Title 809 | Chapter 010 | Regulation 003
SUPERSEDED
This document is no longer current.
PUBLIC PROTECTION CABINET
Kentucky Horse Racing Commission
(New Administrative Regulation)
809 KAR 10:003.Technical requirements and oversight.
Section 1.
Sports Wagering Standards. A licensee shall use a sports wagering system to offer, conduct, or operate sports wagering in accordance with applicable laws and these regulations. Only an approved licensee may process, accept, offer, or solicit sports wagers.(1)
The licensee shall operate in conformity with the license conditions issued by the racing commission pursuant to KRS 230.290(3) and GLI-33 Standards.(2)
A sports wagering system shall meet the specifications established in subsection (1) of this section and these regulations. Failure to comply with the approved specifications, internal controls, or technical specifications may result in disciplinary action by the racing commission.Section 2.
Testing and Certification of Sports Wagering System. Prior to conducting sports wagering, and annually thereafter, the sports wagering system utilized by the licensee shall be submitted to a nationally recognized, independent testing laboratory approved by the racing commission for certification testing. Certification and racing commission approval shall be received prior to the use of any sports wagering system to conduct sports wagering. The licensee is responsible for all costs associated with testing and obtaining such certifications.(1)
To obtain a temporary license, a licensee may submit to the racing commission a certification report of an independent testing laboratory of a system in operation in another jurisdiction in the United States where the licensee is currently licensed or permitted. The report must certify the system to either the GLI-33 Standards or, at the discretion of the racing commission, a standard deemed to be the equivalent of the GLI-33 Standards. This alternative certification report must include a list of all critical files and associated signatures and an appendix which lists the differences of any controlled items or processes required to be certified in Kentucky which were not certified in the jurisdiction in which the report was issued. Upon review of the certification report, the racing commission will make a determination on whether to accept the certification or require additional information or documentation or testing.(2)
Unless otherwise authorized by the racing commission, the independent testing laboratory shall be provided access to the sports wagering system's controlled software source code along with the means to verify compilation of such source code. The result of the compiled source code shall be identical to that in the software submitted for evaluation.(3)
If the sports wagering system meets or exceeds the GLI-33 Standards and the commission's regulatory requirements in KAR Title 809, the independent testing laboratory approved by the racing commission shall certify the sports wagering system. Licensees are prohibited from offering sports wagering in Kentucky without such certification.Section 3.
Integration Requirements. The licensee shall be responsible for sports wagering offered by the licensee through other service providers and suppliers, and other licensees where applicable.(1)
The servers and equipment of service providers and suppliers will be considered part of the licensee's sports wagering system and shall comply with these regulations.(2)
The licensee shall guarantee that any integration with the servers and other equipment of another licensee is completed in a way that complies with these regulations.(3)
An independent testing laboratory shall conduct integration testing and certification for each server and other equipment with the licensee's sports wagering system prior to its deployment and as requested by the racing commission.Section 4.
Change Management Processes. The licensee shall submit change management processes to the racing commission for approval. The change management processes shall detail evaluation procedures for identifying the criticality of updates and determining which updates shall be submitted to the approved independent testing laboratory for review and certification.(1)
These change management processes shall be:(a)
Developed in accordance with the Kentucky Horse Racing Commission license conditions issued by the commission pursuant to KRS 230.290(3) and the GLI-CMP Guide;(b)
Approved by the racing commission prior to its deployment; and(c)
Available for audit by the racing commission or its designee at any time.(2)
Quarterly change reports shall be issued to the racing commission for review to ensure risk is being assessed according to the change management processes and all documentation for all changes to the critical components are complete.(3)
At least once annually, each product operating under the approved change management processes shall be fully certified to the specifications established in these regulations and other technical specifications as prescribed by the racing commission and accompanied by formal certification documentation from an independent testing laboratory. the licensee shall be allowed to seek approval for extension beyond the annual approval if hardship can be demonstrated. Granting of a hardship waiver is the sole discretion of the racing commission, upon written proof of good cause by the licensee.Section 5.
Geolocation Requirements. Mobile sports wagers shall be initiated, received, and otherwise placed in the authorized geographic boundaries within the Commonwealth of Kentucky.(1)
The geographic boundaries shall be approved by the racing commission.(2)
The licensee shall use geolocation or geofencing technology pursuant to KRS 230.805 and to monitor and block unauthorized attempts to place sports wagers when an individual or patron is physically outside the authorized geographic boundaries within the Commonwealth of Kentucky at the time the sports wager is placed.(3)
The licensee shall trigger:(a)
A geolocation check prior to the placement of the first wager after login or upon a change of IP address;(b)
Recurring periodic geolocation checks as follows:1.
For static connections, at least every twenty (20) minutes or five (5) minutes if within one (1) mile of the border; and2.
