IGSA calls on sector to strengthen cybersecurity efforts

The International Gaming Standards Association (IGSA) collaborates with key stakeholders in the gambling industry to develop standardized regulatory policies and operational processes. However, IGSA’s leadership asserts that the industry must intensify its efforts to mitigate risks associated with artificial intelligence (AI) and cybersecurity.
In a detailed March interview, IGSA President Mark Pace emphasized that cybersecurity remains a paramount concern within the gambling sector.
Pace highlighted that mature markets, notably within the European Union (EU), have already initiated steps to implement industry standards centered on responsible and sustainable gambling practices. A significant milestone in this effort was the introduction of the 2021 data reporting standard, EN17531, which streamlines data reporting and facilitates the flow of information between EU regulators.
Despite these advancements, Pace pointed out that many regulations in the gambling sector remain disjointed, complicating the adoption of coherent standards across the industry. He posits that by standardizing up to 90% of technical requirements, the sector can address this fragmentation effectively.
Global operators are grappling with the difficulties of navigating myriad regulations across various markets, particularly within Europe. Pace is proactively championing initiatives to alleviate this regulatory fragmentation.
Founded in 1998, IGSA encompasses a coalition of industry stakeholders from over 20 companies, focused on establishing standards and best practices for suppliers, operators, and regulators. Notable members include European gaming leaders such as IGT, Merkur, Novomatic, and Intralot.
IGSA’s Ambition to Standardize 90% of Technical Requirements in the Gambling Sector
“Striving for 85% to 90% standardization could yield transformative benefits for the industry. Regulatory bodies would then be equipped to address the nuances that arise as they develop,” Pace articulated.
“Full harmonization is a lofty goal. I relinquished that ambition some time ago, given the diverse nature of global markets. However, achieving a certain level of consistency is within our reach.”
To tackle these variances, IGSA assists regulators by providing standards tailored to technical systems, player interfaces, gaming device specifications, and regulatory reporting frameworks.
According to Pace, while each market presents distinctive challenges grounded in local culture and governance, these differences account for only a minor fraction of the hurdles faced, suggesting the potential effectiveness of formalized structures.
The IGSA actively engages with organizations like the International Association of Gaming Regulators and maintains dialogue with individual regulators to better understand their needs and streamline regulatory compliance.
Establishing Cybersecurity Standards in Gaming
Another critical area of focus for Pace is enhancing the industry’s defenses against cyber threats. The cybersecurity of gaming systems and online platforms poses significant challenges for regulators and operators alike.
Pace pointed out that cybersecurity audits are not mandated in many jurisdictions, and where they do exist, they frequently amount to “rudimentary” checks. He is advocating for the implementation of stricter standards and evaluations to bolster the security of the entire technical supply chain.
The urgency of these cybersecurity measures has been underscored by several high-profile incidents in recent years. For example, in September 2023, MGM Resorts International was forced to take certain systems offline after a significant breach, incurring up to $100 million in EBITDAR impact due to operational disruptions.
Additionally, numerous data breaches have compromised player information, which has subsequently appeared on the dark web. In a KPMG webinar last June, industry executives acknowledged that cyber threats have become the “new norm” within the sector, prompting calls for state regulators in the U.S. to adopt a more robust regulatory framework to ensure industry-wide protection.
The Importance of Comprehensive Supply Chain Vetting
In response to these cybersecurity challenges, some regulatory bodies, such as Ireland’s new oversight entity, have instituted requirements for licensees to implement measures safeguarding customer data integrity and the security of gaming systems.
Pace reminds us, “When considering cyber resiliency from an IT perspective, attention often focuses on micro-segmentation of networks and identifying vulnerabilities within routers and networking components. However, such evaluations must extend to the very origins of the technology—right down to the manufacturing of chips.”
Greater scrutiny is essential regarding companies that supply chips for land-based gaming machines, as well as those responsible for their integration into printed circuit boards and gaming hardware.
Past instances of compromised supply chains serve as a reminder that nefarious actors can infiltrate these channels long before products reach their final destinations.
Enhancing Cybersecurity Awareness within the Gambling Sector
Pace acknowledges that while companies cannot eradicate all potential threats, the sector must improve its overall awareness regarding cybersecurity risks.
“Implementing a cyber resiliency framework involves multiple facets. This is precisely what our cyber resiliency committee is focused on developing,” Pace explained.
He advocates for industries and regulatory authorities to move beyond superficial penetration testing and standard vulnerability assessments. Instead, organizations should evaluate onboarding processes, consider bring-your-own-device (BYOD) policies, and formulate comprehensive contingency plans to respond effectively to cyberattacks. Regular audits must also become an ingrained practice.
Pace cautions that while regulations and protocols can enhance preparedness, they will never entirely eliminate the threat posed by malicious actors.
“It’s impossible to achieve total prevention. Our aim should be to continually improve our defenses. Just as one may try to build a better mousetrap, adversaries will always seek out the weakest link. The objective is to make it as daunting as possible for them to discover vulnerabilities,” Pace emphasized.
IGSA’s Call for Greater Transparency
The IGSA is also advocating for enhanced transparency within the gambling sector.
“We should cultivate an industry ethos where incidents like breaches are disclosed promptly rather than waiting six months to acknowledge ‘Oh, we were hacked.’ There must be accountability and a commitment to share such incidents in real time,” Pace warned.
The cyber threat landscape operates on shared information, with cybercriminals actively exchanging insights on system vulnerabilities and stolen credentials.
Pace insists, “By concealing breaches due to shame or fear, we only deepen the challenges faced by the industry as a whole.”
IGSA’s Initiatives on AI Guidelines and Combating Fragmentation
Pace has previously indicated that IGSA is in the process of establishing an Ethical AI Standards Committee (AIC) to standardize AI technologies within the gambling sector. This initiative aims to craft a framework delineating how AI standards can be structured and how regulators should effectively engage with AI technologies.
Pace stated, “I have spoken with regulators who are attempting to grasp AI algorithm development intricacies, but I advise them that this approach may be futile.”
“Instead, focus on critical aspects, including what data the AI algorithms will analyze, the accuracy of this data, and whether it contains any inherent biases.”
This year, IGSA is poised to release eight standards or “best practices” for AI deployment tailored specifically to the gambling industry.
Mark Pace is slated to speak at the upcoming Payments, Fraud & Compliance Gaming Leaders’ Summit, an exclusive in-person event designed for select senior leaders, decision-makers, and budget-holders within the iGaming sector.
The summit will take place on May 20-21, 2025.