Title 809 | Chapter 010 | Regulation 003


SUPERSEDED
This document is no longer current.
View Current Regulation
PREVIOUS VERSION
The previous document that this document is based upon is available.
View Previous Version
PUBLIC PROTECTION CABINET
Kentucky Horse Racing Commission
(Amended at ARRS Committee)

809 KAR 10:003.Technical requirements and oversight.

Section 1.

Sports Wagering Standards. A licensee shall use a sports wagering system to offer, conduct, or operate sports wagering in accordance with KRS Chapter 230 and KAR Titles 809 and 810applicable laws and these regulations. Only an approved licensee may process, accept, offer, or solicit sports wagers.

(1)

The licensee shall operate in conformity with the license conditions issued by the racing commission pursuant to KRS 230.290(2) and (3) and GLI-33 Standards.

(2)

A sports wagering system shall meet the requirementsspecifications established in subsection (1) of this section and KAR Title 809these regulations. Failure to comply with the requirementsapproved specifications, internal controls, or technical specifications may result in disciplinary action by the racing commission.

Section 2.

Testing and Certification of Sports Wagering System. Prior to conducting sports wagering, and annually thereafter, the sports wagering system utilized by the licensee shall be submitted to ana nationally recognized, independent testing laboratory approved by the racing commission in the best interests of sports wagering for certification testing. Certification and racing commission approval shall be received prior to the use of any sports wagering system to conduct sports wagering. The licensee shall beis responsible for all costs associated with testing and obtaining ofsuch certifications.

(1)

To obtain a temporary license, a licensee may submit to the racing commission a certification report of an independent testing laboratory of a system in operation in another jurisdiction in the United States where the licensee is currently licensed or permitted. The report shallmust certify the system to either the GLI-33 Standards or, at the discretion of the racing commission, a standard deemed to be the equivalent of the GLI-33 Standards. This alternative certification report shallmust include a list of all critical files and associated signatures and an appendix thatwhich lists the differences of any controlled items or processes required to be certified in Kentucky which were not certified in the jurisdiction in which the report was issued. Upon review of the certification report, the racing commission shallwill make a determination on whether to accept the certification or require additional information, or documentation, or testing.

(2)

Unless otherwise authorized by the racing commission, the independent testing laboratory shall be provided access to the sports wagering system's controlled software source code, along with the means to verify compilation of thesuch source code. The result of the compiled source code shall be identical to that in the software submitted for evaluation.

(3)

If the sports wagering system meets or exceeds the GLI-33 Standards and the commission's regulatory requirements in KAR Title 809, the independent testing laboratory approved by the racing commission in the best interests of sports wagering shall certify the sports wagering system. Licensees shall not offerare prohibited from offering sports wagering in Kentucky without such certification.

Section 3.

Integration Requirements. The licensee shall be responsible for sports wagering offered by the licensee through other service providers and suppliers, and other licensees ifwhere applicable.

(1)

The servers and equipment of service providers and suppliers shallwill be considered part of the licensee's sports wagering system and shall comply with these regulations.

(2)

The licensee shall guarantee that any integration with the servers and other equipment of another licensee is completed in a way that complies with KAR Title 809these regulations.

(3)

An independent testing laboratory shall conduct integration testing and certification for each critical server and other equipment with the licensee's sports wagering system prior to its deployment and as requested by the racing commission.

Section 4.

Change Management Processes. The licensee shall submit change management processes to the racing commission for approval pursuant to subsection (1) of this section. The change management processes shall includedetail evaluation procedures for identifying the criticality of updates and determining which updates shall be submitted to the approved independent testing laboratory for review and certification.

(1)

These Change management processes shall be:

(a)

Developed in accordance with the Kentucky Horse Racing Commission license conditions issued by the commission pursuant to KRS 230.290(3) and the GLI-CMP Guide;

(b)

Approved by the racing commission prior to its deployment in accordance with this administrative regulation; and

(c)

Available for audit by the racing commission or its designee at any time.

(2)

Quarterly change reports shall be issued to the racing commission for review to ensure risk is being assessed according to the change management processes and all documentation for all changes to the critical components isare complete.

(3)

At least once annually, each product operating under the approved change management processes shall be fully certified to comply with KAR Titles 809 and 810the specifications established in these regulations and other technical conditions in accordance with KRS 230.290(3)specifications as prescribed by the racing commission and shall be accompanied by formal certification documentation from an independent testing laboratory. The licensee mayshall be allowed to seek approval for an extension beyond the annual approval if hardship can be demonstrated. Granting of a hardship waiver shall be atis the sole discretion of the racing commission, upon written proof of good cause by the licensee.