For mobile connections, at intervals to be based on a patron's proximity to the border with an assumed travel velocity of seventy (70) miles per hour or a demonstrated average velocity of a roadway/path, not to exceed twenty (20) minutes.(4)
Mechanisms shall be in place to detect software, programs, virtualization, and other technology that may obscure or falsify the patron's physical location for the purpose of placing sports wagers.(5)
The geolocation services used by the licensee shall be certified by the approved independent testing laboratory, including, without limitation, applicable field testing as authorized by the commission, before its deployment.(6)
The racing commission may enter into agreements with other jurisdictions or entities to facilitate, administer, and regulate multi-jurisdictional sports wagering by licensees pursuant to KRS 230.805.Section 6.
Data Security. A licensee's data security policies shall comply with KRS 230.805. Nothing in this section shall preclude the use of internet or cloud-based hosting of such data and information or disclosure as required by Commonwealth or federal law or a court order.Section 7.
Location of Servers, Security, and Cloud Storage. A licensee shall maintain in secure locations in the Commonwealth its primary servers used to transmit information for purposes of accepting or settling of wagers on a sporting event placed by patrons in the Commonwealth.(1)
The location of all other technology and servers used by a licensee in connection with sports wagering shall be approved by the racing commission and shall be accessible by the racing commission.(2)
The racing commission may approve of the use of internet or cloud-based hosting of duplicate data or data not related to transactional wagering data upon written request of a licensee.Section 8.
Integrity and Security Assessments. Each licensee shall run integrity and security assessments that comply with GLI-33 Standards.(1)
Each licensee shall, within ninety (90) calendar days after commencing operations in Kentucky, and annually thereafter, have integrity and security assessments of the sports wagering system conducted by a third-party contractor experienced in security procedures, including, without limitation, computer security and systems security. The third-party contractor shall be selected by the licensee and shall be subject to approval of the racing commission. Such integrity and security assessments shall include a review of the following:(a)
Network vulnerability;(b)
Application vulnerability;(c)
Application code;(d)
Wireless security;(e)
Security policy and processes;(f)
Security and privacy program management;(g)
Technology infrastructure and security controls;(h)
Security organization and governance; and(i)
Operational effectiveness.(2)
The scope of the integrity and security assessments is subject to approval of the racing commission and shall include the following:(a)
A vulnerability assessment of all digital platforms, Web sites, mobile applications, internal, external, and wireless networks with the intent of identifying vulnerabilities of all devices, the sports wagering systems, and applications transferring, storing, or processing Personally Identifiable Information or other sensitive information connected to or present on the networks;(b)
A penetration test of all digital platforms, Web sites, mobile applications, internal, external, and wireless networks to confirm if identified vulnerabilities of all devices, the sports wagering systems, and applications are susceptible to compromise;(c)
A review of the firewall rules to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets performed on all of the perimeter firewalls and the internal firewalls;(d)
A security control assessment conducted in accordance with the provisions outlined in the racing commission's regulations, including the technical security controls specified within the GLI-33 Standards, and with generally accepted professional standards approved by the racing commission.(e)
If a cloud service provider is in use, an assessment performed on the access controls, account management, logging and monitoring, and over security configurations of their cloud tenant; and(f)
An evaluation of information security services, payment services such as financial institutions and payment processors, geolocation services, and any other services which may be offered directly by the sports wagering licensee or involve the use of service providers.(3)
To qualify as a third-party contractor, the third-party contractor shall demonstrate to the commission's satisfaction, at minimum, the following qualifications:(a)
Relevant education background or in other ways provide relevant qualifications in assessing sports wagering systems;(b)
Certifications sufficient to demonstrate proficiency and expertise as a network penetration tester by recognized certification boards, either nationally or internationally; and(c)
At least three (3) years' experience performing integrity and security assessments on sports wagering systems; and(4)
The third-party contractor's full security audit report containing the overall evaluation of sports wagering in terms of each aspect of security shall be provided to the racing commission no later than thirty (30) calendar days after the assessment is conducted and shall include the following:(a)
Scope of review;(b)
Name and company affiliation, contact information, and qualifications of the individual or individuals who conducted the assessment;(c)
Date of assessment;(d)
Findings;(e)
Recommended corrective action, if applicable; and(f)
The licensee's response to the findings and recommended corrective action.(5)
It is acceptable to reuse the results of prior assessments within the past year conducted by the same third-party contractor when the testing was conducted pursuant to accepted industry standards as approved by the commission, such as International Organization for Standardization ("ISO")/International Electrotechnical Commission ("IEC") standards, the NIST Cybersecurity Framework ("CSF"), the Payment Card Industry Data Security Standards ("PCI-DSS"), or the equivalent. Such reuse shall be noted in the third-party contractor's security audit report. This reuse option does not include any critical components of a sports wagering system unique to the Commonwealth which will require fresh assessments.(6)
If the third-party contractor's security audit report recommends corrective action, the licensee shall provide the racing commission with a remediation plan and any risk mitigation plans which detail the Licensee's actions and schedule to implement the corrective action.(a)
The remediation and risk mediation plans shall be presented within a time period prescribed by the racing commission, which shall be based on at least the following factors:1.
