ARTICLE

Date: 2024-04-11

In August 2023, the Malta Gaming Authority (hereinafter the 'Authority' or 'MGA') launched a closed consultation directed at Licensees to provide their feedback in relation to the revised instances that require the submission of an Incident Report [1], and the updated reporting instrument (the 'Technical – Information Security Incident') [2], in line with the Authority's commitment to an open and transparent decision-making process. The closed consultation spanned a period of six (6) weeks which concluded on 9 October 2023.

The feedback gathered was analysed by the Authority to evaluate the impact of the amendments on stakeholders and to ensure that decisions are taken in a transparent and accountable manner.

The Updated Reporting Requirements

The predominant concern highlighted from the feedback received was the necessity for the updated reporting instrument to cater for ongoing Incidents that may still be evolving at the time of submission. In response to this, the Authority has decided to structure the new 'Technical – Information Security Incident' into separate phases, thereby enabling Licensees to submit an Incident Report even when an Incident is still ongoing.

In this respect, the initial section of the updated reporting instrument will collect generic information in relation to the Incident [3]. Through the feedback collected as part of the consultation process, suggestions were also made by respondents in relation to additional information that can be collated through the reporting instrument. Consequently, the following recommendations made by respondents are being incorporated and added to the initial phase of the updated reporting instrument:

The 'type of information security breach', whereby users may select the following options from a drop-down menu: Internal non-malicious; Internal malicious; External non-malicious; External malicious; and Unknown.

Confirmation as to whether any essential regulatory data has been lost as a result of the Incident;

A risk classification of the Incident according to the Licensee's risk assessment (Low, Medium, or High) [4];

Separate date and time fields to indicate the time when the Incident was detected in addition to when the Incident actually occurred; and

In addition to an indication of any other B2Cs/B2Bs affected, users will also have the option to list any other third-party service providers involved.

As indicated above, a key observation from the feedback was the need for an updated reporting instrument capable of catering for Incidents that are still ongoing and yet to be resolved entirely. In response to this feedback, the Authority will be updating the reporting instrument such that if the Incident has not yet been resolved, the report will allow users to submit the following information:

Confirmation as to whether any external attacks on the system are still ongoing;

A detailed description with respect to the current situation of the Incident; and

Any remedial actions and mitigation measures being undertaken.

Furthermore, in response to concerns raised by respondents, the Authority has acknowledged that the seventy-two (72) hour notification timeframe may pose challenges for Licensees in compiling the necessary information related to the Incident. Therefore, the reporting instrument will be updated to provide Licensees with the functionality to submit the report with a current snapshot of the Incident and adhere to the notification timeframe, and then update further details at a later stage.

When the Incident has been completely resolved, or if within the seventy-two (72) hours notification timeframe, the Incident has entirely subsided and the Licensee has implemented remedial actions to resolve the Incident, the user will be requested to submit the following detailed information in relation to the Incident:

The root cause of the Incident;

Any remedial actions taken;

Preventive actions undertaken to address the root cause; and

Duration of downtime with respect to online channels of delivery.

The final step of the report will prompt users to submit relevant supporting documentation depending on the stage of the Incident. Licensees will be obliged to submit a post-Incident analysis report only once the Incident has been entirely resolved.

The MGA's Revised Reporting Requirements

In line with the consultation document and the feedback received, the Authority will be limiting the scope of events requiring notification to the Authority solely to information security Incidents, as established by Article 37(2)(c) and (d) of the GACD, which states the following:

"Licensees shall notify the Authority forthwith, and in any case no later than three (3) working days after, the following: ...

(c) Any breach of the licensee's information security that adversely affects the confidentiality of information relating to players.

(d) Any breach of the licensee's information security that precludes players from accessing their accounts for a period exceeding twelve (12) hours."

Footnotes

1. Incident Report is defined as the report which is submitted to the Authority notifying the incident, in terms of articles 37(2)(c) and (d) of the Gaming Authorisations and Compliance Directive (Directive 3 of 2018) and any relevant instrument or guidance issued in relation thereto.

2. The proposed title of the incident reporting tool which shall be made available through the Authority's Licensee relationship management system (Licensee Portal).

3. Incident is defined as an event or circumstance which is required to be notified to the Authority in terms of articles 37(2)(c) and (d) of the Gaming Authorisations and Compliance Directive (Directive 3 of 2018) and any relevant instrument or guidance issued in relation thereto.

4. In order to make this classification, Licensees shall take into consideration the number of players affected, the impact on regulatory obligations, geographic spread, reputational, operational, and economic impact when conducting a risk assessment of the incident.