Section 5.

Geolocation Requirements. Mobile sports wagers shall be initiated, received, and otherwise placed in the authorized geographic boundaries within the Commonwealth of Kentucky.

(1)

The geographic boundaries shall be approved by the racing commission.

(2)

The licensee shall use geolocation or geofencing technology pursuant to KRS 230.805 and to monitor and block unauthorized attempts to place sports wagers ifwhen an individual or patron is physically outside the authorized geographic boundaries within the Commonwealth of Kentucky at the time the sports wager is placed.

(2)(3)

The licensee shall trigger:

(a)

A geolocation check prior to the placement of the first wager after login or upon a change of IP address;

(b)

Recurring periodic geolocation checks as follows:

1.

For static connections, at least every twenty (20) minutes or five (5) minutes if within one (1) mile of the border; and

2.

For mobile connections, at intervals to be based on a patron's proximity to the border with an assumed travel velocity of seventy (70) miles per hour or a demonstrated average velocity of a roadway/path, not to exceed twenty (20) minutes.

(3)(4)

Mechanisms shall be in place to detect software, programs, virtualization, and other technology that couldmay obscure or falsify the patron's physical location for the purpose of placing sports wagers.

(4)(5)

The geolocation services used by the licensee shall be certified by an authorized, independent testing laboratory approved by the commission in the best interests of sports wagering. The commission or its designee may conduct applicable field testing upon certificationthe approved independent testing laboratory, including, without limitation, applicable field testing as authorized by the commission, before its deployment.

(5)(6)

The racing commission may enter into agreements with other jurisdictions or entities to facilitate, administer, and regulate multi-jurisdictional sports wagering by licensees pursuant to KRS 230.805.

Section 6.

Data Security. A licensee's data security policies shall comply with KRS 230.805. Nothing in this section shall preclude the use of internet or cloud-based hosting of such data and information or disclosure as required by Commonwealth or federal law or a court order.

Section 7.

Location of Servers, Security, and Cloud Storage. A licensee shall maintain in secure locations in the Commonwealth its primary servers used to transmit information for purposes of accepting or settling of wagers on a sporting event placed by patrons in the Commonwealth.

(1)

The location of all other technology and servers used by a licensee in connection with sports wagering shall be approved by the racing commission in the bests interests of sports wagering and shall be accessible by the racing commission.

(2)

The racing commission, based on good cause identified by the licensee, may approve of the use of internet or cloud-based hosting of duplicate data or data not related to transactional wagering data upon written request of a licensee.

Section 8.

Integrity and Security Assessments. Each licensee shall run integrity and security assessments that comply with GLI-33 Standards.

(1)

Each licensee shall, within ninety (90) calendar days after commencing operations in Kentucky, and annually thereafter, have integrity and security assessments of the sports wagering system conducted by a third-party contractor experienced in security procedures, including, without limitation, computer security and systems security. The third-party contractor shall be selected by the licensee and shall be subject to approval of the racing commission in accordance with subsection (3) of this section. Such Integrity and security assessments shall include a review of the following:

(a)

Network vulnerability;

(b)

Application vulnerability;

(c)

Application code;

(d)

Wireless security;

(e)

Security policy and processes;

(f)

Security and privacy program management;

(g)

Technology infrastructure and security controls;

(h)

Security organization and governance; and

(i)

Operational effectiveness.

(2)

The scope of the integrity and security assessments shall beis subject to approval of the racing commission and shall be based oninclude the following:

(a)

A vulnerability assessment of all digital platforms, Web sites, mobile applications, internal, external, and wireless networks with the intent of identifying vulnerabilities of all devices, the sports wagering systems, and applications transferring, storing, or processing personally identifiable information or other sensitive information connected to or present on the networks;

(b)

A penetration test of all digital platforms, Web sites, mobile applications, internal, external, and wireless networks to confirm if identified vulnerabilities of all devices, the sports wagering systems, and applications are susceptible to compromise;

(c)

A review of the firewall rules to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets performed on all of the perimeter firewalls and the internal firewalls;

(d)

A security control assessment conducted in accordance with the provisions established in KAR Title 809outlined in the racing commission's regulations, including the technical security controls establishedspecified within the GLI-33 Standards, and with generally accepted professional standards approved by the racing commission.