The severity of the problem to be corrected;2.
The complexity of the problem to be corrected; and3.
The risks associated with the problem to be corrected.(b)
The commission may require suspension of operations until implementation of any critical corrective action(s).(c)
Once the corrective action has been taken, the licensee shall provide the racing commission with documentation evidencing completion.Section 9.
Quarterly Vulnerability Scans. Internal and external network vulnerability scans shall be run at least quarterly and after any significant change to the sports wagering system or network infrastructure.(1)
Testing procedures shall include protocol verifying that four (4) quarterly internal and external scans took place in the past twelve (12) months and that re-scans occurred until all "Medium Risk" (CVSS 4.0 or Higher) vulnerabilities were resolved or accepted via a formal risk acceptance program approved by the racing commission. Internal scans should be performed from an authenticated scan perspective. External scans can be performed from an uncredentialed perspective.(2)
The quarterly scans can be performed by either a qualified employee of the licensee or a qualified third-party contractor selected by the licensee and subject to approval of the racing commission.(3)
Verification of scans shall be submitted to the racing commission on a quarterly basis and within thirty (30) calendar days of running the scan. The scan verifications shall include a remediation plan and any risk mitigation plans for those vulnerabilities not able to be resolved. The commission may impose disciplinary action in the event of critical unresolved vulnerabilities or vulnerabilities that continue unabated.JONATHAN RABINOWITZ, Chair
RAY PERRY, Secretary
APPROVED BY AGENCY: July 10, 2023
FILED WITH LRC: July 10, 2023 at 4:00 p.m.
PUBLIC HEARING AND COMMENT PERIOD: A public hearing on this administrative regulation shall be held on September 22, 2023, at 9:00 a.m. at Kentucky Horse Racing Commission, 4063 Iron Works Parkway, Building B, Lexington, Kentucky 40511. Individuals interested in being heard at this hearing shall notify this agency in writing by five workdays prior to the hearing, of their intent to attend. If no notification of intent to attend the hearing was received by that date, the hearing may be cancelled. A transcript of the public hearing will not be made unless a written request for a transcript is made. If you do not wish to be heard at the public hearing, you may submit written comments on the proposed administrative regulation. Written comments shall be accepted through September 30, 2023. Send written notification of intent to be heard at the public hearing or written comments on the proposed administrative regulation to the contact person.
CONTACT PERSON: Jennifer Wolsing, General Counsel, Kentucky Horse Racing Commission, 4063 Iron Works Parkway, Building B, Lexington, Kentucky 40511, phone (859) 246-2040, fax (859) 246-2039, email jennifer.wolsing@ky.gov.
REGULATORY IMPACT ANALYSIS AND TIERING STATEMENT
Contact Person:
Jennifer Wolsing
(1) Provide a brief summary of:
(a) What this administrative regulation does:
This administrative regulation establishes technical standards for sports wagering systems and establishes testing procedures to ensure the integrity of the systems.
(b) The necessity of this administrative regulation:
This administrative regulation is necessary to establish technical standards for sports wagering systems in the Commonwealth of Kentucky and a process by which the systems can be tested and certified by independent laboratories.
(c) How this administrative regulation conforms to the content of the authorizing statutes:
KRS 230.260(16)(a) requires the racing commission to promulgate regulations to establish standards related to sports wagering, including standards for "maintaining and auditing books and financial records, securely maintaining records of bets and wagers, integrity requirements for sports wagering and related data,. .. surveillance and monitoring systems, and other reasonable technical criteria related to conducting sports wagering." KRS 230.811(2) requires tracks and service providers to "comply with the standards established by the racing commission. .. to ensure the integrity of the system of sports wagering." KRS 230.805(g) establishes requirements for geolocation, technology, and servers.
(d) How this administrative regulation currently assists or will assist in the effective administration of the statutes:
This regulation assists in the effective administration of the statutes by establishing standards for sports wagering in Kentucky, including technical standards for sports wagering systems.
(2) If this is an amendment to an existing administrative regulation, provide a brief summary of:
(a) How the amendment will change this existing administrative regulation:
N/A. This is a new regulation.
(b) The necessity of the amendment to this administrative regulation:
N/A. This is a new regulation.
(c) How the amendment conforms to the content of the authorizing statutes:
N/A. This is a new regulation.
(d) How the amendment will assist in the effective administration of the statutes:
N/A. This is a new regulation.
(3) List the type and number of individuals, businesses, organizations, or state and local governments affected by this administrative regulation:
This regulation affects the licensed tracks that apply for and receive a license to conduct sports wagering in the Commonwealth. There are currently nine (9) licensed tracks operating in the Commonwealth. Each track is allowed to contract with up to three (3) service providers. Therefore, up to 27 service providers may be affected by this regulation. Independent testing labs that certify these systems will be impacted by this regulation. Additionally, there is an unknown number of patrons who will choose to engage in sports wagering.
