Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Nevada regulators have moved forward with revisions to the state cybersecurity reporting framework, drawing on lessons from the 2023 attacks that disrupted major casino operators. A public workshop held by the Nevada Gaming Control Board examined how licensees should escalate cyber incidents to the regulator under a more defined timeline.
Good to Know
- Draft rules reduce the cyber incident notification window from 72 hours to 24 hours.
- Operators must file an initial report within five days and follow with 30-day updates.
- MGM Resorts and Caesars Entertainment cyber incidents shaped many of the proposed changes.
Nevada Reviews Faster Cyber Reporting Rules After Major Casino Attacks
Regulators opened the workshop by outlining how the current system functions and why they aim to shorten the reporting period. Under the rule in place today, operators contact the Board within 72 hours once an incident is confirmed. The proposal debated during the session compresses that window to 24 hours to ensure the Board receives direct information before details reach outside parties.
A representative from the Nevada Attorney General Office presented the structure of the draft. Under the revised framework, an operator must alert the NGCB within 24 hours of confirming a reportable cyber event that affects gaming systems, customer records, operational platforms or compliance-linked technology. Phone or email contact would be acceptable for that first notification. A formal written submission would follow within five calendar days, and operators would then provide updates every 30 days until the matter reaches full resolution. A meeting with the Board could substitute for a written incident report as long as it occurs on the same 30-day timeline.
Discussion repeatedly circled back to the severe MGM Resorts and Caesars Entertainment outages in 2023. Workshop participants referenced those incidents as examples of how gaps in communication complicated regulatory oversight. Board members noted that they learned about parts of those events through outside channels rather than through immediate operator briefings. The workshop highlighted the need for reliable governance structures that allow regulators to track evolving threats with minimal delay.
Get 125% / $2,500 on 1st deposit!
New players only. Exclusive Welcome Bonus of up to $2,500
Industry stakeholders, including the Nevada Resort Association, raised questions about how operators would meet the shorter timeline. Many casino groups rely on outside cybersecurity vendors that take up to 48 hours to notify an operator about a confirmed breach. Industry representatives argued that they often need additional time after vendor notification to assess whether an event meets the regulatory threshold. Regulators clarified that the 24-hour period would begin only once an operator is informed that a confirmed, reportable incident exists, not at the moment a vendor first detects indicators of compromise.
Participants also pressed for clearer boundaries around materiality. Security teams review large volumes of alerts that never escalate beyond routine investigation. Casino representatives expressed concern that the proposed rule might require unnecessary notifications for minor incidents. Regulators acknowledged the operational burden but also noted that setting a rigid definition across operators of varying size and technology profiles could create unintended consequences.
The increasing complexity and frequency of cyber incidents formed a major part of the discussion. Reference was made to recent research showing dozens of attacks on Nevada gaming properties over the past fifteen years, with more cases emerging in recent periods. Stakeholders agreed that large resort operators, local casinos and digital platforms all represent attractive targets due to payment systems, player databases and interconnected networks.
NGCB chair Mike Dreitzer pointed out that the proposal does not mandate any specific tools or cybersecurity architectures. The focus remains on internal processes, early communication and consistent escalation procedures. He stressed that information submitted to the Board would receive standard confidentiality protections, mirroring other regulatory filings.
350% or 5BTC + 150 Spins!
New players only. Exclusive Welcome Bonus of 350% + 150 Free Spins
Cyber policy forms part of a broader regulatory review underway since Dreitzer became chair in June 2025. Other amendments involving chip redemption, private salons and surveillance protocols are advancing in parallel, underscoring how cybersecurity now stands as a permanent regulatory priority for Nevada.
Regulators invited written feedback from operators, vendors, trade associations and other parties following the workshop. The updated rule package is scheduled for review by the Nevada Gaming Commission on 18 December 2025. Approval at that meeting would formalise the 24-hour notification requirement, the five-day initial report and the 30-day follow-up structure for cyber incidents that materially affect licensed gaming operations or connected systems.
The post Nevada Workshop Examines 24-Hour Cyber Incident Reporting Plan for Casinos appeared first on iGaming.org.