The WLA and EL Security and Operational Risks Seminar was held in Oslo, Norway, from 21-23 October, with over 80 participants, including 60 delegates from 27 countries of the five WLA regions.
Hosted by Norsk Tipping AS, the 3-day event, themed Trust in the Supply Chain: Resilience and Oversight, aimed to explore how lotteries and sports betting operators can strengthen the integrity of their operations by building resilient supply chains and implementing robust oversight mechanisms.
As the morning session got underway, Melissa Azam, WLA Security, CSR and Events Coordinator, introduced a video welcome address from Alessandro Pacciuci, Chair of the WLA Security and Risk Management Committee, in which he emphasized:
“Risk management and security have radically evolved. They are no longer just reactive measures. They have become strategic pillars of resilience and sustainability.”

In his opening address, Piet Van Baeveghem, Secretary General, EL, stressed that without public trust there is no lottery.
Public trust requires secure lottery operations
So how does the industry achieve and maintain this trust?
The answer is by ensuring the operational integrity of the lotteries, which requires secure supply chains, and there are many aspects to this.
Whether in ticket production or digital draw systems, maintaining transparency, security, and responsiveness is key to sustaining public trust and ensuring regulatory compliance in the evolving gaming landscape.
Security is paramount at all times
Keynote speaker Sofie Nystrøm, CEO, Fortified Technologies, Norway, echoed the message about the importance of ensuring secure operations, citing the example of the recent Amazon Web Services outage, which affected major apps, financial institutions and many businesses worldwide.

Good practices and third-party risk management
Speaking about good practices and third-party risk management, Fabien Marechal, Head of Corporate Cybersecurity at FDJ United, underscored the growing risk that third parties pose for lotteries, due to the vast amounts of sensitive data and substantial financial transactions they handle on a daily basis.
“A third party is not only a third party, it is a part of your external company.”

Managing third parties is essential to:
- Protect financial assets
- Maintain public trust
- Ensure regulatory compliance.
The third-party risk management (TPRM) process involves many teams, including: cybersecurity, legal, compliance, business continuity, IT, purchasing and more. Marechal emphasized the importance of:
- Having a central player in charge of the transversal TPRM
- Allocating key resources on critical activities
- Mobilizing a C-level when monitoring key third-party risks
- Establishing a 2-level comitology
AI for the gaming and betting industry
Artificial intelligence (AI) is redefining the cybersecurity landscape. Its machine learning capabilities, predictive analytics, and automatic content generation make it perfect for deployment across the operations of regulated lotteries and sports betting operators and, unfortunately, for use by illegal operators.
This incredible technology can be used to defend and attack our industry, so what is the best approach to AI?
According to Gennaro Borrelli, ICT Security Senior Manager, Brightstar Lottery, Italy, understanding its dual role helps develop effective strategies to defend against evolving cyber threats.
“Deep fakes are the new way to attack.”

Borrelli listed key automated and adaptive attack techniques, including:
- Generative phishing attacks
- Adaptive malware behavior
- Deepfake and voice cloning
- Automated real-time attacks
This is counterbalanced by AI-powered strategies, such as:
- AI-powered behavioral detection
- Automated incident response
- AI-enhanced threat intelligence
- Zero trust and XDR strategies
So what does this mean for WLA lotteries and sports betting operators?
The sector faces risks like digital fraud, system manipulation, and unauthorized data access through AI attacks, and players may be threatened by impersonation and targeted phishing attacks on lottery platforms. Effective defense therefore requires proactive, multilayered, and collaborative approaches. This means, for instance, technology and training, and continuous monitoring and adaptation as required using AI, to ensure security across all operations.
Risk management in energy supply and maintenance services
In today’s world, we can’t do anything without electricity, and with increasing power outages, it is vital for businesses to include this scenario in their risk management plans.
Some of the main reasons for outages are the weather, technical failures, poor maintenance and physical or cyber attacks, resulting in disrupted essential services, economic loss, and social vulnerability.
Against this backdrop, Pablo Berloso Gómez, Head of Technical Office Department, SELAE, talked about resilience, strategic planning, and international cooperation as key to mitigating future risks.

With much to consider, from business process risk management to data centres, electrical power infrastructure and supply chain resilience, including contingency plans for lottery draw operations, Berloso Gómez concluded that efficient management of specialized maintenance services ensures the operational availability of critical infrastructure and supports business continuity, acting with responsibility, sustainability, security, and integrity.
Third party risk management at Hungarian lottery
Speakers Tician Balogh, Infosecurity Team Leader, and Krisztian Pallai, Head of Information Security, at the Hungarian Lottery Szerencsejáték Zrt, provided insights into their TPRM process.

With over 1000 suppliers, of which 66 belonged to the critical group, 22 made the top critical list, covering six departments (IT, Commercial, Economic, Game development and Strategy, MarCom and Security). Of the 22 top critical, nine fell under IT.
“Defining key aspects for new contracts is not administrative, it is logical.”
Risk management areas covered included:
- Strategic
- Information security
- Processes
- People
- Suppliers
- Corruption
- Environmental
- Facility
Several tools were cited, such as the OpenSSAM (Open Cyber Security Awareness Machine) platform, which is designed to support cybersecurity analysts across Europe in tracking security incidents efficiently by monitoring a wide range of information sources and is useful for TPRM activities, and other open-source intelligence tools for assessing third-party suppliers.
What value does a WLA audit bring to an organization?
The answer is that it brings many benefits.
Audits enable lotteries to demonstrate that they are following industry best practices through certification, but they also address:
- Rapid digital transformation (mobile, iLottery, AI, data analytics)
- New threats: cybersecurity, fraud, data breaches
- Rising regulatory scrutiny
- Customer expectations for transparency and integrity
Hans Peter Østrem, WLA-SCS Auditor, Lead auditor ISO9001, ISO27001, ISO27701, Management System Certification, DNV Business Assurance Norway AS, stressed that auditors are advisors who promote awareness, collaboration, and innovation; help build trust between teams; and facilitate benchmarking with peers.
“Every finding is an opportunity, not a fault.”

Østrem concluded that the WLA audit is a continuous improvement loop that aims to help organizations adapt and improve their processes and controls.
It should generate insights and findings, and lead to targeted actions and implementations, based on the evaluation.