10 November, 2021

Roundtable: Data and Compliance

Industry leaders from Continent 8 Technologies, Internet Vikings and W2 discuss compliance risks within gaming, as well as the storage and protection of data, with Peter Lynch

What are the greatest compliance risks facing the gaming industry?

 

Warren Russell:

One of the key factors the operators and all stakeholders within the industry need to understand is the changing face of regulation; now more than ever legislation is driven by public opinion and international politics. Be that data sovereignty due to Brexit, responsible gambling highlighted by public figures and multimedia platforms, or the opening up of new markets. The positive and negative impact of any changes needs to be taken into account and failure to properly understand that will cause the biggest issues. If we simply look at ‘risk to the industry’ being fines levied, then this is often due to systems and processes not keeping up with change, rather than a deliberate attempt to flout or ignore regulation.

 

Rickard Vikström:


iGaming is an agile and fast-developing, yet relatively young, industry. As a consequence, it is exposed to a number of compliance risks. Be it GDPR, licensing challenges or staying on top of ever-changing regulations across multiple jurisdictions, our compliance departments always have their hands full. However, I would like to emphasise the issue that is beyond our control at the moment. That is the absence of a working banking system which increases the risk of money laundering and other fraudulent activities. Unfortunately, the payment and payment/bank withdrawal system for iGaming is counter-effective. We are being largely pressured to work with iGaming-specific banks because there is hesitancy in the larger banks. On the contrary, the industry should attempt to build an ecosystem where they work together with the well-known reliable banks, who are good with such pivotal elements as KYC (Know Your Customer) and AML (Anti-Money Laundering).

 

David Brace:

The sheer velocity of the expansion in regulated markets, globally, represents the biggest challenge to all parties in the gaming industry. The number of new jurisdictions looking to take advantage of the boom in online gaming, coupled with the race to be first to market in every location, represents the biggest compliance risk to the industry. Every new market has its own set of rules covering some or all aspects of licensee’s businesses, from KYC & AML responsibilities to age verification, and player locations requirements to data sovereignty and locality requirements. This, combined with the recent surge in M&A activity worldwide, means many organisations are facing a mountain of compliance work in combining new obligations with merging and revalidating existing regimes

 

Given the rise of technology that aggregates information, how important is it to protect data?

 

Warren Russell:

Data protection is the single biggest risk facing any organisation that processes Personally Identifiable Information. The fines and reputational damage an organisation can face under GDPR far outweigh pretty much any other regulatory penalty, so protecting your customer data cannot be understated. We work in a highly competitive sector so anything that damages the integrity of your brand or your solution is going to give you problems, serious problems – and this is only looking at it from a business perspective. If you take into account the actual reason for being security focused, neither I nor anyone else wants their personal information available for use for nuisance or nefarious actions. So ignore data protection at your peril.

 

Rickard Vikström:

Without a shadow of a doubt, data protection should be one of the top priorities of every company, especially in the iGaming sector. Currently, personal data is the main target for internet hackers. It is extremely valuable on its own, not to mention online payments& transactions. While iGaming remains one of the fastest-growing industries in the world, continuously increasing the amount of online data and revenue it accumulates, both businesses and players remain prey to online criminals. First and foremost, it is critical to control how data can be accessed, as well as having different layers of security so that not all information is stored in one place. Unfortunately, there will always be security flaws, hence we need to construct architecture that is able to withstand intrusion, just as we have been learning and building physical security over the past 100 years. For instance, the Marriott/Starwood hack is the perfect example that shows how costly having all data in the same place can be. Not only were they fined £18.4m ($25.3m), but 500 million customers and the brand’s reputation were compromised.

Another crucial point I would like to bring to everybody’s attention is the importance of both external and internal security. When it comes to data security breaches, everybody instantly thinks of external intruders. However, an angry employee, who can destroy his or her company by easily stealing data, still remains an unresolved issue. Something that is considered to be a taboo topic for many.

