Greg Brower, Partner, Brownstein Hyatt Farber Schreck


In your view, what’s the single biggest threat to cybersecurity for gaming operators and regulators, and what advice would you give to protect themselves from risk?


Greg Brower is a partner in the Washington, DC and Nevada offices of Brownstein Hyatt Farber Schreck where his practice is focused on civil and criminal litigation, government investigations, cybersecurity matters, and gaming law. In addition to many years of experience in private practice, Greg also previously served as Deputy General Counsel at the Federal Bureau of Investigation (FBI) and as U.S. Attorney for the District of the Nevada. He has been an adjunct professor at UNLV’s Boyd School of Law, teaching courses in national security law and trial advocacy, and is a member of the advisory board for the Cybersecurity Center at the University of Nevada, Reno.


Among all the cybersecurity threats confronting gaming operators and regulators, I would emphasise the following four: (1) online gaming; (2) the Internet of Tings; (3) vendors; and (4) privacy regulation. While online gaming provides new and exciting ways to meet demand, it also creates potential new points of access into a gaming operator's systems. Especially with the expansion of online sports betting, operators need to be extra-vigilant when it comes to ensuring regulatory compliance and preventing fraud.


Te dramatic increase in the number of Internet of Tings (“IoT”) devices presents a growing cybersecurity challenge for casinos. Te now famous story about the Internet-connected fish tank at a casino being hacked is but one example of how the presence of connected devices can allow for the exploitation of a vulnerabilities in an operator’s system. Te vendor-dependent reality that most casinos now operate under also poses certain cybersecurity threats. Tis is especially true for third-party software which can present


Karin Ashford, Vice President, Legal and Business Affairs, Penn National Gaming


Karin Ashford is the Vice President of Legal and Business Affairs at Penn National Gaming, Inc. In her role, she advises and counsels the company in a variety of substantive areas of law including litigation, employment, cyber, first amendment, election law, shareholder and derivative actions, sovereign immunity challenges, administrative procedures act appeals, constitutional claims, restrictive covenants, wage and hour, intellectual property, class actions, tax appeals, insurance coverage and subrogation, consumer protection, dram shop, sweepstakes, personal injury/wrongful death, RICO, ADA and equine law. She sits on the company’s cyber committee advising on various cyber-related issues such as data privacy, GDPR and similar statutes, cyber coverage, ransomware, website compliance, and social gaming. She began her career as a litigator at Cravath Swaine & Moore and then Stevens & Lee, working on various cases including patent infringement litigation, breach of contract matters, construction disputes, and FCPA.


In your view, what’s the single biggest threat to cybersecurity for gaming operators and regulators, and what advice would you give to protect themselves from risk?


Operators face persistent threats on a daily basis from cyber-criminals attempting to obtain access to internal systems. Security measures are usually able to identify and thwart such attacks, but stronger defenses also incentivise hacker ingenuity. In our industry, malware and ransomeware remain top concerns for operators.


Ransomware is particularly troubling. Gaming operators must remain on alert for such tactics, as they house, and are legally required to hold, a significant amount of customer data. While an operator can have state-of-the-art cyber security defenses, it also has infiltration points with numerous third-party vendors. It is imperative to educate employees with phishing simulations to protect against inadvertent malware uploads from hacker emails and websites, however, the operator’s reach stops there, and it cannot have such training sessions with employees of its vendors. It is much more difficult to protect a company from threats coming through a trusted vendor. Steps must be taken by operators to ensure any potential exposure through these different entry points are kept to a minimum.


Safeguards for malware and ransomware attacks include employee awareness training to help employees recognise if an email, phone call or web site is potentially dangerous. Operators can contractually mandate that their vendors also follow best practices and conduct periodic phishing simulations with their employees. Additional safeguards can be put in place to minimise vendor access in a manner to allow access only when needed to complete the task required, as compared to assigned user names and passwords for each vendor employee that allows access to the operator’s environment at any time.


Operators can also use the due diligence process to


significant vulnerability challenges. Finally, a different, but nevertheless very real threat is posed by the increasingly expanding and complex array of privacy laws and regulations gaming operators are required to comply with. Even a relatively small operator can find itself subject to the laws of jurisdictions, including foreign jurisdictions, where an operator has no physical presence. Tese challenges, and others, are increasingly causing gaming operators of all types and sizes to focus resources and talent to meet the ever-expanding cybersecurity threat. And the same is true for gaming regulators.


Among the challenges for regulators is how to adequately regulate an industry that in many ways is outpacing the regulators’ ability to provide adequate oversight because of the rapid evolution of new technologies. New Jersey recently adopted a regulation requiring all casinos to have an information security officer (ISO), to be responsible for the integrity and security of all casino computer systems, including protection against data breaches. Tis idea seems likely to catch on in other jurisdictions as regulators struggle to better understand, and thus better oversee, the increasingly complicated nature of their licensees’ cyber reality.


risk assess a vendor before engagement. Contract language should contain the necessary cyber security standards for vendors and clearly denote indemnification obligations should there be infiltration through a vendor. Lawyers should pay particular attention to any liability caps that may be present on a vendor’s form contract to ensure that such caps either provide sufficient cushion for the type of cyber breach that can occur on the systems touched by the vendor, or that the cap would not apply in the event of a cyber breach. Requiring vendors who access systems to purchase cyber policies sufficient in amounts to cover potential liability is also now becoming standard. Again, the amounts of coverage can vary by vendor, but it should be sufficient to cover potential losses. What was novel coverage five years ago has now become standard.


Another emerging vulnerability stems from increasing casino presence online. Online sports betting, online real money gaming, online social gaming, and player loyalty applications present different types of threats. While online is newer to the industry here in the US, safeguards do exist and will continue to develop as threats are identified. Operators using third parties for their online services will have to ensure these partners are vetted, secure and held accountable through contracts and security assessments. Online gaming partners should disclose results from security assessments in order to grow a level of trust with the industry. Operators of online games should also implement safeguards to limit the amount of information that can become available to an attacker who is able to breach the security of an online application. Analytics using historical player data and patterns can also be used to identify historical patterns and predict fraudulent activity.


Lawyers and IT professionals play a role in recognising these threats and minimising impact. Operators must continue to stay vigilant to identify new threats as the industry embraces new technologies.


NEWSWIRE / INTERACTIVE / MARKET DATA P81


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62  |  Page 63  |  Page 64  |  Page 65  |  Page 66  |  Page 67  |  Page 68  |  Page 69  |  Page 70  |  Page 71  |  Page 72  |  Page 73  |  Page 74  |  Page 75  |  Page 76  |  Page 77  |  Page 78  |  Page 79  |  Page 80  |  Page 81  |  Page 82  |  Page 83  |  Page 84  |  Page 85  |  Page 86  |  Page 87  |  Page 88  |  Page 89  |  Page 90  |  Page 91  |  Page 92  |  Page 93  |  Page 94  |  Page 95  |  Page 96  |  Page 97  |  Page 98  |  Page 99  |  Page 100  |  Page 101  |  Page 102  |  Page 103  |  Page 104  |  Page 105  |  Page 106  |  Page 107  |  Page 108  |  Page 109  |  Page 110  |  Page 111  |  Page 112  |  Page 113  |  Page 114  |  Page 115  |  Page 116  |  Page 117  |  Page 118  |  Page 119  |  Page 120  |  Page 121  |  Page 122  |  Page 123  |  Page 124