Nevada Moves to Tighten Cybersecurity Reporting Rules

Nevada regulators have begun advancing changes to the state’s cybersecurity reporting rules for gaming companies, seeking faster and more direct communication with operators following a rise in cyberattacks and the fallout from two high-profile breaches in 2023.

The Nevada Gaming Control Board (NGCB) on Thursday held a workshop to review proposed amendments to Regulation 5.260, the section governing cybersecurity incident reporting. The session marked the first formal step in revising the rules, with a final vote scheduled before the Nevada Gaming Commission on 18 December.

The proposals come two years after cyberattacks on Caesars Entertainment and MGM Resorts disrupted operations, caused millions in damage, and drew intense media scrutiny. Board member George Assad called the 2023 incidents “very chaotic” for both regulators and operators.

 

Requirement	Current Rule	Proposed Change	Deadline / Notes
Initial notification	Notify within 72 hours of confirmed attack	Notify within 24 hours of operator awareness	Informal email or phone call accepted
Initial incident report	N/A (current practice varies)	Initial Cyber Incident Response report required	Due within 5 calendar days
Follow-up updates	No standard cadence	30-day updates until resolved	Ongoing until incident documented as resolved
Materiality definition	Left to licensee discretion	Board remains hesitant to define materiality	Determination left to operators

 

Faster Reporting at the Center of Proposed Changes

Assistant Attorney General Ed Magaw outlined the amendments, which would require gaming licensees to notify regulators within 24 hours of confirming a cyberattack. Current regulations allow 72 hours. The industry pushed back. The Nevada Resort Association (NRA) urged regulators to keep the 72-hour window, citing operational challenges. Many operators rely on third-party cybersecurity vendors that typically have up to 48 hours to notify clients of an incident. Companies say they need additional time to conduct their own assessments.

In response, regulators revised the language so that the 24-hour clock begins once the operator itself becomes aware of a confirmed attack, not when the attack first occurs. The initial notification—described repeatedly by board members as a simple phone call or email—must be followed by a formal Initial Cyber Incident Response report within five days. Operators would then submit 30-day status updates until the incident is fully resolved. A company may opt for a meeting with the board in place of the initial written report.

NGCB Chair Mike Dreitzer said the changes reflect a “misalignment” between current rules and what the board views as best practice. He argued that early, even informal, communication would prevent the board from learning about incidents through media reports or third-party disclosures. “This is consistent with feedback from licensees who’ve gone through this process in real time,” Dreitzer said, noting that operators often lack reliable information in the early hours of an attack.

Operators raised concerns about the volume of cybersecurity activity they face. Gaming companies process large amounts of customer data and financial transactions, making them common targets. A UNLV study released in September found nearly 50 confirmed cyber incidents at Nevada casinos between 2007 and 2023, with most occurring in the past decade. Affinity Gaming’s information security officer, Erik Hanson, cautioned that the new rules could generate “false alarm” notifications. Many suspected intrusions, he said, never develop into material breaches but would still trigger required outreach under the revised standard.

The board declined to define what constitutes a “material” breach, arguing that thresholds vary widely across operators and systems. Caesars counsel Chandler Pohl added that public reporting often outpaces corporate assessments: “Compliance will never be faster than social media,” he said, noting that technical outages unrelated to cyberattacks can draw public speculation.

 

The current regulation doesn’t, in all ways, show best practice.

 

Part of a Broader Regulatory Overhaul

The cybersecurity workshop reflects a period of heightened regulatory activity under Dreitzer, who became chair in June and is the fifth person to hold the role since 2019. The board has recently advanced changes to poker chip cashing policies and private gaming salon rules. The year has been marked by increased enforcement as well. Four entities have received multimillion-dollar fines for anti-money-laundering violations, including Wynn Resorts, MGM Resorts, and Caesars—cases initiated before Dreitzer’s tenure.

Regulators plan an active December: the NGCB lists 12 proposed rulemaking processes underway, spanning cybersecurity, surveillance standards, and horse racing technologies. If approved next month, the revised reporting rules would take effect in 2024, reshaping how Nevada operators communicate with regulators during cyber incidents as attacks grow more frequent and more costly.