 

David Brace:

Data is arguably the most valuable asset that an online gambling organisation has, and the rise in publicised high-profile data breaches reflects this. What’s more, the volume of data collected and stored by all organisations is increasing. It is predicted that cyber crime will cost the world $10.5tn annually by 2025 – no business is immune, and companies of all sizes are being hit by increasingly sinister attacks that have the potential to take them offline. This causes disruptions to products, services and revenues, but most importantly reputations. The iGaming industry is one of the most attacked sectors; our quarterly DDoS statistics show a sizable increase in the number of attacks, as well as the severity. For this reason, it is more important than ever for all organisations to take cybersecurity and data protection seriously. Those that do will ensure they are as protected as they can be against these incidents, while those that do not will find themselves incredibly vulnerable; and far more likely to suffer a data breach and the consequences it brings.

 

What is the best practice when it comes to storing data?

 

Warren Russell:

There are so many solutions and companies out there that will help, give you guidance and sometimes even conflict with one another. I guess it comes down to principles, and the key one is people. People are your biggest risk, clicking on that malicious link, password reuse, removable media… etc – this is the most common form of cyber threat leaving businesses exposed – so it all begins with staff awareness; everyone, regularly. Make sure it is at the top of your list of things to do – are my team aware of data protection risks? From there, it becomes more technical and pretty much common sense – keep your security architecture and processes confidential – the more people who know them the higher the risk (a common question in an RFP), then encryption, IDS, IPS, secure transfer… the list goes on. Too much for the character limit I have here!

 

Rickard Vikström:


My number one recommendation is access control and segregation. Don't have it all in one place – simple as that! We always recommend different layers and microservices, or at least multiple tables within the database instead of a single unified database, to avoid the entire information being retrieved due to cross-site-scripting vulnerability. On the other hand, it is easier said than done. It is quite challenging to architect a system that is equally efficient and secure without overly complicating it. The main issue with architecting a system like that is that it takes a long time to build. In the meantime, ideally, you should be working with security access-control lists (ACLs) from the beginning. It will pay off in the long run.

 

David Brace:

We have more than 20 years of experience protecting data in the online gaming space. Our knowledge tells us that organisations, in terms of data security, should take a layered approach. There is a range of solutions this should include: DDoS, WAF, Endpoint Protection, and Security Information and Event Management (SIEM). Most recently, we have enhanced our Secure offering with Managed Threat Detection & Response solutions. This is a complete end-to-end proactive threat solution combining advanced SIEM/EDR/SOAR/ML technologies with proven 24/7 SOC resources. This gives businesses and organisations unprecedented visibility, and response capabilities, against known and unknown threats – at a time when cybercriminals are really upping the ante.

 

How can the management of data help with responsible gambling practices?

 

Warren Russell:

We are experts in using data to maximise business opportunities, not just in gambling but across all different types of verticals – targeted marketing is the ever-present now, regardless of the platform you are on or across. Now we need to become experts in managing that same data to help identify patterns and highlight any risks. I am sure many of us saw the recent Paul Merson documentary which gave some level of insight into the data that is available to operators; and while I am in no way advocating that it is the operator’s sole responsibility to prevent gambling harm, I think this is a much larger topic where many stakeholders, including the player, all have a degree of responsibility to one another. I think the operator and its relevant supply partners are very well positioned to act as the ‘warning bell.'

 

Rickard Vikström:


Data management is directly linked to responsible gaming. For example, if (though I should probably say when) a large well-known iGaming operator gets hacked, someone can steal its customers’ contact details and then market to unlicensed or offshore casinos. This is something that has already happened in the past and will continue to happen in the future, because there is too much money involved. Nonetheless, we as an industry need to work together to upgrade our systems and tighten security measures, to protect the players. I will repeat myself again: the best practice is to segregate the data and limit the number of people who have access to it, as well as have firewalls in place; so that data cannot leave the hosting environment or your company premises.

 

David Brace:

Data can be used by operators to identify unusual behaviours in both individuals and groups, raising flags for player protection or unusual betting patterns. Responsible gambling is a major talking point in the industry and, with proper data management, companies can be more proactive with their approach to analyzing behaviours and profiles of players, to identify if someone could be a problem gambler. The maturation of the machine-learning method of data analysis can also help with responsible gambling practices. The ability to automatically explore, analyse and leverage data at machine speed rather than human speed could revolutionise the way organisations interact with their customers, including making interventions as soon as possible problem play is identified. Machine learning provides organisations with the ability to automatically generate an understandable big-picture view efficiently, taking a vast number of disparate data points and turning them into actionable strategies. By leveraging this, operators and suppliers can take responsible gambling, and safe gaming, to the next level.