Read the full stored bill text
A1549
ASSEMBLY, No. 1549
STATE OF NEW JERSEY
222nd LEGISLATURE
�
PRE-FILED FOR INTRODUCTION IN THE 2026 SESSION
Sponsored by:
Assemblyman CLINTON CALABRESE
District 36 (Bergen and Passaic)
SYNOPSIS
���� Establishes Gaming Cybersecurity Intelligence and
Response Council.
CURRENT VERSION OF TEXT
���� Introduced Pending Technical Review by Legislative
Counsel.
��
An Act
establishing the Gaming Cybersecurity
Intelligence and Response Council and supplementing Title 5 of the Revised
Statutes.
����
Be It
Enacted
by the Senate and General Assembly of
the State of New Jersey:
���� 1.� This act shall be known
and may be cited as the �Gaming Cybersecurity Intelligence and Response Council
Act.�
���� 2.� a.� There is established
in the Division of Gaming Enforcement the Gaming Cybersecurity Intelligence and
Response Council.� The purpose of the council shall be to facilitate strategic
coordination among regulators, operators, and cybersecurity experts to enhance
cybersecurity in the State�s gaming industry.
���� b.� The council shall be
comprised of seven members, as follows:
���� (1) the director of the
Division of Gaming Enforcement, or a designee;
���� (2) the director of the New
Jersey Office of Homeland Security and Preparedness, or a designee;
���� (3) three members, appointed
by the Governor, who shall be employed by, or represent, licensed casino and
sportsbook operators in this State; and
���� (4) two members, appointed by
the Governor, who shall be employed by, or represent, public institutions of
higher education with cybersecurity centers in this State.
���� c.� Any vacancy in the
membership of the council shall be filled in the same manner in which the
original appointment was made.
���� d.� The council shall be
entitled to call to its assistance and avail itself of the services of the
officials and employees of the State and its political subdivisions, and their
departments, boards, bureaus, commissions, and agencies as it may require and
as may be available to it for its purposes.
���� e.� The council shall convene
and hold its first meeting as soon as practicable after the appointment of its
members, and shall meet not less than twice per year thereafter.� At the
initial organizational meeting, the members shall elect a chairperson and
vice-chairperson from among the members of the council by a majority vote.� The
council may appoint a secretary, who need not be a member of the council. �
���� f.� Members of the council
shall serve without compensation but shall be reimbursed for necessary and
reasonable expenses incurred in the performance of their duties within the
limits of funds appropriated or otherwise made available to the council for its
purposes.
���� g.� The council may invite
representatives from appropriate federal agencies and national cybersecurity
organizations, including the Cybersecurity and Infrastructure Security Agency,
the Multi-State Information Sharing and Analysis Center, and the Federal Bureau
of Investigation to serve as non-voting observers or technical advisors to
support coordination and cybersecurity threat awareness.
���� h.� The council shall, at
regular intervals, but not less than twice per year, develop confidential
briefings and training exercises for casino licensees, sports wagering
licensees, and their employees, and disseminate cybersecurity threat alerts,
incident response protocols, and risk mitigation guidance. �These briefings,
exercises, and alerts shall be considered sensitive security information and
shall not be publicly disclosed.� Records and materials associated with such
briefings, exercises, and alerts shall not be considered �government records�
within the meaning of P.L.1963, c.73 (C.47:1A-1 et seq.). �Access to such
materials shall be limited to authorized personnel and licensees as determined
by the division in consultation with the New Jersey Cybersecurity and Communications
Integration Cell within the Office of Homeland Security and Preparedness. �Nothing
in this section shall require the disclosure of proprietary information, law
enforcement sensitive material, or operational cybersecurity procedures. �Participation
in briefings and training exercises may be prioritized for any licensee or
contracted operator determined by the division to present a heightened
cybersecurity risk.
���� i.� The council shall be
authorized to participate in the Multi-State Information Sharing and Analysis
Center and any other national or state-wide cybersecurity forums as may be
appropriate.
���� j.� The council may establish
subcommittees as necessary to address specific cybersecurity topics, including
but not limited to, incident response coordination, threat intelligence
sharing, training development, and regulatory recommendations.
