planning to strengthen cybersecurity reporting rules after recent cyberattacks showed that casinos are not alerting authorities quickly enough. The change is mainly a response to the 2023 ransomware attacks on MGM Resorts and Caesars Entertainment, which disrupted casino operations, affected hotel services and revealed delays in reporting the problems.

To address this, the Nevada Gaming Control Board held a public workshop on 4 December 2025. The meeting was led by NGCB Chair Mike Dreitzer and made it clear that cybersecurity is now a major priority for the state’s gambling regulators.

Faster Reporting at the Center of the Proposal

The main change being suggested is to Regulation 5.260, which explains how casinos must report cyberattacks. Right now, casinos have 72 hours to tell regulators after they confirm an incident. The new rule would cut that down to 24 hours.

Regulators say faster reporting is important so they do not find out about big cyberattacks from the news or other sources. Quick alerts would help the NGCB understand the risks to casino operations, customer data and overall safety.

Under the plan, casinos would need to notify regulators by phone or email within 24 hours of confirming an attack. They would then file a detailed report within five days and send updates every 30 days until the issue is solved. The rules apply to incidents that affect gaming systems, customer data or daily operations. Regulators also said they will not set strict definitions because casino operations differ in size and complexity.

Concerns About the Tight Timeline

Industry groups questioned whether the 24 hour deadline is practical. The Nevada Resort Association said casinos often depend on outside cybersecurity firms to confirm an attack, and those firms may need more than 24 hours. The NGCB clarified that the countdown starts only when the casino itself confirms the incident. A warning from an outside vendor does not start the timer.

Casino security teams also pointed out that many alerts turn out to be false alarms and do not always indicate real problems. Regulators agreed but said casinos should have clear internal procedures to decide when an alert should be reported.

Next Steps for Approval

Research presented at the workshop showed that Nevada casinos have dealt with many cyber incidents over the past 15 years. The industry is a major target because casinos handle large amounts of money every day and store sensitive customer information that hackers want.

The proposed rule changes will now go to the Nevada Gaming Commission on 18 December 2025 for review. If the commission approves them, the state will adopt a stricter and more proactive system for tracking and managing cyber risks across the casino industry.