Sec.12-865-33. Cybersecurity  

(a) Each gaming entity licensee shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the electronic wagering platform and a gaming entity licensee’s associated information systems.

(b) The cybersecurity program shall be based on a risk assessment and designed to perform the following core cybersecurity functions as outlined under the NIST Cybersecurity Framework 1.1, or other requirements set forth by the department under section 12-865-3(n) of the Regulations of Connecticut State Agencies, including:

(1) Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of the electronic wagering platform or patron information stored on a gaming entity’s information systems;

(2) Use defensive infrastructure and implement policies and procedures to protect the electronic wagering platform and the gaming entity licensee’s information systems, and the nonpublic information stored on those information systems, from unauthorized access or use or other malicious acts;

(3) Detect cybersecurity events;

(4) Respond to identified or detected cybersecurity events to mitigate any negative effects;

(5) Recover from cybersecurity events and restore normal operations and services; and

(6) Fulfill applicable regulatory reporting obligations.

(c) All documentation and information relevant to the gaming entity licensee’s cybersecurity program shall be made available to the department upon request.

(d) The cybersecurity program for each gaming entity licensee shall include monitoring and testing, developed in accordance with the gaming entity licensee’s risk assessment, designed to assess the effectiveness of the gaming entity licensee’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in information systems that may create or indicate vulnerabilities, gaming entity licensees shall conduct:

(1) Annual penetration testing of the gaming entity licensee’s information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and

(2) Bi-annual vulnerability assessments, including any systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the gaming entity licensee’s information systems based on the risk assessment.

(e) Each gaming entity licensee shall securely maintain systems that, to the extent applicable and based on its risk assessment:

(1) Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the gaming entity licensee; and

(2) Include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the gaming entity licensee.

(f) As part of its cybersecurity program, based on the gaming entity licensee’s risk assessment, each gaming entity licensee shall limit user access privileges to information systems that provide access to nonpublic information and shall periodically review such access privileges.

(g) As part of its cybersecurity program, each gaming entity licensee shall include policies and procedures for the secure deletion on a periodic basis of any patron information that is no longer necessary for business operations or for other legitimate business purposes of the gaming entity licensee, except where such information is otherwise required to be retained by law or regulation.

(h) Each gaming entity licensee shall implement controls, including encryption, to protect patron information and other nonpublic information held or transmitted by the gaming entity licensee both in transit over external networks and at rest.

(i) As part of its cybersecurity program, each gaming entity licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the gaming entity licensee’s information systems or the continuing functionality of any aspect of the gaming entity licensee’s business or operations. Such incident response plan shall address the following areas:

(1) The internal processes for responding to a cybersecurity event;

(2) The goals of the incident response plan;

(3) The definition of clear roles, responsibilities and levels of decision-making authority;

(4) External and internal communications and information sharing;

(5) Identification of requirements for the remediation of any identified weaknesses in Information systems and associated controls;

(6) Documentation and reporting regarding cybersecurity events and related incident response activities; and

(7) The evaluation and revision as necessary of the incident response plan following a cybersecurity event.

(j) Each gaming entity licensee shall notify the department immediately, but in no event later than seventy-two hours, from a determination that a cybersecurity event has occurred that is either of the following:

(1) A cybersecurity event impacting the gaming entity licensee of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or

(2) A cybersecurity event that has a reasonable likelihood of materially harming any material part of the normal operation or operations of the gaming entity licensee.