Nevada regulators advance tighter cyberattack reporting after 2023 MGM and Caesars breaches

Nevada gaming regulators have held a dedicated public workshop to advance changes to the state’s cybersecurity reporting rules, directly linked to the September 2023 cyberattacks that affected major Strip operators MGM Resorts and Caesars Entertainment. The workshop, held on Thursday 4 December 2025 and presided over by Nevada Gaming Control Board (NGCB) chair Mike Dreitzer, focused on proposed amendments to Regulation 5.260 aimed at tightening timelines and procedures for reporting cyber incidents to the Board.

At the opening of the session, officials recalled that current rules require licensees to notify the NGCB of a cyberattack within 72 hours once the incident is confirmed. The draft amendments discussed at the workshop would reduce that window to 24 hours. Regulators stressed that this earlier notification point is intended to ensure that the Board is informed quickly when an operator becomes aware of a confirmed attack affecting gaming systems, customer data, key operational platforms or regulatory compliance.

During the workshop, a representative of the Nevada Attorney General’s Office walked through the detailed structure of the proposed rule. Under the draft, a licensee would first need to contact the NGCB within 24 hours of determining that a reportable cyber incident has occurred. That initial contact could be made through a phone call or email and would be followed by a formal Initial Cyber Incident Response report within five calendar days. After that, the operator would provide 30-day updates until the incident is documented as fully resolved. The proposal also contemplates the option for a meeting with the Board instead of filing a written incident report, provided that the meeting and subsequent documentation occur within the same 30-day framework.

The workshop made clear that the amendments are designed to address lessons from the 2023 attacks, which disrupted operations and systems at MGM Resorts and Caesars Entertainment and highlighted gaps in how incidents were communicated to the regulator. Board members referred to those events as complex situations that generated substantial operational and reputational impact, and they underlined the importance of receiving direct information from licensees rather than learning about incidents through the media or third parties.

Industry stakeholders, including the Nevada Resort Association (NRA), used the workshop to express concerns about the feasibility of the shortened reporting timeline. The NRA argued that many operators rely on third-party cybersecurity vendors whose contracts allow up to 48 hours to notify the licensee of a potential incident. Companies then usually seek additional time to evaluate the information internally before confirming whether an event meets the threshold for a reportable breach. In response, regulators indicated that the 24-hour requirement would be calculated from the point at which the operator itself is informed of a confirmed attack, not from the initial technical detection by a vendor.

Participants also focused on the distinction between serious breaches and routine events that do not cause material impact. Representatives from casino companies noted that security teams investigate numerous alerts every day that never escalate into confirmed cyber incidents. They warned that, without clear boundaries, the new rule could generate a high volume of notifications about events that fall short of a material breach. Board members acknowledged these concerns but indicated they were reluctant to set a rigid, one-size-fits-all definition of “material” due to differences in size, systems and risk profiles across Nevada licensees.

Another point highlighted in the workshop was the growing volume and sophistication of cyber threats facing Nevada’s gaming sector. Reference was made to recent academic work outlining dozens of cyber incidents affecting casinos in the state over the past decade and a half, many of them occurring in more recent years. Regulators and stakeholders agreed that large resort operators, local casinos and digital gaming platforms all present attractive targets because of the concentration of transactional data, payment flows and interconnected systems.

Throughout the session, Dreitzer repeatedly underlined that the proposed changes do not attempt to prescribe specific cybersecurity technologies or architectures for operators. Instead, the focus is on governance and communication: ensuring that licensees have internal processes to detect, assess and escalate incidents and that the NGCB is notified in a timely and consistent manner. The Board chair also emphasised that information submitted under the amended regulation would be subject to the same confidentiality protections that apply to other regulatory filings.

The workshop further placed these cyber proposals within a broader agenda of regulatory updates being led by the NGCB. Since taking over as chair in June 2025, Dreitzer has overseen multiple rule reviews and amendments in areas such as chip redemption, private gaming salons and surveillance, and the Board has signalled that cybersecurity is now a permanent pillar of its regulatory priorities. Officials noted that several other amendment processes are running in parallel, covering different parts of Nevada’s gaming framework.

At the conclusion of the workshop, regulators invited additional written comments from operators, trade bodies, technical providers and other interested parties to refine the language of the cyber reporting amendments. The final version of the proposal is scheduled to be considered by the Nevada Gaming Commission at its meeting on 18 December 2025. If approved, the updated rules would formalise the new 24-hour notification requirement, the five-day initial incident report and the 30-day update cycle, all expressly linked to cyber incidents that have a material impact on licensed gaming operations or associated systems.

With the workshop completed and the amendments moving to the Commission stage, Nevada’s gaming regulators have now formally anchored the experience of the 2023 cyberattacks into a revised reporting framework. The process described at the session sets out how future cyber incidents must be communicated, documented and followed up between casino licensees and the NGCB, using the MGM and Caesars breaches as a clear reference point for the regulatory response.