April 1, 2024

  • Bryttni Cimo, UNLV

Betting on Security

How the Gaming Industry Approaches Cybersecurity Regulation and Why it is Not Enough

Introduction

In the digital age, cybersecurity has become a paramount concern for every company with a digital footprint. There is one industry which, despite being worth US$249 billion and being subject to regular attacks, is severely lagging.[1] With large amounts of cash and vast reserves of sensitive data, including personally identifying information (“PII”), gaming companies represent an attractive target to the modern cybercriminal. Europe and the UK, with their strict privacy laws, have taken a lead in cybersecurity. Meanwhile, in the United States, the regulatory structure that oversees the gaming industry has not caught up with advancements in technology. Gaming has only recently been legalized in many US states, so this could be the reason for the lag. Resistance from the industry itself could also be a factor. Whatever the reason, recent high-profile attacks have demonstrated that this area now needs to be a priority.

Present Cybersecurity State of the Gaming Industry

Cyberattacks are the newest form of terrorism, and the gaming industry has suffered its share. In early 2020, MGM confirmed that it had experienced a data breach in the summer of 2019.[2] The company had not originally made the breach public, notifying only impacted customers.[3] This decision unravelled, however, when approximately 10.6 million records of customer PII, including names, home addresses, phone numbers, emails, and dates of birth, were leaked as a free download on a hacking forum.[4] MGM later clarified that the breach was much larger than initially reported and was believed to have affected over 142 million customers of the brand.[5] In May 2022, the incident resurfaced when a data dump was discovered containing all 142 million records from the 2019 hack.[6] No financial, payment card, or password data was stolen; however, all 142 million records went on sale on the dark web for US$2,900.[7]

In September 2023, MGM dealt with another massive breach that disrupted its entire IT system and took over a week to resolve.[8] Once again, hackers were able to retrieve basic customer PII and, in some cases, social security numbers and/or passport numbers.[9] MGM stated that it did not believe customer passwords, bank account numbers, or payment card information were affected by the hack. However, with the depth of PII that was stolen, the cybercriminals have more than enough data to access password or financial information belonging to the affected individuals.[10] This hack was particularly problematic because all MGM properties – it operates fourteen hotels on the Las Vegas Strip and double that number globally – were believed to have been affected to some degree, with reports stating that room keys stopped working, slot machines were down and winnings were paid out from a fanny pack.[11] The attack was a “vishing” or social engineering attack in which the hackers, armed with basic information about an employee, called that person’s work IT hotline asking for a password reset. This relatively unsophisticated approach exposed a lack of policies for user verification.[12] Ten days after the systems went offline, MGM released a statement claiming that all properties were operating normally; however, MGM employees reported that they were still not able to access their work email accounts and that hotel reservations had to be made by phone or via third-party websites.[13] An SEC filing made by MGM almost one month after the initial attack appeared to confirm that the company was still restoring some guest-facing systems.[14] In the same filing, the company estimated a negative impact of approximately US$100 million in the third quarter from the incident, and noted that it had incurred “less than US$10 million in one-time expenses… related to the cybersecurity issue.”[15] The company further claimed that it expected the loss to be contained in the third quarter, but admitted that it had not determined the “full scope of costs and related impacts of this issue.”[16] That number clearly does not account for the inevitable class action lawsuits that will be filed regarding the incident.

Caesars Entertainment was the target of a similar hack just days before MGM’s September 2023 incident.[17] Hackers obtained a copy of the Caesars loyalty card member database, which included social security and driver’s license numbers.[18] In this case, hackers first breached a third-party IT vendor before using that pathway to access the Caesars network.[19] It is rumored that Caesars paid tens of millions of US dollars in ransom to avoid operational disruptions similar to those experienced by MGM.[20] Caesars and MGM are not alone: in April 2023, one of Canada’s largest gaming companies, Gateway Casinos, was the target of a cyberattack that resulted in 14 of its casinos being shut down for two weeks.[21]

People are, by far, the biggest vulnerability in cybersecurity, but they are just one small part of an array of entry points available to hackers looking to gain access to a company’s systems. Social engineering attacks are on the rise because they are significantly faster, more effective, and harder to prevent than traditional hacking methods.[22] These typically progress to distributed denial-of-service (“DDoS”) attacks (like MGM’s September 2023 attack) and, in many cases, successful ransoms. According to the 2022 Internet Crime Report produced by the FBI’s Internet Crime Complaint Center, the total number of cybercrime complaints decreased five percent from the prior year; however, dollar losses increased significantly, by 49 percent (from US$6.9 billion in 2021 to US$10.2 billion in 2022).[23] The alarming rate at which dollar losses have increased over the last few years should be an indicator to all sectors that it is time to prioritize cybersecurity.

