IGSA wants to end fragmented gambling regulations and strengthen cybersecurity

By Conor Reynolds

The International Gaming Standards Association (IGSA) works with gambling stakeholders to standardise regulatory policies and operator system processes. But IGSA believes more should be done to mitigate AI and cybersecurity risks in gambling.

Speaking to iGB in a March interview, IGSA president Mark Pace highlighted cybersecurity as a key concern for the gambling sector.

Pace points to mature markets like the EU having already taken steps to establish industry standards with regard to responsible and sustainable gambling, as well as how to report data and facilitate movement of information between regulators in the EU. This includes the 2021 data reporting standard ‘EN17531’.

But when it comes to the gambling sector, Pace notes regulations remain largely fragmented and this makes it difficult to adopt standards and practices across the wider industry. He believes the sector can solve that fragmentation by standardising up to 90% of technical requirements.

Global operators face difficulties in adapting to regulations across many markets, particularly in Europe. Pace is campaigning to end that fragmentation.

IGSA was founded in 1998 and brings together industry players from across 20 companies to develop standards and best practices for suppliers, operators and regulators. Members of the organisation include European gaming giants IGT, Merkur, Novomatic and Intralot.

IGSA aiming to standardise 90% of technical requirements in gambling sector

“If we focused on getting 85% to 90% standardisation, it would have a tremendous beneficial impact on the industry. Then [regulators] can deal with the differences that exist as they emerge and as they continue to evolve,” Pace says.

“You’re never going to get [full] harmonisation. And I’ve given up on that a long time ago. It’s impossible, the world is so different, yet, I think we could achieve some level of sameness.”

To navigate these differences, IGSA provides regulators with standards across areas such as technical systems and player interfaces, gaming device standards and regulatory reporting interfaces.

Pace says individual markets present unique challenges specific to each country’s culture or governance. But these differences are such a small percentage of the challenges faced and formal structures can help mitigate a majority of the issues faced.

The IGSA communicates, and in some cases partners, with entities such as the International Association of Gaming Regulators, as well as regulators on an individual level to better understand and navigate their needs.

IGSA setting cybersecurity standards

Also at the top of Pace’s priority list is the sector’s protection against cyber threats. He says cybersecurity of gaming systems and online platforms remains a critical challenge for regulators and operators.

Pace tells iGB that cybersecurity audits are not a requirement in many markets. If they do have some checks in place, Pace says they can often be “rudimentary”. He is advocating for more stringent checks and standards to be put in place to better protect the entire technical supply chain.

Cybersecurity concerns have grown within the industry, as a number of high-profile cases rocked operators in the last couple of years. In September 2023, MGM was forced to shut down some of its systems after a number were compromised. The incident cost the operator up to $100 million in EBITDAR impact during the period.

A number of player data breaches have also compromised systems and resulted in player information being leaked on the dark web. In a KPMG webinar hosted in June last year, industry executives warned cyber threats “were a new norm” for the sector. State regulators in the US have been urged to take a more serious stance on technical requirements to ensure the sector is better protected.

Companies should be vetting every part of their supply chain

Some regulators, like Ireland’s recently formed entity, have put in place requirements for licensees to adopt measures to protect customer data and the integrity of their gaming systems.

“If you think about cyber resiliency from an IT perspective, a lot of focus is pointed towards micro-segmentation of networks, understanding vulnerability points in terms of routers and other networking components. But they don’t go all the way back to the beginning, where the chip’s made,” Pace tells iGB.

Greater vetting should be applied to the companies providing the chips for land-based gaming machines, says Pace, as well as the facility that installs them on the printed circuit board integrators, and then into gaming machines or operator hardware.

There have been instances in the past where bad actors have infiltrated supply chains to interfere with chips before they have reached their final destination.

Gambling sector should be more aware of cybersecurity risks

Pace acknowledges that companies can’t prevent every possible threat but insists the sector should be better aware of the risks.

“If you are implementing a cyber resiliency scheme, here are some of the things that you ought to consider. That’s really what we’re creating in our cyber resiliency committee,” Pace says.

“A set of best practices to help regulators and regulatory authorities understand this very complex environment and focus them on the things that need to be done.”

Companies and regulators need to move beyond just penetration testing and standard vulnerability assessments, Pace adds.

They should look at what the onboarding process is, what the bring your own device policy is, what the contingency plan is when an attack occurs. Companies should also ensure regular audits are taking place.

Pace warns regulators that, despite being better prepared, they will never be able to fully prevent threat actors from causing damage.

“It’s impossible to prevent. The best that you can do is to try and improve on what you’re already doing. This is like building a better mousetrap. The bad actors will always try and find the weak link, you need to make it as difficult as possible for them to find that weakness. That’s all that you can do,” Pace states.

IGSA calls for greater transparency

IGSA also calls on industry stakeholders for more transparency across the sector.

“None of this ‘that casino got hacked’ and then six months later they say, ‘oh, yeah we got hacked’. There has to be a level of responsibility and a level of transparency to be able to share that happened [in real time]. Because, quite frankly, the bad actors talk to each other, the good actors sometimes don’t,” Pace warns.

There is a whole market of information exchange that cybersecurity threat actors engage in on a daily basis, where they sell or share system vulnerabilities or stolen credentials.

“If we are too ashamed because we got hacked and we don’t disclose the details, then we’re only making it worse for ourselves as an industry,” Pace notes.

IGSA AI guidelines and blocking fragmentation

Pace previously told iGB that IGSA is preparing an ethical AI standards committee (AIC) to standardise AI technologies in the gambling sector. The working group is aiming to create a framework that demarcates how AI standards can be set out, as well as how regulators should approach AI.

“I talked to regulators who tell me they have tried to understand how AI algorithms have been developed. They’re trying to do a deep dive into AI and I tell them, ‘You’re wasting your time’,” Pace said in March.

“What you need to focus on are things like, ‘What data are you going to let the AI algorithms consume? What is the accuracy level of the data? Does the data already have an inherent bias in it?’”

IGSA is expected to publish eight standards or “best practices” for AI deployment within the gambling sector this year.

Mark Pace will be speaking at the upcoming Payments, Fraud & Compliance Gaming Leaders’ Summit. This is an invite-only, in-person event for selected senior leaders, decision-makers and budget-holders in the igaming industry.

The event will run on 20 and 21 May 2025.