Nevada officials push for stricter cyberattack reporting following 2023 MGM and Caesars incidents


In response to the cyberattacks that occurred in September 2023, impacting major operators on the Strip including MGM Resorts and Caesars Entertainment, Nevada gaming regulators convened a specialized public workshop. This session took place on Thursday, December 4, 2025, directed by Mike Dreitzer, the chair of the Nevada Gaming Control Board (NGCB). The primary focus was on proposed revisions to Regulation 5.260, which aim to expedite the timelines and protocols for reporting cybersecurity incidents to the Board.

During the session, officials revisited the current mandates requiring licensees to inform the NGCB of any cyberattack within a 72-hour window after the incident has been confirmed. The newly discussed amendments would tighten this reporting window to just 24 hours. Regulators emphasized that such swift notifications are crucial for keeping the Board informed as soon as operators recognize a confirmed breach that affects gaming systems, customer data, or compliance with regulations.

A representative from the Nevada Attorney General’s Office detailed the proposed regulatory structure during the workshop. According to the draft, licensees must first contact the NGCB within 24 hours of confirming a cybersecurity incident. This initial contact can be made via phone or email, followed by a formal Initial Cyber Incident Response report within five calendar days. Additionally, operators must provide updates every 30 days until the incident is considered fully resolved. There is also the possibility of convening a meeting with the Board instead of submitting a written report, provided that the meeting and subsequent documentation occur within the same 30-day timeframe.

The session made it evident that these amendments are specifically tailored to incorporate lessons learned from the 2023 incidents, which caused significant operational and reputational damage to MGM Resorts and Caesars Entertainment. Board members referred to these events as complex scenarios that highlighted critical gaps in communication between operators and the regulator. They stressed the necessity of receiving accurate information from licensees instead of relying on media reports or third-party sources.

Industry stakeholders, including the Nevada Resort Association (NRA), also shared their concerns regarding the practicality of the shortened reporting timeline. The NRA pointed out that many operators depend on third-party cybersecurity vendors, whose contracts may allow up to 48 hours for notifying the licensee of a potential incident. Companies generally require additional time to internally assess the situation before determining if it constitutes a reportable breach. In response, regulators clarified that the 24-hour timeframe would begin from when the operator is informed of the confirmed attack, not from the initial detection by a vendor.

Attendees also discussed the distinction between serious breaches and minor events that do not have significant repercussions. Casino representatives noted that their security teams handle numerous alerts daily that often don’t escalate to confirmed cyber incidents. They warned that without precise definitions of “material impact,” the new regulation could result in an overwhelming number of notifications for lesser events. Board members recognized these concerns but were hesitant to establish a rigid, universal definition of “material,” citing variability in size, systems, and risk profiles among Nevada licensees.

Another topic raised during the workshop was the rising frequency and sophistication of cyber threats confronting Nevada’s gaming industry. Recent academic studies highlighted numerous cyber incidents affecting casinos in the state over the last 15 years, particularly in the more recent part of that period. Both regulators and stakeholders acknowledged that large resorts, local casinos, and online gaming platforms are appealing targets due to the concentration of transaction data, payment methods, and interconnected systems.

Throughout the discussion, Dreitzer consistently emphasized that the proposed changes are not intended to dictate specific cybersecurity technologies or frameworks for operators. Instead, the emphasis lies on governance and communication: ensuring that licensees have the internal protocols to detect, evaluate, and escalate incidents, along with timely notifications to the NGCB. The Board’s chair also reaffirmed that information shared under the revised regulation would enjoy the same confidentiality protections applicable to other regulatory submissions.

The workshop also linked these cybersecurity proposals to a broader framework of regulatory reforms being led by the NGCB. Since his appointment as chair in June 2025, Dreitzer has supervised multiple rule reviews and amendments in areas including chip redemption, private gaming lounges, and surveillance. The Board has indicated that cybersecurity will now be a constant focus within its regulatory agenda, with several other amendment processes occurring simultaneously across different segments of Nevada’s gaming landscape.

At the conclusion of the workshop, regulators encouraged stakeholders, including operators, trade organizations, technical providers, and others, to submit further written feedback to refine the language of the proposed cyber reporting amendments. The finalized proposal is set to be reviewed by the Nevada Gaming Commission during its meeting on December 18, 2025. If approved, the revised regulations would formalize the new 24-hour notification guideline, alongside the five-day initial incident report and the 30-day update cycle, specifically related to cybersecurity incidents with material effects on licensed gaming operations or associated systems.

With the workshop wrapped up and the amendments progressing to the Commission stage, Nevada’s gaming regulators have effectively integrated the lessons from the 2023 cyberattacks into an updated reporting framework. The procedures outlined during the session delineate how future cyber incidents are to be communicated, documented, and followed up between casino licensees and the NGCB, using the breaches at MGM and Caesars as critical points of reference for the regulatory response.