Another notable development – expanding connectivity – has created further cybersecurity weaknesses. The Internet of Things (“IoT”) plays a prominent part in casino technology through items such as smart lighting, cameras, remote check-in/check-out, and even trackable casino chips.[24] In 2017, hackers were able to access an undisclosed casino’s database of high-roller customers through a smart thermometer located in a fish tank that was connected to the casino’s IoT network.[25] Six years on, it is to be hoped that such IoT loopholes have been patched, but entities still need to actively monitor their network traffic to reveal vulnerabilities.

Regulatory Efforts: a comparison between US and UK regulation

1. US Gaming Cybersecurity Regulations

The US does not currently have an overarching data privacy law that applies on a federal level, but there are state-specific privacy laws that vary in scope and protection. Many of these privacy laws set out cybersecurity breach response provisions that gaming companies operating in that state must abide by, but only about 25 percent of the 50 states in the US have comprehensive consumer data privacy laws.

Nevada’s privacy law is very weak and does not aid much in cybersecurity regulation. That said, the Nevada Gaming Commission (“NGC”) is the only gaming regulatory body in the US to have implemented a set of cybersecurity-specific regulations for its licensees to adhere to.[26] In December 2022, the NGC approved and adopted NGC Regulation 5.260, effective January 1, 2023.[27] The new regulations have been covered in past editions of the IMGL Magazine,[28] but in summary they define cyberattacks, set out record-keeping requirements and best practice for risk assessment and monitoring, and list the actions required of covered entities in the event of a cyberattack. They also set a higher bar for larger operators in terms of personal responsibility and independent audit requirements.

It is worth noting that in August 2023, the Massachusetts Gaming Commission (“MGC”) approved and enacted 205 CMR 257: Sports Wagering Data Privacy, a strict privacy regulation that includes a provision stating: “In the event of a suspected data breach, gaming operators must immediately notify the MGC and commence an investigation within five days of discovery” (emphasis added).[29] Like the NGC regulation, the MGC regulation is broad and specifies that the MGC must be notified even in the event of a suspected breach, not just a confirmed one. This is a start towards more effective cybersecurity regulation, although it only applies to sports betting operators and not to all gaming operators within the state. Massachusetts gaming operators are required to notify the MGC under Massachusetts state privacy law in the event of a breach; however, there is no specific regulation from the MGC that applies to all licensees.

Furthermore, the Securities and Exchange Commission (“SEC”) recently adopted guidelines stating that publicly traded firms must disclose material information pertaining to their cybersecurity risk management, processes, and oversight.[30] Form 8-K has been amended to include Item 1.05, which requires a company to disclose a material cybersecurity incident when it occurs.[31] Whilst the company itself determines whether or not an incident is considered “material,” the SEC has noted that it will expect doubts about materiality to be resolved in favor of protecting investors.[32] The Item 1.05 Form 8-K must be filed within four business days after the company concludes that the incident was material.[33] Additionally, starting with the first annual report for a fiscal year ending on or after December 15, 2023, companies will be required to report the following information under Item 1.06 of Regulation S-K:

  • the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes;
  • whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and, if so, how;
  • a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats; and
  • a description of the board of directors’ oversight of risks from cybersecurity threats including, if applicable, identifying any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describing the processes by which the board or such committee is informed about such risks.[34]

This is helpful to cybersecurity regulation because the largest gaming companies in the country are publicly traded; however, it does not cover any of the privately owned gaming companies in the country. Without a comprehensive consumer data privacy law at the federal level, the US will take years to reach the level of cybersecurity regulation that advancements in technology currently require.

