There’s a 17-year-old cybersecurity rule at the center of the Robinhood hack

The last time the SEC's regulations governing cybersecurity at financial institutions were updated, Snoop Dogg's 'Drop It Like It's Hot' was dominating the charts.

SEC headquarters in Washington

Consumers have been dealing with a wave of cyberattacks.

Photo: Saul Loeb/AFP via Getty Images

The data breach Robinhood recently disclosed sounds like the parade of hacks consumers have become numb to by 2021: Attackers fooled a customer support worker by phone, then gained access to millions of email addresses and tried to extort the company, Robinhood said.

Under current federal regulations, Robinhood's obligations to secure its systems before such a breach could happen, however, were anything but modern by the standards of tech.

Cybersecurity requirements for brokerages are largely governed by an SEC rule from the year 2000, which even after an amendment a few years later requires companies to put in place little more than "written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."

The lack of specific cybersecurity requirements on Robinhood and other financial institutions — for instance, rules demanding encryption or multi-factor authentication — reflects an era when cyberattacks were far less sophisticated. At the time, policy-makers hoped to establish baseline standards for business behavior, rather than trying to keep up with the cutting edge of technology.

But as hackers obtain information on hundreds of millions of people in breach after breach and hold critical infrastructure hostage, even officials in other parts of the government have concluded that existing frameworks are insufficient to protect consumers' most delicate information and that updates are needed.

The FTC has its own rule, from 2003, on cybersecurity for financial institutions such as mortgage brokers and tax-prep firms that aren't under the SEC's purview. In October, however, the FTC announced an update to its regulation. The new rule, elements of which will become effective over the next year, is the culmination of a years-long process the FTC said was designed to address new technical trends and protect consumers.

"In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily," FTC chair Lina Khan and commissioner Rebecca Kelly Slaughter said in a statement supporting the new rules.

In contrast to the SEC's regulations, the new FTC rules include requirements for the use of encryption, multi-factor authentication, annual penetration testing, guardrails on employee access to information they don't need, and disposal of some long-unused, unnecessary data.

"It's become such a serious impact on the economy and on individuals' lives that it's now at that point" where the government wants to make changes, said Sharon Klein, chair of the privacy, security and data protection practice at the law firm Blank Rome.

Karthik Rangarajan, Robinhood's head of security, even testified at an FTC workshop last year. (Robinhood also engages in business lines other than brokering, such as cash management, that leave it subject to regulation by other agencies in addition to the SEC.) While Rangarajan didn't weigh in on every aspect of FTC's proposal at the time, he did repeatedly tout the importance of having responsibility for cybersecurity programs lying "on the security team, or on the single person that is the designated head of security." The newly updated FTC rule requires a single person to be identified as responsible for security as one of its prescriptions.

The SEC's rules, by contrast, have few such mandates and were last updated in late 2004, when Snoop Dogg's "Drop It Like It's Hot" was dominating the charts. Still, the SEC's interpretation of what companies must do has evolved since George W. Bush's first presidential term.

The SEC regulations say "policies and procedures must be reasonably designed" to ensure security and protect records, a standard that's developed alongside more recent cybersecurity best practices and court cases. The agency does enforce those more updated standards: It went after nine firms this year under those guidelines, all of which settled. Authorities may well find the potential gaps in training, and the broad access to personal data that Robinhood customer service workers appear to have had prior to the breach, failed to meet the "reasonable" standard in place today, Klein said.

The Robinhood hackers, for instance, got access to "an internal tool that presented them the option of tampering with user accounts" as well as the ability to see user information including balances and trades, according to a Vice report.

"Even old school, it's going to be pretty easy to find a violation in terms of what I'll call the lack of cyber-discipline or -hygiene," Klein said.

Robinhood said it had not uncovered evidence the intruders made any changes, Vice reported. "Certain authorized Robinhood employees have the ability to update accounts as necessary to provide customer support or service accounts, as is standard at most financial institutions and platforms," the company said in a statement.

But breaches are a perennial problem that is only getting worse, and even where companies are trying to do their best to tackle the problem, many remain confused about what their best looks like. In 2019, the SEC released a Risk Alert saying it had found companies regulated by its cybersecurity rule that weren't even writing down their own safeguards — the most basic requirement of the agency's regulation.

The alert also identified "written policies and procedures that contained numerous blank spaces designed to be filled in" and written policies that completely overlooked key issues such as personal devices, broadly disseminated passwords and poor physical data security, "such as in unlocked file cabinets in open offices."

Against that backdrop, policy-makers have been looking to tighten cybersecurity policy all around. The new FTC rules take after New York State financial regulations that went into effect in 2017, and President Joe Biden recently issued an executive order on cybersecurity. Congress, too, continues to bandy around its perennial frustrations with rules for notifications for cyber incidents.

Cybercrime is likely to keep rising, particularly since the pandemic sent many workers home to potentially less-secure environments, and firms with financial information make for particularly attractive targets for attackers.

"They need to only get that right once, and you have to get it right every time," Klein said.