(4) Provide an analysis of how the entities identified in question (3) will be impacted by either the implementation of this administrative regulation, if new, or by the change, if it is an amendment, including:
(a) List the actions that each of the regulated entities identified in question (3) will have to take to comply with this administrative regulation or amendment:
Licensed tracks and service providers offering sports wagering must observe the regulatory requirements when offering wagers. Independent testing labs must certify that sports wagering systems comply with the technical standards of this administrative regulation.
(b) In complying with this administrative regulation or amendment, how much will it cost each of the entities identified in question (3):
Compliance costs are uncertain, but licensed tracks and service providers offering sports wagering are likely to incur costs to comply with the regulations, including the cost of paying independent labs to certify their systems.
(c) As a result of compliance, what benefits will accrue to the entities identified in question (3):
Licensed tracks, independent testing laboratories, and service providers will benefit from having clear standards for sports wagering. Kentuckians will benefit from the effective administration of sports wagering.
(5) Provide an estimate of how much it will cost the administrative body to implement this administrative regulation:
(a) Initially:
It is estimated that the commission will spend approximately $2.4 million to implement sports wagering in Kentucky in the first year.
(b) On a continuing basis:
It is further estimated that the commission will spend approximately $1.2 million annually to continue regulating sports wagering in Kentucky on a yearly basis.
(6) What is the source of the funding to be used for the implementation and enforcement of this administrative regulation:
The funding to implement and enforce sports wagering in Kentucky will come from the sports wagering administrative fund, as established in KRS 230.817. The service providers will be required to pay the labs to test and certify their systems.
(7) Provide an assessment of whether an increase in fees or funding will be necessary to implement this administrative regulation, if new, or by the change if it is an amendment:
No increase in fees or funding will be necessary to implement this administrative regulation.
(8) State whether or not this administrative regulation establishes any fees or directly or indirectly increases any fees:
This regulation does not establish any new fees or increase any current fees.
(9) TIERING: Is tiering applied?
Tiering is not applied, because this amended regulation will apply similarly to all similarly situated entities in an equal manner.
FISCAL NOTE
(1) What units, parts, or divisions of state or local government (including cities, counties, fire departments, or school districts) will be impacted by this administrative regulation?
The Kentucky Horse Racing Commission will be affected by this administrative regulation.
(2) Identify each state or federal statute or federal regulation that requires or authorizes the action taken by the administrative regulation.
KRS 230.260(16), KRS 230.805, and KRS 230.811(2) authorize the actions taken by this regulation.
(3) Estimate the effect of this administrative regulation on the expenditures and revenues of a state or local government agency (including cities, counties, fire departments, or school districts) for the first full year the administrative regulation is to be in effect.
(a) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for the first year?
This regulation will not generate revenue during the first year.
(b) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for subsequent years?
This regulation will not generate revenue during subsequent years.
(c) How much will it cost to administer this program for the first year?
It is estimated that the commission will spend approximately $2.4 million in the first year to implement sports wagering in Kentucky.
(d) How much will it cost to administer this program for subsequent years?
It is further estimated that the commission will spend approximately $1.2 million annually to continue regulating sports wagering in Kentucky in subsequent years.
Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
Revenues (+/-):
Neutral
Expenditures (+/-):
Neutral
Other Explanation:
N/A
(4) Estimate the effect of this administrative regulation on the expenditures and cost savings of regulated entities for the first full year the administrative regulation is to be in effect.
(a) How much cost savings will this administrative regulation generate for the regulated entities for the first year?
This administrative regulation is not expected to generate cost savings for the regulated entities during the first year.
(b) How much cost savings will this administrative regulation generate for the regulated entities for subsequent years?
This administrative regulation is not expected to generate cost savings for the regulated entities during subsequent years.
(c) How much will it cost the regulated entities for the first year?
In the first year, licensed tracks offering sports wagering and service providers will likely incur costs to have their systems tested and certified by independent labs. Licensed tracks and service providers may incur additional costs to ensure compliance with the regulations.
(d) How much will it cost the regulated entities for subsequent years?
In subsequent years, service providers will likely incur costs to have their systems tested and certified by independent labs. Licensed tracks and service providers offering sports wagering may incur additional costs to ensure compliance with the regulations.
Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
Cost Savings (+/-):
None.
Expenditures (+/-):
Expenditures are uncertain. See (c) and (d) above.
Other Explanation:
N/A
(5) Explain whether this administrative regulation will have a major economic impact, as defined below.
"Major economic impact" means an overall negative or adverse economic impact from an administrative regulation of five hundred thousand dollars ($500,000) or more on state or local government or regulated entities, in aggregate, as determined by the promulgating administrative bodies. [KRS 13A.010(13)]. This regulation is not anticipated to have a major economic impact on Kentucky for the reasons stated above.