(e)

If a cloud service provider is in use, an assessment performed on the access controls, account management, logging and monitoring, and over security configurations of their cloud tenant; and

(f)

An evaluation of information security services, payment services such as financial institutions and payment processors, geolocation services, and any other services that couldwhich may be offered directly by the sports wagering licensee or involve the use of service providers.

(3)

To qualify as a third-party contractor, the third-party contractor shall demonstrate to the commission's satisfaction, at minimum, the following qualifications:

(a)

Relevant education background or in other ways provide relevant qualifications in assessing sports wagering systems;

(b)

Certifications sufficient to demonstrate proficiency and expertise as a network penetration tester by recognized certification boards, either nationally or internationally; and

(c)

At least three (3) years' experience performing integrity and security assessments on sports wagering systems.; and

(4)

The third-party contractor's full security audit report containing the overall evaluation of sports wagering in terms of each aspect of security shall be provided to the racing commission no later than thirty (30) calendar days after the assessment is conducted and shall include the following:

(a)

Scope of review;

(b)

Name and company affiliation, contact information, and qualifications of the individual or individuals who conducted the assessment;

(c)

Date of assessment;

(d)

Findings;

(e)

Recommended corrective action, if applicable; and

(f)

The Licensee's response to the findings and recommended corrective action, if applicable.

(5)

The licensee mayIt is acceptable to reuse the results of prior assessments within the past year conducted by the same third-party contractor ifwhen the testing was conducted pursuant to accepted industry standards as approved by the commission, such as International Organization for Standardization ("ISO")/International Electrotechnical Commission ("IEC") standards, the NIST Cybersecurity Framework ("CSF"), the Payment Card Industry Data Security Standards ("PCI-DSS"), or the equivalent. Such Reuse shall be noted in the third-party contractor's security audit report. This reuse option shalldoes not include any critical components of a sports wagering system unique to the Commonwealth thatwhich will require fresh assessments.

(6)

If the third-party contractor's security audit report recommends corrective action, the licensee shall provide the racing commission with a remediation plan and any risk mitigation plans that statewhich detail the licensee's actions and schedule to implement the corrective action.

(a)

The remediation and risk mediation plans shall be presented within a time period establishedprescribed by the racing commission, which shall be based on at least the following factors:

1.

The Severity of the problem to be corrected;

2.

The Complexity of the problem to be corrected; and

3.

The Risks associated with the problem to be corrected.

(b)

After considering the factors established in paragraph (a)1. through 3. of this subsection and in the best interests of sports wagering, the commission may require suspension of operations until implementation of any critical corrective actionaction(s).

(c)

Once the corrective action has been taken, the licensee shall provide the racing commission with documentation evidencing completion.

Section 9.

Quarterly Vulnerability Scans. Internal and external network vulnerability scans shall be run at least quarterly and after any significant change to the sports wagering system or network infrastructure.

(1)

Testing procedures shall include protocol verifying that four (4) quarterly internal and external scans took place in the past twelve (12) months and that re-scans occurred until all "Medium Risk" (CVSS 4.0 or Higher) vulnerabilities were resolved or accepted via a formal risk acceptance program approved by the racing commission. Internal scans shallshould be performed from an authenticated scan perspective. External scans maycan be performed from an uncredentialed perspective.

(2)

The quarterly scans shallcan be performed by either a qualified employee of the licensee or a qualified third-party contractor selected by the licensee and subject to approval of the racing commission pursuant to Section 8(3) of this section.

(3)

Verification of scans shall be submitted to the racing commission on a quarterly basis and within thirty (30) calendar days of running the scan. The scan verifications shall include a remediation plan and any risk mitigation plans for those vulnerabilities not able to be resolved. The commission may, in accordance with Section 8(6)(a)1. through 3. of this administrative regulation and in the best interests of sports wagering, impose disciplinary action in the event of critical unresolved vulnerabilities or vulnerabilities that continue unabated.

HISTORY: (50 Ky.R. 547, 1332, 1509; eff. 4-2-2024.)

FILED WITH LRC: December 11, 2023
CONTACT PERSON: Jennifer Wolsing, General Counsel, Kentucky Horse Racing Commission, 4063 Iron Works Parkway, Building B, Lexington, Kentucky 40511, phone (859) 246-2040, fax (859) 246-2039, email jennifer.wolsing@ky.gov.

7-Year Expiration: 4/2/2031

Last Updated: 7/1/2024


Page Generated: 9/19/2024, 12:15:11 PM