2. UK Gaming Cybersecurity Regulations

The Data Protection Act 2018 is the UK’s implementation of the European Union’s General Data Protection Regulation (“GDPR”).[35] The GDPR requires that personal data be processed securely using appropriate technical and organizational measures, but it does not mandate a specific set of cybersecurity measures.[36] The GDPR expects companies to take appropriate action and manage risk based on the nature of the data processed and the risks posed by their specific business practices.[37] The UK Gambling Commission is at the forefront of cybersecurity regulation for its licensees because it has had to adopt regulations that, at the very least, comply with the GDPR.

All licensed remote gambling operators and gambling software operators must comply with specific licensing requirements, including technical standards, and provide annual security audit reports to the UK Gambling Commission.[38] Additionally, newly licensed remote gambling operators must submit a security audit report within six months of being granted a license, whether or not they have started trading.[39] The UK Gambling Commission has published the Remote gambling and software technical standards (“RTS”), which are split into very specific technical standards and minimum security requirements that licensed remote gambling operators and gambling software operators are expected to meet.[40] The security requirements outline the minimum expected information security standards that apply to any UK Gambling Commission license holder.[41]

The RTS security requirements are based on specific controls from Annex A of ISO/IEC 27001:2013.[42] This is an internationally recognized, certifiable standard for managing information security, published jointly by the International Organization for Standardization and the International Electrotechnical Commission. UK Gambling Commission licensees do not need to be certified to the ISO/IEC 27001 standard; however, they are required to undergo an independent audit annually and submit the report findings to the Gambling Commission.[43] The RTS requirements utilize approximately 50 percent of the controls needed to be ISO/IEC 27001 certified.[44] The requirements focus only on specific controls outlined in the international standard and do not require licensees to implement the framework elements that can be found in the ISO/IEC standard.[45]

The UK Gambling Commission has stated that its aim in setting out security standards is to ensure customers are not exposed to unnecessary security risks by choosing to participate in remote gambling.[46] This situation is not completely analogous to the landscape in the US, as the bulk of PII gathered from customers in the US is from activity in its land-based casinos rather than remote operations. The UK Gambling Commission has noted that the security standards apply to these critical systems:

  • electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, for example, credit/debit card details, authentication information, customer account balances
  • electronic systems that generate, transmit, or process random numbers used to determine the outcome of games or virtual events
  • electronic systems that store results or the current state of a customer’s gamble
  • points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems)
  • communication networks that transmit sensitive customer information.[47]

Some of the control areas that the UK Gambling Commission has highlighted as most critical to achieving its aim include policies for information security, mobile devices and teleworking, termination and change of employment responsibilities, management and disposal of media, access control, operations and communications security, system acquisition, incident management, compliance, and supplier relationships.[48] Supplier relationship policies can be especially important in the gaming sector because companies often utilize third-party companies, where they are allowed to, in order to cut costs and outsource work more efficiently. As the Caesars hack shows, third-party relationships and systems can often represent another easy point of entry for the intrepid hacker, since they are connected to the same systems where the PII is stored but without the same level of security controls. The UK Gambling Commission’s cybersecurity controls are significantly more onerous on the licensee, and more protective of the customer, than any of their counterparts in the American regulatory structure.

Mitigation: insurance rather than investment

One of the biggest issues with cybersecurity regulations in the United States is that the gaming industry is yet to fully face up to the challenge. Instead of investing in more sophisticated cybersecurity and educating their employees to a higher level, the gaming industry has chosen to rely on cybersecurity insurance in the event of an incident or breach. MGM’s CEO William Hornbuckle has been quoted complaining about the rising costs of cybersecurity insurance and indicated that the company’s cybersecurity insurance would cover most of the company’s losses from the September 2023 incident.[49]

While cybersecurity insurance is not currently required by the NGC, most gaming companies carry it anyway.[50] The MGC, however, does require licensees to have cybersecurity insurance.[51] Given that both Caesars and MGM drew on their cybersecurity insurance within the same month for large dollar amounts, insurance terms and premiums are likely to become less favorable within the gaming industry due to the risks that these types of businesses represent to the insurer.[52]

According to the World Economic Forum, governments and cybersecurity professionals can create a better landscape by taking three specific actions.[53] First, countries and their governments must become more agile and timely in updating national cybersecurity strategies, as well as the legal and regulatory framework in place regarding the internet.[54] The legal field is notoriously slow, and there is often pushback from the private sector when it comes to meaningful cybersecurity reform. This is one reason why the US does not have a comprehensive privacy law at the federal level.

