6 November, 2023 | NOV DEC 2023

Don't gamble with cybersecurity

Daniela Guerreiro, Associate at law firm MdME and Gambling Insider contributor, assesses lessons learned from recent cyber attacks

Multiple news sources have been reporting cyber attacks targeting US gaming companies, with Caesars Casino and MGM Resorts being the poster-child victims of these incidents.

In the MGM case, it seems that the attack was so severe that MGM had to shut down several systems to better protect the data, affecting everything from hotel room digital keys to slot machines. MGM’s cybersecurity issues have been intermittent and have even resulted in leaks of guests’ and patrons’ personal data.

These events show that gaming operators – even if subject to stringent cybersecurity measures and the heavy scrutiny of regulators – are not immune to cybersecurity breaches.

The attacks on US gaming operators have highlighted the rising prevalence of cyber threats and the relevance of appropriate cybersecurity systems: beyond the immediate financial losses suffered by the gaming operator itself, being the victim of a cyber attack could also erode customer trust, as it could entail personal data breaches, making patrons vulnerable and resulting in reputational damage for the gaming operator.

The impact on the image and revenue streams is imminent. In other words: the stakes are high.

Being a well-known and reputed gaming hub, these US occurrences prompted a discussion about the cyber resiliency across the globe. In the case of Macau, according to some insiders, it seems that some gaming operators conducted the relevant internal security checks to further shield against cybersecurity vulnerabilities.

Some voices have assured that gaming operators in Macau have robust systems to prevent the occurrence of incidents, partly due to the Macau Cybersecurity Law enacted in 2019.

The Macau Cybersecurity Law regulates the cybersecurity system of Macau by establishing specific duties for operators of critical infrastructures. In summary, gaming operators are precisely deemed an ‘operator of a critical infrastructure’ under the Macau Cybersecurity Law.

Gaming operators in Macau have been establishing strict cybersecurity measures prior to the Cybersecurity Law as a best-practice commitment; such best practices became enforceable duties.

Under the Macau Cybersecurity Law, operators of critical infrastructures (such as gaming operators) are required to comply with several duties, including responsibilities of an organisational nature, as well as procedural, preventive and reactive measures, self-evaluation and cooperation with public authorities.

In the Macau example, the Cybersecurity Law requires gaming operators to appoint a person responsible for overseeing the cybersecurity systems, adopt appropriate technical measures to protect the systems, conduct self-evaluations and submit reports on their own systems annually.

Moreover, gaming operators are required to work closely with the Cybersecurity Incident Alert and Response Center (CARIC) – the entity responsible for, and specialised in, alerting and responding to cybersecurity incidents – and to report any potential cybersecurity incidents directly to the CARIC.

With the increasing relevance of technology and cyberspaces, cybercriminals are becoming bolder and more sophisticated. It is imperative to rethink cybersecurity in the gaming sector.

One way to better respond to threats and to prioritise business continuity is to have gaming operators strengthen their infrastructures. This could be achieved by conducting regular risk assessments.

Gaming operators should analyse and constantly monitor their information systems and assess potential risks. Having identified these risks, gaming operators will be in a better position to find the best mitigation strategy and develop an incident response plan.

The incident response plan should be as detailed as possible: it should define the responsibilities of each actor, the communication channels between each member and the specific duties to be undertaken in the event of a cybersecurity incident.

Another actionable plan is to raise awareness about cyber risks within the organisation. It is essential to educate employees about potential threats, to ensure the personnel can carry out their work efficiently while keeping the organisation secure.

Cybersecurity in the gaming sector can also benefit from open dialogues with other industry players, to share cybersecurity intelligence and foster an environment of collective combat against the common enemy: cyber attacks.

The gaming industry is extremely profitable and has grown exponentially in recent years. Unfortunately, this popularity also attracts cybercriminals, who see this sector as a lucrative target and a goldmine of personal data.

Although zero risk is impossible in practice, the proper implementation of cybersecurity measures can greatly mitigate the existing risks. By staying on top of recent cybercrime trends and staying vigilant by implementing robust cybersecurity measures, the gaming sector can overcome its challenges and continue to thrive.