iGaming Cyber Incident Response: What to Do in the First 72 Hours
When a breach occurs, operators who have rehearsed their response contain it in hours. Operators who haven't contain it in days — or don't contain it at all. The difference in cost between a 4-hour response and a 4-day response is measured in millions. This guide gives you the exact playbook for the first 72 hours.
Operators with incident response plans contain breaches 3x faster than those without.
Hour 0–4: Initial Containment
- Invoke your incident response plan — designate incident commander, assemble team
- Isolate affected systems immediately — disconnect, don't power off (preserve forensic evidence)
- Preserve logs — ensure SIEM/log retention is not overwriting during the incident
- Initial scope assessment — what systems, what data, what is the blast radius?
- Internal escalation — CEO, Legal, Compliance must be notified within hours, not days
- Engage external IR support if in-house capability is insufficient
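The "preserve logs" and "isolate, don't power off" steps only pay off later if the evidence you keep can be shown to be unmodified. The following is an added example, not Kyanite Blue's tooling or anything from the original page: a small Python helper that snapshots the log files an incident commander points it at into a case evidence directory, records a SHA-256 manifest with collection times and collector name, marks the copies read-only, and can re-verify the manifest later. File names, the case identifier and the sample log contents in `demo()` are constructed for illustration.

```python
"""Hypothetical evidence-snapshot helper for the Hour 0-4 'preserve logs' step.
Added example; not part of the original guide or any vendor product."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir, case_id, collector):
    """Copy each source file into <evidence_dir>/<case_id>/ and write MANIFEST.json
    (hash, size, source mtime, collection time, collector). Copies are made
    read-only: the point is to preserve, never to edit."""
    dest_root = Path(evidence_dir) / case_id
    dest_root.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, sources)):
        digest_before = sha256_file(src)
        dest = dest_root / f"{i:03d}_{src.name}"   # index prefix avoids basename clashes
        shutil.copy2(src, dest)                     # copy2 keeps the source mtime for the timeline
        digest_after = sha256_file(dest)
        if digest_before != digest_after:
            # The file changed while we copied it: the log is still being written or rotated.
            raise RuntimeError(f"{src} changed during copy; stop rotation and retry")
        os.chmod(dest, 0o440)
        entries.append({
            "source": str(src),
            "evidence_copy": str(dest),
            "sha256": digest_after,
            "size_bytes": dest.stat().st_size,
            "source_mtime_utc": datetime.fromtimestamp(src.stat().st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"case_id": case_id, "entries": entries}
    (dest_root / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir, case_id):
    """Return the evidence copies whose current hash no longer matches the manifest."""
    root = Path(evidence_dir) / case_id
    manifest = json.loads((root / "MANIFEST.json").read_text())
    return [e["evidence_copy"] for e in manifest["entries"]
            if sha256_file(Path(e["evidence_copy"])) != e["sha256"]]


def demo():
    """Constructed sample: two fake log files in a temp dir, preserved, verified,
    then one copy is tampered with to show that verification catches it."""
    work = Path(tempfile.mkdtemp())
    auth = work / "auth.log"
    auth.write_text("Jan 10 02:01:07 player-db-01 sshd[4211]: Accepted publickey for svc_backup\n")
    app = work / "app.log"
    app.write_text("2025-01-10T02:03:44Z WARN export job wrote 1.2 GB to external host\n")
    evidence = work / "evidence"
    manifest = preserve_logs([auth, app], evidence, "CASE-EXAMPLE-001", "ir-commander")
    clean = verify_manifest(evidence, "CASE-EXAMPLE-001")
    copy = Path(manifest["entries"][0]["evidence_copy"])
    os.chmod(copy, 0o640)
    with open(copy, "a") as f:
        f.write("tampered line\n")
    tampered = verify_manifest(evidence, "CASE-EXAMPLE-001")
    return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from the host being isolated (or from a forensic jump host with the logs mounted read-only) before any rotation or retention job can overwrite the files; the manifest travels with the evidence and is what you hand to external IR or the regulator when asked how the logs were collected.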
Hour 4–24: Assessment and Notification Decisions
- Determine if the incident involves personal data — if yes, GDPR clock is running
- DORA major incident classification: if this meets DORA criteria, MGA must be notified within 4 hours of classification
- GDPR: if there is likely high risk to individuals, IDPC must be notified within 72 hours
- Legal hold: preserve all evidence, do not delete or overwrite anything
- Player communications: assess whether direct notification is required or prudent
Hour 24–72: Remediation and Regulatory
- Root cause identification: how did they get in, what did they access, what did they take?
- Submit the MGA notification if the incident is a DORA-classified major incident
- Submit the IDPC GDPR notification if personal data is confirmed or likely to be involved
- Begin remediation: patch the vulnerability, reset credentials, review access controls
- External communications: if media attention is likely, prepare coordinated statement
Frequently Asked Questions
Should we pay the ransom if we are hit by ransomware?
Law enforcement universally advises against paying. Payment does not guarantee recovery, marks you as a viable target for future attacks, and may have legal consequences if the group is sanctioned. BlackFog prevents ransomware from completing the exfiltration phase that drives double-extortion demands.
How do we notify the MGA of a breach?
Use the MGA's official Player Protection and Cybersecurity Reporting Portal. For DORA-classified major incidents, the initial notification must be made within 4 hours. You will need: incident timeline, systems affected, estimated data impact, and initial containment actions taken.
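The two regulatory clocks in the Hour 4-24 section (4 hours from DORA classification for the MGA, 72 hours for the IDPC under GDPR) and the four items the MGA portal submission needs are easy to lose track of during a live incident. The following is an added example, not Kyanite Blue's tooling or part of the original page: a small Python incident record that computes both deadlines from the timestamps the team records, reports how much time is left at any given moment, and lists which of the four required submission fields are still empty. Whether GDPR notification is required is left as a flag set by Legal/DPO rather than decided in code. The case identifier, timestamps and log entries in `demo()` are constructed for illustration.

```python
"""Hypothetical notification-deadline tracker for the 72-hour playbook.
Added example; not part of the original guide or any vendor product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
DORA_INITIAL_WINDOW = timedelta(hours=4)   # from DORA major-incident classification (per the guide)
GDPR_WINDOW = timedelta(hours=72)          # from becoming aware of the breach (per the guide)


@dataclass
class Incident:
    case_id: str
    aware_at: datetime                                 # when the operator became aware of the breach
    dora_classified_at: Optional[datetime] = None      # set once classified as a DORA major incident
    gdpr_notification_required: Optional[bool] = None  # decided by Legal/DPO; None = not yet decided
    # The four items the MGA portal submission asks for, filled in as the response progresses.
    timeline: list = field(default_factory=list)
    systems_affected: list = field(default_factory=list)
    estimated_data_impact: str = ""
    containment_actions: list = field(default_factory=list)


def notification_deadlines(inc: Incident) -> dict:
    """Return the regulatory deadlines that currently apply, keyed by regulator."""
    deadlines = {}
    if inc.dora_classified_at is not None:
        deadlines["MGA (DORA initial)"] = inc.dora_classified_at + DORA_INITIAL_WINDOW
    if inc.gdpr_notification_required:
        deadlines["IDPC (GDPR)"] = inc.aware_at + GDPR_WINDOW
    return deadlines


def deadline_status(inc: Incident, now: datetime) -> dict:
    """For each applicable deadline: due time, minutes remaining (negative = late), overdue flag."""
    status = {}
    for name, due in notification_deadlines(inc).items():
        remaining = due - now
        status[name] = {
            "due": due.isoformat(),
            "remaining_minutes": int(remaining.total_seconds() // 60),
            "overdue": remaining < timedelta(0),
        }
    return status


def missing_mga_fields(inc: Incident) -> list:
    """Which of the four required MGA submission items are still empty."""
    required = {
        "timeline": inc.timeline,
        "systems_affected": inc.systems_affected,
        "estimated_data_impact": inc.estimated_data_impact,
        "containment_actions": inc.containment_actions,
    }
    return [name for name, value in required.items() if not value]


def demo() -> dict:
    """Constructed scenario: aware at 02:00 UTC, DORA-major at 05:30, Legal confirms
    GDPR notification is required; status checked at 09:00 and again at 10:00."""
    inc = Incident("CASE-EXAMPLE-001", aware_at=datetime(2025, 1, 10, 2, 0, tzinfo=UTC))
    inc.timeline.append("02:00 SOC alert: unusual outbound transfer from player-db-01")
    inc.containment_actions.append("02:25 player-db-01 disconnected from network, not powered off")
    inc.dora_classified_at = datetime(2025, 1, 10, 5, 30, tzinfo=UTC)
    inc.gdpr_notification_required = True
    return {
        "status_0900": deadline_status(inc, datetime(2025, 1, 10, 9, 0, tzinfo=UTC)),
        "status_1000": deadline_status(inc, datetime(2025, 1, 10, 10, 0, tzinfo=UTC)),
        "missing": missing_mga_fields(inc),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In the constructed scenario the MGA deadline is 09:30, so at 09:00 the incident commander has 30 minutes and at 10:00 the initial notification is already late, while the IDPC clock still has 65 hours; the checklist shows that systems affected and estimated data impact have not yet been filled in, which is exactly what the portal submission would be rejected for.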
Build your incident response plan with our team
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.