Second, governments need to increase international cooperation and information sharing on cyber issues and known cybercriminals.[55] A significant number of large-scale hacking operations are foreign state-sponsored. International cooperation between friendly countries could help identify potential attacks and attackers before they strike. Third, public and private sector organizations in all countries should put more effort into educating the public and their own employees about cyber threats.[56] Cybercrime is a crime of opportunity, and education is its enemy. The best way to avoid new malicious schemes is to be aware and vigilant enough to spot the newest developments and tricks. This is especially true in the case of social engineering attacks. All entities should train and educate their employees to identify sophisticated social engineering attempts. Governments and large companies are often aware of new schemes and scams in cyberspace, but they often fall short of educating their employees until it is too late and they have already experienced a breach or other incident.

Conclusion

Hackers adapt to new challenges and technologies over time; collaboration between industry players and regulators is therefore key to impactful cybersecurity policy in the gaming industry. The 2023 MGM and Caesars hacks only serve to demonstrate that the gaming industry is an attractive target and that cyber threats will only increase in the future. Industry leadership and collaboration are an essential part of protecting businesses, investor confidence and consumers alike from these threats. The legal and regulatory processes in the US are entirely too slow to adequately protect consumers. Instead of relying on regulation, the industry could adopt a framework similar to the ISO/IEC 27001 cybersecurity standard. It is likely only a matter of time before the US gets a federal privacy law, which will probably closely resemble the GDPR. It would benefit the gaming industry to anticipate such changes and invest in adequate policies and procedures now. The industry has relied on cybersecurity insurance thus far, but as more incidents occur, insurance carriers will continue to raise prices while simultaneously reducing coverage based on the risk the gaming sector presents. It is incumbent on gaming industry leaders to review the measures outlined above and invest in both systems and staff. As an industry that is worth US$250 billion and counting, it is both important and necessary that greater value be placed on information security.

[1] Global Casinos & Online Gambling – Market Size (2005-2029), IBIS World, https://www.ibisworld.com/global/market-size/global-casinos-online-gambling/#:~:text=The%20market%20size%2C%20measured%20by,industry%20increased%2011.8%25%20in%202022 (last visited Dec. 3, 2023).

[2] Catalin Cimpanu, A hacker is selling details of 142 million MGM hotel guests on the dark web, ZDNet (July 13, 2020, 6:49 PM), https://www.zdnet.com/article/a-hacker-is-selling-details-of-142-million-mgm-hotel-guests-on-the-dark-web/.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] MGM Resorts Update on Recent Cybersecurity Issue, MGM Resorts International (Oct. 5, 2023), https://investors.mgmresorts.com/investors/news-releases/press-release-details/2023/MGM-RESORTS-UPDATE-ON-RECENT-CYBERSECURITY-ISSUE/default.aspx.

[9] Id.

[10] Id.

[11] Rachel Sudbeck, What Everyone Got Wrong About the MGM Hack, Kolide, https://www.kolide.com/blog/what-everyone-got-wrong-about-the-mgm-hack (last visited Dec. 3, 2023).

[12] Id.

[13] Richard N. Velotta & Sean Hemmersmeier, MGM: Operations back to normal; employees cite residual problems, Las Vegas Review-Journal (Sept. 20, 2023 6:23 PM), https://www.reviewjournal.com/business/casinos-gaming/mgm-operations-back-to-normal-employees-cite-residual-problems-2908069/.

[14] United States Securities and Exchange Commission, Form 8-K – MGM Resorts International (Oct. 5, 2023), https://www.sec.gov/ix?doc=/Archives/edgar/data/789570/000119312523251667/d461062d8k.htm.

[15] Id.

[16] Id.

[17] William Turton, Caesars Entertainment Paid Millions to Hackers in Attack, Bloomberg (Sept. 13, 2023, 11:52 AM), https://www.bloomberg.com/news/articles/2023-09-13/caesars-entertainment-paid-millions-in-ransom-in-recent-attack?sref=10lNAhZ9&leadSource=uverify%20wall.

