WLA to launch new iteration of its global security control standard

In general, what security challenges have WLA members faced over the past four years, since WLA SCS 2020 was published?

In recent years, a number of reasons have contributed to the new security challenges our industry faces.

For instance, a growing number of lotteries have adopted so-called managed, or cloud solutions for different components of their gaming systems, such as software as a service, or full gaming platform as a service. More than ever, they must manage security with respect to third party suppliers, in order to ensure the integrity of their entire gaming operations.

Online lottery products, sports, and e-sports betting have become more common, as lottery operators adapt and deliver the desired customer preferences that have evolved since the pandemic.  

In contrast, security threats have not ceased, they continue to grow with greater sophistication.  Artificial intelligence (AI) is improving organization performance, but it also aids hackers in mounting progressively more effective cyberattacks.  For example, Generative AI is growing rapidly, thereby introducing further risk of more realistic phishing attacks.

Data sprawling across information systems, in other words, where shadow data appears, has led to a boom in data hoarding and the risk of frequent data leaks.

Additionally, regulations continue to strengthen requirements for hosting data, approving changes, providing notification of security incidents, personal information security and more.

What can users of the standard expect from WLA SCS:2024?

The WLA Security Control Standard 2020 introduced new concepts – notably the S Section for gaming system supplier and operator controls, and a section for cloud security controls. Over the past four years, these controls have proved challenging for members, raising many questions and requiring diverse action plans.

Bearing this in mind, and given the above mentioned security challenges faced by members, WLA SCS:2024 will provide clearer guidance on how to deal with the security of suppliers, and managed services, be it in hosted data centers, or in the cloud.

We have also reorganized some controls, to simplify the standard. For example, some controls have been moved to the general section, since they are applicable to all game offerings. Other general security controls that are already detailed in ISO/IEC 27001, Information security, cybersecurity and privacy protection – Information security management systems – Requirements, have also been simplified.

Importantly, a section has been created for Random Number Generators, since they are at the heart of all lottery game operations.

We have also added comprehensive M controls, which apply to any lottery participating in games administered by the Multi-State Lottery Association (MUSL).

Looking ahead, what technologies will impact the ongoing development of the standard?

Today, technology is ubiquitous, and it has an ongoing impact on our IT systems. We will continue to follow developments in artificial intelligence, blockchain, and distributed computing, as well as cloud solutions, and quantum computers.

If required, we will develop new sections in future iterations of the WLA security control standard to cover these technologies and to aid our members in managing them within their daily operations.

On this point, the annual December WLA/European Lotteries Security and Operational Risks Seminar 2024 will cover the theme of New Threats and Opportunities: Evolving AI and Security Risks.

AI technologies are at the forefront of modern security strategies. They bring unprecedented opportunities and unsurprisingly, new risks. As these technologies evolve, their application in security will be increasingly critical for global organizations, including the legal lotteries and sports betting operators.

The seminar will examine these aspects, and provide attendees with a comprehensive overview of how to leverage AI technologies to improve protection, and better manage risks.

‍