada doesn’t require casino companies to carry cybersecurity insurance, but most of them do as a cost of doing business.
Gaming regulators from four states, including Nevada Gaming Control Board Chairman Kirk Hendrick, weighed in on the regulation of companies Monday in an opening panel of the four-day Global Gaming Expo.
Around 25,000 industry leaders are gathering through Thursday at The Venetian Expo for the 22nd edition of the show that includes more than 80 educational sessions, a handful of keynote speeches on various gaming topics and a trade show filled with slot-machine innovations and gaming systems that opens Tuesday.
Cybersecurity hot topic
Panelists spent more than half of their regulatory session discussing cybersecurity, a topic amplified by hacking attacks on computer systems operated by Caesars Entertainment Inc. in August and MGM Resorts International in September.
Both companies have acknowledged the attacks, with MGM stating that the hack on its system will cost the company $100 million. It indicated most of the losses would be covered by cyberattack insurance.
“It’s not required right now,” Hendrick said of insurance covering cyberattacks. “I think most operators have already seen that as a cost of doing business and already have it. Right now it hasn’t been mandated, but it’s certainly something that the board and commission could look at.
It’s part of your general liability business policy. I don’t know what the premiums are now, but it’s a good business practice to have it,” he said after the panel.
One state that does require cybersecurity insurance is Massachusetts, where MGM operates MGM Springfield.
“In Massachusetts, we’re prepared and hope that our operators never have to use that coverage,” said Cathy Judd-Stein, chairwoman of the Massachusetts Gaming Commission.
Asked during the panel what role regulators should play in overseeing cybersecurity, David Rebuck, director of the New Jersey Division of Gaming Enforcement, said it’s important for state regulators to be involved, even though some cyberattacks require federal intervention.
“I think there’s a role for us to play in that conversation, but depending who the criminals are, that’s an international organization. Then now you’ve got the State Department and there might be some national security implications involved,” Rebuck said.
Nevada regulation
Nevada is in the midst of establishing oversight in cybersecurity matters after regulators approved amendments to Regulation 5, which guides casino operations, in December.
Nevada’s nonrestricted licensees will have until Dec. 31 to prepare and submit a cybersecurity plan to the Gaming Control Board.
Rules established in Regulation 5 say “a covered entity shall perform an initial risk assessment of its business operation and develop the cybersecurity best practices it deems appropriate. After performing the initial risk assessment, the covered entity shall continue to monitor and evaluate cybersecurity risks to its business operation on an ongoing basis and shall modify its cybersecurity best practices and risk assessments as it deems appropriate.”
The regulation also says a casino that has been attacked has 72 hours to report it to regulators.
“Upon request, the covered entity shall provide the board with specific information regarding the cyberattack; perform, or have a third-party perform, an investigation into the cyberattack, prepare a report documenting the results of the investigation, notify the board of the completion of the report, and make the report available to the board for review upon request. The report must include … the root cause of the cyberattack, the extent of the cyberattack, and any actions taken or planned to be taken to prevent similar events that allowed the cyberattack to occur …”
The regulation also requires licensees to perform annual audits of their cybersecurity protection. Records of cyberattack incidents have to be kept for at least five years.
David Derigiotis, chief insurance officer for San Francisco-based digital business insurer Embroker, who wasn’t on the panel, said it’s difficult to quantify how many casino companies carry cybersecurity insurance.
“This is not something a client would typically broadcast for fear of further targeting by cyber criminals,” Derigiotis said in an email. “I can tell you when I personally handled casino clients as a broker in my previous role, cybersecurity was often an issue. Casinos are known for having strong physical security and onsite surveillance capabilities, but this level of rigor does not automatically extend to their digital operations. Should they have it? This is always a question of what risk is an entity willing to take on. What level of financial harm can they tolerate before a business interruption event becomes problematic for the company or the shareholders, what resources do they readily have access to in the event of a security incident. Cyber insurance can help with all of this. Cyber insurance can also help with a variety of proactive security measures before a breach occurs.”
Costly premiums
Cybersecurity insurance policies don’t come cheap. Premiums can cost six or seven figures.
“Casinos will typically be in a higher hazard category due to the hospitality element, gambling operations, and business interruption exposure they have. Larger casinos also typically purchase higher insurance limit towers ($20 million-plus) to address their risk profile and exposure,” he said. “This can come with significant six-figure or seven-figure insurance premiums.”
He said insurance premiums likely will go up for Caesars and MGM.
“The cost increase is likely to be isolated to MGM and Caesars,” said Derigiotis, who will be speaking on cybersecurity insurance at the ITS conference in Las Vegas later this month.