[18] Id.

[19] Id.

[20] Id.

[21] David O’Connor, Gateway Casinos Warn Employees that Their Personal Information ‘Likely’ Compromised, Casino.org (June 14, 2023), https://www.casino.org/news/gateway-casinos-warn-employees-information-compromised/.

[22] PlexTrac, Why Social Engineering Is So Effective, https://plextrac.com/why-social-engineering-is-so-effective/ (last visited Dec. 3, 2023).

[23] Fed. Bureau of Investigation, Internet Crime Report (2022), https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf.

[24] Centripetal, The Critical Cyber Threats That Are Targeting Casinos, https://www.casino.org/news/gateway-casinos-warn-employees-information-compromised/ (last visited Dec. 3, 2023).

[25] Id.

[26] Kelci S. Binau, New Cybersecurity Regulations from the Nevada Gaming Commission, Clark County Bar Ass’n, https://clarkcountybar.org/new-cybersecurity-regulations-from-the-nevada-gaming-commission/#:~:text=The%20new%20regulations%20require%20covered,5.260(1). (last visited Dec. 3, 2023).

[27] Id.

[28] https://www.imgl.org/publications/imgl-magazine-volume-3-no-2-tbd/getting-up-to-speed-with-cyber-security/

[29] Hunton Andrews Kurth, Massachusetts Sports Wagering and Data Privacy Regulations Take Effect (Sept. 25, 2023), https://www.huntonprivacyblog.com/2023/09/25/massachusetts-sports-wagering-and-data-privacy-regulations-take-effect/#:~:text=On%20August%208%2C%202023%2C%20the,Information%20or%20Personally%20Identifiable%20Information.

[30] Michael Best, SEC Adopts New Cybersecurity Disclosure Rules (Sept. 6, 2023), https://www.michaelbest.com/Newsroom/322215/SEC-Adopts-New-Cybersecurity-Disclosure-Rules.

[31] Id.

[32] Id.

[33] Id.

[34] Id.

[35] The Data Protection Act 2018 (UK).

[36] National Cyber Security Centre, General Data Protection Regulation (GDPR), https://www.ncsc.gov.uk/information/gdpr (May 18, 2018).

[37] Id.

[38] IT Governance, Gambling Commission Compliance – Security Requirements, https://www.itgovernance.co.uk/gambling-commission-compliance#:~:text=What%20does%20the%20gambling%20commission,provide%20annual%20security%20audit%20reports. (last visited Dec. 3, 2023).

[39] Id.

[40] Id.

[41] Evalian, Gambling Commission RTS security compliance (July 17, 2023), https://evalian.co.uk/gambling-commission-rts-security-compliance/.

[42] Id.

[43] Id.

[44] Id.

[45] Id.

[46] UK Gambling Commission, Remote gambling and software technical standards (RTS), https://www.gamblingcommission.gov.uk/standards/remote-gambling-and-software-technical-standards/4-remote-gambling-and-software-technical-standards-rts-security-requirements (Nov. 23, 2023).

[47] Id.

[48] Id.

[49] Rachel Sudbeck, supra note 11.

[50] Richard N. Velotta, Should regulators require casinos have cybersecurity insurance?, Las Vegas Review-Journal (Oct. 9, 2023 4:17 PM), https://www.reviewjournal.com/business/casinos-gaming/should-regulators-require-casinos-have-cybersecurity-insurance-2918321/.

[51] Id.

[52] Claire Wilkinson, Casino breaches may prompt cautious cyber pricing: Guy Carpenter, Business Insurance (Sept. 20, 2023), https://www.businessinsurance.com/article/20230920/NEWS06/912359953/Casino-breaches-may-prompt-cautious-cyber-pricing-Guy-Carpenter.

[53] Belisario Contreras, 3 ways governments can address cybersecurity in the post-pandemic world, World Economic Forum (Jun. 29, 2020), https://www.weforum.org/agenda/2020/06/3-ways-governments-can-address-cyber-threats-cyberattacks-cybersecurity-crime-post-pandemic-covid-19-world/.

[54] Id.

[55] Id.

[56] Id.