PUBLIC PROTECTION CABINET
Kentucky Horse Racing Commission
(New Administrative Regulation)
809 KAR 10:003.Technical requirements and oversight.
Section 1.
Sports Wagering Standards. A licensee shall use a sports wagering system to offer, conduct, or operate sports wagering in accordance with applicable laws and these regulations. Only an approved licensee may process, accept, offer, or solicit sports wagers.(1)
The licensee shall operate in conformity with the license conditions issued by the racing commission pursuant to KRS 230.290(3) and GLI-33 Standards.(2)
A sports wagering system shall meet the specifications established in subsection (1) of this section and these regulations. Failure to comply with the approved specifications, internal controls, or technical specifications may result in disciplinary action by the racing commission.Section 2.
Testing and Certification of Sports Wagering System. Prior to conducting sports wagering, and annually thereafter, the sports wagering system utilized by the licensee shall be submitted to a nationally recognized, independent testing laboratory approved by the racing commission for certification testing. Certification and racing commission approval shall be received prior to the use of any sports wagering system to conduct sports wagering. The licensee is responsible for all costs associated with testing and obtaining such certifications.(1)
To obtain a temporary license, a licensee may submit to the racing commission a certification report of an independent testing laboratory of a system in operation in another jurisdiction in the United States where the licensee is currently licensed or permitted. The report must certify the system to either the GLI-33 Standards or, at the discretion of the racing commission, a standard deemed to be the equivalent of the GLI-33 Standards. This alternative certification report must include a list of all critical files and associated signatures and an appendix which lists the differences of any controlled items or processes required to be certified in Kentucky which were not certified in the jurisdiction in which the report was issued. Upon review of the certification report, the racing commission will make a determination on whether to accept the certification or require additional information or documentation or testing.(2)
Unless otherwise authorized by the racing commission, the independent testing laboratory shall be provided access to the sports wagering system's controlled software source code along with the means to verify compilation of such source code. The result of the compiled source code shall be identical to that in the software submitted for evaluation.(3)
If the sports wagering system meets or exceeds the GLI-33 Standards and the commission's regulatory requirements in KAR Title 809, the independent testing laboratory approved by the racing commission shall certify the sports wagering system. Licensees are prohibited from offering sports wagering in Kentucky without such certification.Section 3.
Integration Requirements. The licensee shall be responsible for sports wagering offered by the licensee through other service providers and suppliers, and other licensees where applicable.(1)
The servers and equipment of service providers and suppliers will be considered part of the licensee's sports wagering system and shall comply with these regulations.(2)
The licensee shall guarantee that any integration with the servers and other equipment of another licensee is completed in a way that complies with these regulations.(3)
An independent testing laboratory shall conduct integration testing and certification for each server and other equipment with the licensee's sports wagering system prior to its deployment and as requested by the racing commission.Section 4.
Change Management Processes. The licensee shall submit change management processes to the racing commission for approval. The change management processes shall detail evaluation procedures for identifying the criticality of updates and determining which updates shall be submitted to the approved independent testing laboratory for review and certification.(1)
These change management processes shall be:(a)
Developed in accordance with the Kentucky Horse Racing Commission license conditions issued by the commission pursuant to KRS 230.290(3) and the GLI-CMP Guide;(b)
Approved by the racing commission prior to its deployment; and(c)
Available for audit by the racing commission or its designee at any time.(2)
Quarterly change reports shall be issued to the racing commission for review to ensure risk is being assessed according to the change management processes and all documentation for all changes to the critical components are complete.(3)
At least once annually, each product operating under the approved change management processes shall be fully certified to the specifications established in these regulations and other technical specifications as prescribed by the racing commission and accompanied by formal certification documentation from an independent testing laboratory. the licensee shall be allowed to seek approval for extension beyond the annual approval if hardship can be demonstrated. Granting of a hardship waiver is the sole discretion of the racing commission, upon written proof of good cause by the licensee.Section 5.
Geolocation Requirements. Mobile sports wagers shall be initiated, received, and otherwise placed in the authorized geographic boundaries within the Commonwealth of Kentucky.(1)
The geographic boundaries shall be approved by the racing commission.(2)
The licensee shall use geolocation or geofencing technology pursuant to KRS 230.805 and to monitor and block unauthorized attempts to place sports wagers when an individual or patron is physically outside the authorized geographic boundaries within the Commonwealth of Kentucky at the time the sports wager is placed.(3)
The licensee shall trigger:(a)
A geolocation check prior to the placement of the first wager after login or upon a change of IP address;(b)
Recurring periodic geolocation checks as follows:1.
For static connections, at least every twenty (20) minutes or five (5) minutes if within one (1) mile of the border; and2.
