Nevada regulators advance tighter cyberattack reporting after 2023 MGM and Caesars breaches
Summary
Nevada’s Gaming Control Board (NGCB) held a public workshop on 4 December 2025, led by chair Mike Dreitzer, to discuss draft amendments to Regulation 5.260 that would tighten cyber-incident reporting by gaming licencees. Key changes under consideration include shortening the initial notification window from 72 hours to 24 hours, requiring a formal Initial Cyber Incident Response report within five calendar days, and providing 30-day updates until resolution. The proposals were explicitly framed as a response to the disruptive 2023 breaches at MGM Resorts and Caesars Entertainment and aim to improve direct communication between operators and the regulator.
Key Points
- The NGCB workshop reviewed amendments to Regulation 5.260 to speed up cyber-incident reporting after the 2023 MGM and Caesars attacks.
- Proposed timeline: initial contact to NGCB within 24 hours of confirming a reportable incident; a five-day formal initial report; then 30-day progress updates until resolved.
- The 24-hour clock would start when the operator itself is made aware of a confirmed attack, not when a third-party vendor first detects an alert.
- Industry groups, including the Nevada Resort Association, warned of practical problems — vendor contracts and internal verification can take longer than 24 hours.
- Regulators emphasised the rules target governance and communications, not mandating specific security technologies; filings retain confidentiality protections.
- The NGCB plans to send the final proposal to the Nevada Gaming Commission on 18 December 2025 for consideration.
Content summary
The workshop walked attendees through the proposed rule structure: a quick phone call or email within 24 hours to alert the Board, a fuller initial incident report within five days, and continuing 30-day updates. Regulators repeatedly cited the MGM and Caesars incidents as showing the danger of regulators learning of breaches via media rather than directly from licencees. Operators countered that many daily security alerts never become material incidents and that third-party vendors often have notification timelines built into contracts. The NGCB signalled it would avoid a rigid universal definition of “material” given the varied size and risk profiles of Nevada licencees.
Context and relevance
This proposal sits alongside a wider regulatory review under chair Mike Dreitzer and formally embeds lessons from the 2023 breaches into Nevada’s reporting framework. For casino operators, technology suppliers and risk teams, the changes would tighten deadlines for escalation and record-keeping, increase regulator oversight of incident response timelines, and likely prompt updates to vendor contracts and internal playbooks. More broadly, it reflects an industry trend towards quicker, more standardised reporting after high-profile cyberattacks.
Why should I read this?
Short version: if you run IT, security or compliance for a Nevada casino (or supply them), this could force you to change your incident playbook — fast. The article saves you the workshop playback: 24-hour heads-up, five-day formal report, 30-day updates, Commission decision on 18 December. Worth a skim now so you’re not scrambling later.
