Michigan Gaming Control Board (MGCB) Cybersecurity Compliance Standards
The rise of online gaming and sports betting has brought unprecedented opportunities—and cybersecurity risks—for licensed operators in Michigan. To protect player data, ensure platform integrity, and prevent fraud, the Michigan Gaming Control Board (MGCB) has implemented rigorous technical standards rooted in national and industry frameworks.
Operators licensed under the Michigan Gaming Control and Revenue Act (1996) and the Lawful Internet Gaming Act (2019) are held to high standards, including mandatory compliance with Gaming Laboratories International (GLI) Standard GLI-19: Interactive Gaming Systems, version 2.0. These requirements apply across platforms, games, payment systems, and responsible gaming databases.
Key GLI-19 Cybersecurity Requirements
The MGCB has incorporated GLI-19 by reference into the Michigan Administrative Code (R 432.614), creating a baseline of security controls across all licensed platforms. Here’s a breakdown of the technical expectations:
- System Security: Platforms must be hardened with firewalls, intrusion detection and prevention systems (IDPS), and secure communication protocols. In practice this means TLS 1.2 or later; SSL and early TLS versions are deprecated and should be disabled, not offered alongside TLS.
- Data Protection: Personal and financial data must be encrypted at rest (for example with AES-256) and in transit (TLS), with keys managed separately from the data they protect.
- Access Controls: Multi-factor authentication (MFA) and role-based access controls (RBAC) are required to restrict access to sensitive systems, so that an account is granted only the privileges its role needs.
- Audit Trails: Tamper-evident logging of all user and administrative activity is required to support investigations and compliance audits. Logs must be protected so that a later modification or deletion of a record can be detected.
- Vulnerability Management: Regular penetration testing and vulnerability scanning must be performed to identify and remediate risks, with findings tracked to closure.
- Incident Response: Operators must document and test cyber incident response and recovery plans, particularly for data breaches.
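The audit trail requirement above is usually met by making the log tamper-evident rather than relying on the database being trusted. The following is an added example, not code from the original page or from GLI-19, showing one common way to do that: each record carries an HMAC that also covers the previous record's HMAC, so altering or reordering any earlier record invalidates everything after it. The key name, record fields, and the sample events are constructed for this example; in a real deployment the key would be held by a separate logging service or HSM, not by the application that writes the events.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical log-signing key, constructed for this example only.
# In production it lives in an HSM/KMS and is not readable by the app
# whose actions are being logged, otherwise an attacker who owns the
# app can re-sign a rewritten history.
LOG_KEY = b"example-only-audit-log-key"

GENESIS = "0" * 64  # "previous MAC" value for the first record


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization so equal records always hash identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, actor: str, action: str, target: str, ts: str) -> dict:
    """Append one audit record whose MAC covers the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {
        "seq": len(chain),   # position in the chain; detects reordering
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "prev": prev,        # links this record to its predecessor
    }
    record["mac"] = hmac.new(LOG_KEY, _canonical(record), hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "mac"}
        # Sequence number and back-link must match the position we are at.
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(expected, record.get("mac", "")):
            return False, i
        prev = record["mac"]
    return True, None


def demo() -> tuple[bool, bool, Optional[int]]:
    """Build a small chain, then simulate an insider editing a stored record."""
    chain: list = []
    # Constructed sample events, not real data.
    append_event(chain, "admin.jdoe", "ROLE_GRANT", "user:4711", "2025-01-01T00:00:00+00:00")
    append_event(chain, "user:4711", "WITHDRAWAL", "amount:500.00", "2025-01-01T00:05:00+00:00")
    append_event(chain, "admin.jdoe", "SELF_EXCLUSION_REMOVE", "user:4711", "2025-01-01T00:09:00+00:00")
    ok_before, _ = verify_chain(chain)

    # Someone with write access to the log store rewrites the withdrawal amount.
    chain[1]["target"] = "amount:5.00"
    ok_after, bad_index = verify_chain(chain)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 1): intact before edit, record 1 flagged after
```

One caveat a practitioner should keep in mind: a chain like this detects modification, insertion and reordering, but not silent truncation of the most recent records, because the attacker simply drops the tail. To cover that, the current head MAC has to be anchored somewhere the log writer cannot change, for example pushed periodically to a separate system or published in a daily attestation that auditors can compare against.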
Certification is mandatory before any gaming system can operate. Platforms and games must undergo independent cybersecurity testing and receive approval from the MGCB or an authorized lab.
Consumer Data & Payment Protection
Operators are responsible for protecting the privacy and integrity of consumer data. Following the credential-stuffing and data-breach incidents disclosed in late 2022 and early 2023 that affected platforms such as DraftKings, FanDuel, and BetMGM, the Michigan Attorney General stressed the importance of robust breach notification processes and consumer protections. The MGCB expects operators to:
- Monitor for compromised credentials, since the DraftKings incident was driven by reused passwords rather than a platform vulnerability.
- Support only approved, secure payment methods (such as credit card and PayPal), with each method's handling of card and account data reviewed as part of the platform.
- Ensure all payment systems are designed to prevent unauthorized transactions.
Responsible Gaming Security
Security isn’t just about protecting finances—it also includes responsible gaming tools. Operators must secure:
- Self-Exclusion Databases like the Disassociated Persons List.
- Responsible Gaming Interfaces that allow users to manage their time and spending.
The MGCB requires that these systems are protected with access controls and regular audits to prevent data leaks or manipulation.
Enforcement and Oversight
The MGCB actively audits operators and coordinates with the Michigan Attorney General, State Police, and Department of Technology, Management, and Budget. In 2025 alone, 52 unlicensed offshore gaming sites were targeted with legal action; these sites operate outside the licensing regime entirely, so none of the security standards above apply to them or protect the Michigan players who use them.
Non-compliance with cybersecurity standards can lead to disciplinary action, including license revocation, cease-and-desist orders, and prosecution.
Risk Management Frameworks & Best Practices
Though GLI-19 is the primary benchmark, MGCB encourages alignment with additional cybersecurity frameworks, including:
- NIST SP 800-53 – A catalog of security and privacy controls that can be selected according to the results of a risk assessment.
- CIS Controls v8 – Offers prioritized, practical guidance.
- NIST SP 800-61 & SP 800-171 – For incident handling and for protecting sensitive data in non-federal systems, respectively.
Operators are expected to maintain an Asset Register that includes:
- Network maps and IP/non-IP inventory
- Inventory of communication devices, firewalls, software
- Documentation of network services and endpoint devices
For legacy systems, especially among smaller operators, hybrid compliance models may be necessary, combining updated policies and compensating controls around components that cannot be upgraded with expert external auditing.
Incident Reporting & Tribal Considerations
All cyberattacks must be promptly reported to the MGCB. While tribal casinos operate under National Indian Gaming Commission (NIGC) and tribal rules, MGCB still audits compact compliance, including security expectations when applicable.
Conclusion
Whether you’re operating an online sportsbook, retail casino, or tribal gaming entity with online components, cybersecurity is not optional—it’s a regulatory and reputational mandate. By adopting GLI-19 standards, aligning with federal frameworks, and implementing continuous monitoring, gaming operators can protect both their customers and their licenses.
Need help aligning with MGCB requirements or implementing a secure platform?
Contact The Saturn Partners to learn how our cybersecurity engineering and vSOC solutions can support your compliance and defense efforts.