For mobile connections, at intervals to be based on a patron's proximity to the border with an assumed travel velocity of seventy (70) miles per hour or a demonstrated average velocity of a roadway/path, not to exceed twenty (20) minutes.(4)
Mechanisms shall be in place to detect software, programs, virtualization, and other technology that may obscure or falsify the patron's physical location for the purpose of placing sports wagers.(5)
The geolocation services used by the licensee shall be certified by the approved independent testing laboratory, including, without limitation, applicable field testing as authorized by the commission, before its deployment.(6)
The racing commission may enter into agreements with other jurisdictions or entities to facilitate, administer, and regulate multi-jurisdictional sports wagering by licensees pursuant to KRS 230.805.Section 6.
Data Security. A licensee's data security policies shall comply with KRS 230.805. Nothing in this section shall preclude the use of internet or cloud-based hosting of such data and information or disclosure as required by Commonwealth or federal law or a court order.Section 7.
Location of Servers, Security, and Cloud Storage. A licensee shall maintain in secure locations in the Commonwealth its primary servers used to transmit information for purposes of accepting or settling of wagers on a sporting event placed by patrons in the Commonwealth.(1)
The location of all other technology and servers used by a licensee in connection with sports wagering shall be approved by the racing commission and shall be accessible by the racing commission.(2)
The racing commission may approve of the use of internet or cloud-based hosting of duplicate data or data not related to transactional wagering data upon written request of a licensee.Section 8.
Integrity and Security Assessments. Each licensee shall run integrity and security assessments that comply with GLI-33 Standards.(1)
Each licensee shall, within ninety (90) calendar days after commencing operations in Kentucky, and annually thereafter, have integrity and security assessments of the sports wagering system conducted by a third-party contractor experienced in security procedures, including, without limitation, computer security and systems security. The third-party contractor shall be selected by the licensee and shall be subject to approval of the racing commission. Such integrity and security assessments shall include a review of the following:(a)
Network vulnerability;(b)
Application vulnerability;(c)
Application code;(d)
Wireless security;(e)
Security policy and processes;(f)
Security and privacy program management;(g)
Technology infrastructure and security controls;(h)
Security organization and governance; and(i)
Operational effectiveness.(2)
The scope of the integrity and security assessments is subject to approval of the racing commission and shall include the following:(a)
A vulnerability assessment of all digital platforms, Web sites, mobile applications, internal, external, and wireless networks with the intent of identifying vulnerabilities of all devices, the sports wagering systems, and applications transferring, storing, or processing Personally Identifiable Information or other sensitive information connected to or present on the networks;(b)
A penetration test of all digital platforms, Web sites, mobile applications, internal, external, and wireless networks to confirm if identified vulnerabilities of all devices, the sports wagering systems, and applications are susceptible to compromise;(c)
A review of the firewall rules to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets performed on all of the perimeter firewalls and the internal firewalls;(d)
A security control assessment conducted in accordance with the provisions outlined in the racing commission's regulations, including the technical security controls specified within the GLI-33 Standards, and with generally accepted professional standards approved by the racing commission.(e)
If a cloud service provider is in use, an assessment performed on the access controls, account management, logging and monitoring, and over security configurations of their cloud tenant; and(f)
An evaluation of information security services, payment services such as financial institutions and payment processors, geolocation services, and any other services which may be offered directly by the sports wagering licensee or involve the use of service providers.(3)
To qualify as a third-party contractor, the third-party contractor shall demonstrate to the commission's satisfaction, at minimum, the following qualifications:(a)
Relevant education background or in other ways provide relevant qualifications in assessing sports wagering systems;(b)
Certifications sufficient to demonstrate proficiency and expertise as a network penetration tester by recognized certification boards, either nationally or internationally; and(c)
At least three (3) years' experience performing integrity and security assessments on sports wagering systems; and(4)
The third-party contractor's full security audit report containing the overall evaluation of sports wagering in terms of each aspect of security shall be provided to the racing commission no later than thirty (30) calendar days after the assessment is conducted and shall include the following:(a)
Scope of review;(b)
Name and company affiliation, contact information, and qualifications of the individual or individuals who conducted the assessment;(c)
Date of assessment;(d)
Findings;(e)
Recommended corrective action, if applicable; and(f)
The licensee's response to the findings and recommended corrective action.(5)
It is acceptable to reuse the results of prior assessments within the past year conducted by the same third-party contractor when the testing was conducted pursuant to accepted industry standards as approved by the commission, such as International Organization for Standardization ("ISO")/International Electrotechnical Commission ("IEC") standards, the NIST Cybersecurity Framework ("CSF"), the Payment Card Industry Data Security Standards ("PCI-DSS"), or the equivalent. Such reuse shall be noted in the third-party contractor's security audit report. This reuse option does not include any critical components of a sports wagering system unique to the Commonwealth which will require fresh assessments.(6)
If the third-party contractor's security audit report recommends corrective action, the licensee shall provide the racing commission with a remediation plan and any risk mitigation plans which detail the Licensee's actions and schedule to implement the corrective action.(a)
The remediation and risk mediation plans shall be presented within a time period prescribed by the racing commission, which shall be based on at least the following factors:1.
The severity of the problem to be corrected;2.
