As Ontario’s iGaming market grows, the cybersecurity expectations for operators are increasing. The Alcohol and Gaming Commission of Ontario (AGCO) requires all licensed iGaming operators to follow strict cybersecurity rules. In this article, we outline what iGaming operators in Ontario need to know about AGCO’s cybersecurity regulations. We will pay special attention to MFA requirements, best practices for implementation, and how to remain compliant in 2025 and beyond. 1. AGCO Cybersecurity Requirements: An Overview The Ontario Alcohol and Gaming Commission (AGCO) mandates strict cybersecurity standards in its Registrar’s Standards for Internet Gaming to be implemented by all Internet gaming licensees from licensed online casinos and sportsbooks. The standards aim to protect the integrity, security, and fairness of Ontario iGaming business. Key requirements include: Secure Authentication – operators must implement strong access controls to prevent unauthorized access to player data and internal systems. Access Management – only authorized staff should have access to sensitive systems based on job requirement and function. Data Protection – all sensitive data must be encrypted both in transit and at rest. System and Network Security – operators must use firewalls, anti-malware tools, and intrusion detection systems to protect their infrastructure. Ongoing Risk Assessments – regular evaluations must be conducted to identify and address cybersecurity risks. Incident Response and Recovery – there must be provisions for discovery, response, and recovery from cyber security incidents. Logging and Monitoring – systems log activity and access, with monitoring to detect suspicious behavior. Third-Party Security – third-party integrations and services must comply with the same level of security. While not all control is specified at a level of technical specifics, AGCO does expect that operators take a risk-based approach and apply security controls commensurate with the sensitivity of information and systems. MFA would be a central control in that context, and especially for protecting privileged access and sensitive user data. Requirement Area Checklist Items Access Control Role-based access is enforced across all systems Default/admin passwords are changed and secured Inactive user accounts are regularly reviewed and removed Access rights are reviewed periodically Secure Authentication Multi-Factor Authentication (MFA) is enabled for all privileged/admin users MFA is offered to all players as an optional feature Strong password policies are enforced No shared accounts are used for system access Data Protection Player data is encrypted in transit and at rest Sensitive data is...