CYBER SECURITY
law that applies on a federal level, but there are state-specific privacy laws that vary in scope and protection. Many of these privacy laws set out cybersecurity breach response provisions that gaming companies operating in that state must abide by, but only about 25 percent of the 50 states in the US have comprehensive consumer data privacy laws. Nevada’s privacy law is very weak and does not aide much in cybersecurity regulation, that said, the Nevada Gaming Commission (“NGC”) is the only gaming regulatory body in the US to implement a set of cybersecurity specific regulations for its licensees to adhere to. 10 In December 2022, the NGC approved and adopted NGC Regulation 5.260, to be effective January 1, 2023. The new regulations have been covered in past editions of the IMGL Magazine 11 but in summary they defined cyber attacks, set out record keeping requirements, risk assessment and monitoring best practice, and listed the actions required of covered entities in the event of a cyber attack. They also set a higher bar for larger operators in terms of personal responsibility and independent audit requirements. It is worth noting that in August 2023, the Massachusetts Gaming Commission (“MGC”) approved and enacted 205 CMR 257: Sports Wagering Data Privacy, a strict privacy regulation that includes a provision that states: “In the event of a suspected data breach, gaming operators must immediately notify the MGC and commence an investigation within five days of discovery (emphasis added).” 12 Similar to the NGC regulation, the MGC regulation is broad and specifies that the MGC must be notified even in the event of a suspected breach and not just a confirmed breach. This is a start to more effective cybersecurity regulation, although it only applies to sports betting operators and not all gaming operators within the state. Massachusetts gaming operators are required to notify the MGC under Massachusetts state privacy law in the event of a breach, however there is no specific regulation from MGC that applies to all licensees. Furthermore, the Securities and Exchange Commission recently adopted guidelines stating that publicly traded firms must disclose material information pertaining to their cybersecurity risk management, processes, and oversight. 13 Form 8-K has been amended to include Item 1.05, which requires the company to disclose a material cybersecurity incident when it happens. Whilst the company itself has the ability to determine whether
or not the incident is considered “material,” the SEC has noted that it will expect doubts about materiality to be resolved in favor of protecting investors. Item 1.05 8-K is required to be filed within four business days after the company concludes that the incident was material. Additionally, starting with the first annual report for a fiscal year ending on or after December 15, 2023, companies will be required to report the following information required by Item 1.06 in Regulation S-K: • the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes; • whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and, if so, how; • a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats; and • a description of the board of directors’ oversight of risks from cybersecurity threats including, if applicable, identifying any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describing the processes by which the board or such committee is informed about such risks. This is helpful to cybersecurity regulation because the largest gaming companies in the country are publicly traded, however it does not cover any of the privately owned gaming companies in the country. Without a comprehensive consumer data privacy law on the federal level, the US will take years to reach the level of cybersecurity regulation that the advancements in technology currently require. UK Gaming Cybersecurity Regulations The 2018 Data Protection Act is the UK’s implementation of the European Union’s General Data Protection Regulation (“GDPR”). The GDPR requires that personal data must be processed securely using appropriate technical and organizational measures but it does not mandate a specific set of
10 Kelci S. Binau, New Cybersecurity Regulations from the Nevada Gaming Commission, CLARK COUNTY BAR ASS’N. 11 https://www.imgl.org/publications/imgl-magazine-volume-3-no-2-tbd/getting-up-to-speed-with-cyber-security/ 12 Hunton Andrews Kurth, Massachusetts Sports Wagering and Data Privacy Regulations Take Effect (Sept. 25, 2023) 13 MICHAEL BEST, SEC Adopts New Cybersecurity Disclosure Rules (Sept. 6, 2023)
PAGE 46
IMGL MAGAZINE | APRIL 2024
Made with FlippingBook flipbook maker