The complexity of the problem to be corrected; and3.
The risks associated with the problem to be corrected.(b)
The commission may require suspension of operations until implementation of any critical corrective action(s).(c)
Once the corrective action has been taken, the licensee shall provide the racing commission with documentation evidencing completion.Section 9.
Quarterly Vulnerability Scans. Internal and external network vulnerability scans shall be run at least quarterly and after any significant change to the sports wagering system or network infrastructure.(1)
Testing procedures shall include protocol verifying that four (4) quarterly internal and external scans took place in the past twelve (12) months and that re-scans occurred until all "Medium Risk" (CVSS 4.0 or Higher) vulnerabilities were resolved or accepted via a formal risk acceptance program approved by the racing commission. Internal scans should be performed from an authenticated scan perspective. External scans can be performed from an uncredentialed perspective.(2)
The quarterly scans can be performed by either a qualified employee of the licensee or a qualified third-party contractor selected by the licensee and subject to approval of the racing commission.(3)
Verification of scans shall be submitted to the racing commission on a quarterly basis and within thirty (30) calendar days of running the scan. The scan verifications shall include a remediation plan and any risk mitigation plans for those vulnerabilities not able to be resolved. The commission may impose disciplinary action in the event of critical unresolved vulnerabilities or vulnerabilities that continue unabated.JONATHAN RABINOWITZ, Chair
RAY PERRY, Secretary
APPROVED BY AGENCY: July 10, 2023
FILED WITH LRC: July 10, 2023 at 4:00 p.m.
PUBLIC HEARING AND COMMENT PERIOD: A public hearing on this administrative regulation shall be held on September 22, 2023, at 9:00 a.m. at Kentucky Horse Racing Commission, 4063 Iron Works Parkway, Building B, Lexington, Kentucky 40511. Individuals interested in being heard at this hearing shall notify this agency in writing by five workdays prior to the hearing, of their intent to attend. If no notification of intent to attend the hearing was received by that date, the hearing may be cancelled. A transcript of the public hearing will not be made unless a written request for a transcript is made. If you do not wish to be heard at the public hearing, you may submit written comments on the proposed administrative regulation. Written comments shall be accepted through September 30, 2023. Send written notification of intent to be heard at the public hearing or written comments on the proposed administrative regulation to the contact person.
CONTACT PERSON: Jennifer Wolsing, General Counsel, Kentucky Horse Racing Commission, 4063 Iron Works Parkway, Building B, Lexington, Kentucky 40511, phone (859) 246-2040, fax (859) 246-2039, email jennifer.wolsing@ky.gov.
REGULATORY IMPACT ANALYSIS AND TIERING STATEMENT
Contact Person:
Jennifer Wolsing
(1) Provide a brief summary of:
(a) What this administrative regulation does:
This administrative regulation establishes technical standards for sports wagering systems and establishes testing procedures to ensure the integrity of the systems.
(b) The necessity of this administrative regulation:
This administrative regulation is necessary to establish technical standards for sports wagering systems in the Commonwealth of Kentucky and a process by which the systems can be tested and certified by independent laboratories.
(c) How this administrative regulation conforms to the content of the authorizing statutes:
KRS 230.260(16)(a) requires the racing commission to promulgate regulations to establish standards related to sports wagering, including standards for "maintaining and auditing books and financial records, securely maintaining records of bets and wagers, integrity requirements for sports wagering and related data,. .. surveillance and monitoring systems, and other reasonable technical criteria related to conducting sports wagering." KRS 230.811(2) requires tracks and service providers to "comply with the standards established by the racing commission. .. to ensure the integrity of the system of sports wagering." KRS 230.805(g) establishes requirements for geolocation, technology, and servers.
(d) How this administrative regulation currently assists or will assist in the effective administration of the statutes:
This regulation assists in the effective administration of the statutes by establishing standards for sports wagering in Kentucky, including technical standards for sports wagering systems.
(2) If this is an amendment to an existing administrative regulation, provide a brief summary of:
(a) How the amendment will change this existing administrative regulation:
N/A. This is a new regulation.
(b) The necessity of the amendment to this administrative regulation:
N/A. This is a new regulation.
(c) How the amendment conforms to the content of the authorizing statutes:
N/A. This is a new regulation.
(d) How the amendment will assist in the effective administration of the statutes:
N/A. This is a new regulation.
(3) List the type and number of individuals, businesses, organizations, or state and local governments affected by this administrative regulation:
This regulation affects the licensed tracks that apply for and receive a license to conduct sports wagering in the Commonwealth. There are currently nine (9) licensed tracks operating in the Commonwealth. Each track is allowed to contract with up to three (3) service providers. Therefore, up to 27 service providers may be affected by this regulation. Independent testing labs that certify these systems will be impacted by this regulation. Additionally, there is an unknown number of patrons who will choose to engage in sports wagering.
