UKGC Withholds Operator Security Audit Data
Regulator cites costs to refuse release of compliance figures for mandatory Remote Technical Standards.
The UK Gambling Commission has refused a Freedom of Information request for data on operator compliance with mandatory security audits. Citing excessive costs, the regulator withheld figures on how many firms passed, failed, or were fined for non-compliance in 2023, leaving a gap in public knowledge regarding the cybersecurity of UK-licensed operators.
The UK Gambling Commission (UKGC) has declined to release key information regarding how many licensed gambling operators are complying with mandatory annual security standards, a Saferwager investigation can reveal.
In response to a Freedom of Information (FOI) request dated 14 December 2023, the regulator withheld all data on the success and failure rates of security audits for the 2023 calendar year, stating that the cost of retrieving the information would exceed the statutory limit.
Why This Data Matters
All UK-licensed remote gambling operators are required to undergo an annual security audit against the Remote Gambling and Software Technical Standards (RTS). These audits are a critical consumer protection measure, designed to ensure operators have robust systems to protect:
- Player account details and personal data
- Customer funds
- The integrity of gambling and betting systems
Without access to compliance data, it is impossible for the public and researchers to assess the overall health of the industry's cybersecurity posture or to know if operators are being held accountable for security failings.
Details of the Request and Refusal
The FOI request sought specific, aggregate figures on RTS compliance for 2023, asking for:
- The total number of operators required to complete an audit.
- How many successfully passed and submitted their report.
- How many failed to meet the requirements.
- The number of failures due to non-submission versus non-compliance.
- How many fines were issued for these failures.
The UKGC refused the entire request under Section 12 of the Freedom of Information Act, which allows public bodies to decline requests where the cost of processing would exceed £450, or 18 hours of staff time.
The Commission stated that while most of the requested data was "easily identifiable," one question proved problematic. The request asked how many operators used an ISO27001 audit (a common international security standard) as their evidence. The UKGC claimed that to answer this, it would need to manually review every single audit document submitted.
Because this single question was deemed too costly to answer, the regulator chose to withhold all information, including the compliance and enforcement data it had acknowledged was simple to retrieve.
A Gap in Transparency
The Commission's decision leaves consumers and the industry in the dark about fundamental security compliance. It is currently not public knowledge how many operators successfully met their security obligations in 2023, how many failed, or whether any regulatory action was taken as a result.
The refusal also raises questions about the UKGC's own data management processes, specifically why identifying the type of audit submitted by an operator is not a readily searchable data point.
While the UKGC invited the requester to submit a refined request, this initial refusal means that, for now, crucial information on the security and integrity of the UK's remote gambling sector remains unavailable for public scrutiny.