IMGL Magazine April 2024

CYBER SECURITY

cybersecurity measures that are required. 14 The GDPR expects companies to take appropriate action and manage risk based on the contents of the data processed and the risks posed by their specific business practices. The UK Gambling Commission is at the forefront of cybersecurity regulation for its licensees because it has had to adopt regulations that, at the very least, comply with the GDPR. All licensed remote gambling operators and gambling software operators must comply with specific licensing requirements, including technical standards, and provide annual security audit reports to the UK Gambling Commission. 15 Additionally, newly licensed remote gambling operators must submit a security audit report within six months of being granted a licence, whether or not they have started trading. The UK Gambling Commission has published the Remote gambling and software technical standards (“RTS”), which are split into very specific technical standards and minimum security requirements that licensed remote gambling operators and gambling software operators are expected to meet. The security requirements outline the minimum information security standards that apply to any UK Gambling Commission licence holder. 16 The RTS security requirements are based on specific controls from Annex A of ISO/IEC 27001:2013. This is an internationally recognized standard for managing information security, against which organizations can be certified, published jointly by the International Organization for Standardization and the International Electrotechnical Commission. UK Gambling Commission licensees do not need to be certified to the ISO/IEC 27001 standard; however, they are required to undergo an independent audit annually and submit the report findings to the Gambling Commission. The RTS requirements use approximately 50 percent of the controls needed to be ISO/IEC 27001 certified.
The requirements focus only on specific controls outlined in the international standard and do not require licensees to implement framework elements that can be found in the ISO/IEC standard. The UK Gambling Commission has stated that its aim in setting out security standards is to ensure customers are not exposed to unnecessary security risks by choosing to participate in remote gambling. 17 This situation is not completely analogous to the landscape in the US, as the bulk of PII gathered from customers in the US is from activity in its land-based casinos rather than remote operations. The UK Gambling Commission has noted that the security standards apply to these critical systems:

• electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example, credit/debit card details, authentication information, customer account balances
• electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
• electronic systems that store results or the current state of a customer’s gamble
• points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
• communication networks that transmit sensitive customer information.

Some of the areas that the UK Gambling Commission has highlighted as most critical to achieving its aim include policies for information security, mobile devices and teleworking, termination and change of employment responsibilities, management and disposal of media, access control, operations and communications security, system acquisition, incident management, compliance, and supplier relationships. Supplier relationship policies can be especially important in the gaming sector because companies often use third-party companies, where they are allowed to, in order to cut costs and outsource work more efficiently. As noted in the Caesars hack, third-party relationships and systems can often represent another easy point of entry for an attacker, as they are connected to the same systems where the PII is stored but without the same level of security controls. The UK Gambling Commission’s cybersecurity controls are significantly more onerous to the licensee, and more protective of the customer, than any of their counterparts in the American regulatory structure.

Mitigation: insurance rather than investment

One of the biggest issues with cybersecurity regulation in the United States is that the gaming industry has yet to fully face up to the challenge.
Instead of investing in more sophisticated cybersecurity and educating their employees to a higher level, the gaming industry has chosen to rely on cybersecurity insurance

14 National Cyber Security Centre, General Data Protection Regulation (GDPR), https://www.ncsc.gov.uk/information/gdpr (May 18, 2018).
15 IT Governance, Gambling Commission Compliance – Security Requirement.
16 Evalian, Gambling Commission RTS security compliance (July 17, 2023), https://evalian.co.uk/gambling-commission-rts-security-compliance/
17 UK Gambling Commission, Remote gambling and software technical standards (RTS).

PAGE 47