(4) Provide an analysis of how the entities identified in question (3) will be impacted by either the implementation of this administrative regulation, if new, or by the change, if it is an amendment, including:
(a) List the actions that each of the regulated entities identified in question (3) will have to take to comply with this administrative regulation or amendment:
Licensed tracks and service providers offering sports wagering must observe the regulatory requirements when offering wagers. Independent testing labs must certify that sports wagering systems comply with the technical standards of this administrative regulation.
(b) In complying with this administrative regulation or amendment, how much will it cost each of the entities identified in question (3):
Compliance costs are uncertain, but licensed tracks and service providers offering sports wagering are likely to incur costs to comply with the regulations, including the cost of paying independent labs to certify their systems.
(c) As a result of compliance, what benefits will accrue to the entities identified in question (3):
Licensed tracks, independent testing laboratories, and service providers will benefit from having clear standards for sports wagering. Kentuckians will benefit from the effective administration of sports wagering.
(5) Provide an estimate of how much it will cost the administrative body to implement this administrative regulation:
(a) Initially:
It is estimated that the commission will spend approximately $2.4 million to implement sports wagering in Kentucky in the first year.
(b) On a continuing basis:
It is further estimated that the commission will spend approximately $1.2 million annually to continue regulating sports wagering in Kentucky on a yearly basis.
(6) What is the source of the funding to be used for the implementation and enforcement of this administrative regulation:
The funding to implement and enforce sports wagering in Kentucky will come from the sports wagering administrative fund, as established in KRS 230.817. The service providers will be required to pay the labs to test and certify their systems.
(7) Provide an assessment of whether an increase in fees or funding will be necessary to implement this administrative regulation, if new, or by the change if it is an amendment:
No increase in fees or funding will be necessary to implement this administrative regulation.
(8) State whether or not this administrative regulation establishes any fees or directly or indirectly increases any fees:
This regulation does not establish any new fees or increase any current fees.
(9) TIERING: Is tiering applied?
Tiering is not applied, because this amended regulation will apply similarly to all similarly situated entities in an equal manner.
FISCAL NOTE
(1) What units, parts, or divisions of state or local government (including cities, counties, fire departments, or school districts) will be impacted by this administrative regulation?
The Kentucky Horse Racing Commission will be affected by this administrative regulation.
(2) Identify each state or federal statute or federal regulation that requires or authorizes the action taken by the administrative regulation.
KRS 230.260(16), KRS 230.805, and KRS 230.811(2) authorize the actions taken by this regulation.
(3) Estimate the effect of this administrative regulation on the expenditures and revenues of a state or local government agency (including cities, counties, fire departments, or school districts) for the first full year the administrative regulation is to be in effect.
(a) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for the first year?
This regulation will not generate revenue during the first year.
(b) How much revenue will this administrative regulation generate for the state or local government (including cities, counties, fire departments, or school districts) for subsequent years?
This regulation will not generate revenue during subsequent years.
(c) How much will it cost to administer this program for the first year?
It is estimated that the commission will spend approximately $2.4 million in the first year to implement sports wagering in Kentucky.
(d) How much will it cost to administer this program for subsequent years?
It is further estimated that the commission will spend approximately $1.2 million annually to continue regulating sports wagering in Kentucky in subsequent years.
Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
Revenues (+/-):
Neutral
Expenditures (+/-):
Neutral
Other Explanation:
N/A
(4) Estimate the effect of this administrative regulation on the expenditures and cost savings of regulated entities for the first full year the administrative regulation is to be in effect.
(a) How much cost savings will this administrative regulation generate for the regulated entities for the first year?
This administrative regulation is not expected to generate cost savings for the regulated entities during the first year.
(b) How much cost savings will this administrative regulation generate for the regulated entities for subsequent years?
This administrative regulation is not expected to generate cost savings for the regulated entities during subsequent years.
(c) How much will it cost the regulated entities for the first year?
In the first year, licensed tracks offering sports wagering and service providers will likely incur costs to have their systems tested and certified by independent labs. Licensed tracks and service providers may incur additional costs to ensure compliance with the regulations.
(d) How much will it cost the regulated entities for subsequent years?
In subsequent years, service providers will likely incur costs to have their systems tested and certified by independent labs. Licensed tracks and service providers offering sports wagering may incur additional costs to ensure compliance with the regulations.
Note: If specific dollar estimates cannot be determined, provide a brief narrative to explain the fiscal impact of the administrative regulation.
Cost Savings (+/-):
None.
Expenditures (+/-):
Expenditures are uncertain. See (c) and (d) above.
Other Explanation:
N/A
(5) Explain whether this administrative regulation will have a major economic impact, as defined below.
"Major economic impact" means an overall negative or adverse economic impact from an administrative regulation of five hundred thousand dollars ($500,000) or more on state or local government or regulated entities, in aggregate, as determined by the promulgating administrative bodies. [KRS 13A.010(13)]. This regulation is not anticipated to have a major economic impact on Kentucky for the reasons stated above.