���� k.� The council shall develop
and submit an annual report summarizing its activities and providing strategic,
high level recommendations for enhancing cybersecurity in the gaming industry.�
The report shall be submitted to the Governor and the Legislature pursuant to
section 2 of P.L.1991, c.164 (C.52:14-19.1), and published in accordance with
the safeguards set forth in this subsection.� The report shall include, at a
minimum:
���� (1) a non-sensitive summary of
cybersecurity trends and risks affecting the gaming sector in the preceding
calendar year, presented in aggregate and in de-identified format;
���� (2) an overview of council
activities, including briefings, training sessions, advisories, and external
coordination;
���� (3) an anonymized summary of
operator engagement and participation in council programs or voluntary
certification initiatives;
���� (4) policy, operational, or
regulatory recommendations to improve cybersecurity resilience in New Jersey�s
gaming industry; and
���� (5) a summary of collaboration
with national or federal cybersecurity organizations, excluding classified or
operational content.
���� The report shall be redacted
or presented in summary form to ensure that no information is disclosed that
could compromise cybersecurity defenses, weaken threat mitigation or incident
response efforts, expose system vulnerabilities, or interfere with ongoing
investigations.� No specific breach data, technical indicators, or operator
specific vulnerabilities shall be included in the public report.
���� 3.� This act shall take effect
immediately.
STATEMENT
���� This bill establishes the �Gaming
Cybersecurity Intelligence and Response Council Act.�
���� The bill establishes in the
Division of Gaming Enforcement the Gaming Cybersecurity Intelligence and
Response Council.� The purpose of the council will be to facilitate strategic
coordination among regulators, operators, and cybersecurity experts to enhance
cybersecurity in the State�s gaming industry.
���� Under the bill, the council will
be comprised of seven members, as follows:
���� (1) the director of the
Division of Gaming Enforcement, or a designee;
���� (2) the director of the New
Jersey Office of Homeland Security and Preparedness, or a designee;
���� (3) three members, appointed
by the Governor, who will be employed by, or represent, licensed casino and
sportsbook operators in this State; and
���� (4) two members, appointed by
the Governor, who will be employed by, or represent, public institutions of
higher education with cybersecurity centers in this State.
���� The bill permits the council to
invite representatives from appropriate federal agencies and national
cybersecurity organizations, including the Cybersecurity and Infrastructure
Security Agency, the Multi-State Information Sharing and Analysis Center, and
the Federal Bureau of Investigation to serve as non-voting observers or
technical advisors to support coordination and cybersecurity threat awareness.
���� The bill requires the council
to, at regular intervals, but not less than twice per year, develop
confidential briefings and training exercises for casino licensees, sports
wagering licensees, and their employees, and disseminate cybersecurity threat
alerts, incident response protocols, and risk mitigation guidance.� These
briefings, exercises, and alerts are to be considered sensitive security
information and will not be publicly disclosed.� Access to such materials is to
be limited to authorized personnel and licensees as determined by the division
in consultation with the New Jersey Cybersecurity and Communications
Integration Cell within the Office of Homeland Security and Preparedness.�
Participation in briefings and training exercises may be required for those
determined by the division to present a heightened cybersecurity risk.
���� The bill authorizes the
council to participate in the Multi-State Information Sharing and Analysis
Center and any other national or state-wide cybersecurity forums as may be
appropriate.� The council may also establish subcommittees as necessary to
address specific cybersecurity topics, including but not limited to, incident
response coordination, threat intelligence sharing, training development, and
regulatory recommendations.
���� The bill requires the council
to develop and submit an annual report summarizing its activities and providing
strategic, high level recommendations for enhancing cybersecurity in the gaming
industry.� The report will be submitted to the Governor and the Legislature and
will include, at a minimum:
���� (1) a non-sensitive summary of
cybersecurity trends and risks affecting the gaming sector in the preceding
calendar year, presented in aggregate and in de-identified format;
���� (2) an overview of council
activities, including briefings, training sessions, advisories, and external
coordination;
���� (3) an anonymized summary of
operator engagement and participation in council programs or voluntary
certification initiatives;
���� (4) policy, operational, or
regulatory recommendations to improve cybersecurity resilience in New Jersey�s
gaming industry; and
���� (5) a summary of collaboration
with national or federal cybersecurity organizations, excluding classified or
operational content.
���� The bill requires that the
report be redacted or presented in summary form to ensure that no information
is disclosed that could compromise cybersecurity defenses, weaken threat
mitigation or incident response efforts, expose system vulnerabilities, or
interfere with ongoing investigations.� No specific breach data, technical
indicators, or operator specific vulnerabilities is to be included in the
public report.