There’s a 17-year-old cybersecurity rule at the center of the Robinhood hack

The last time the SEC's regulations governing cybersecurity at financial institutions were updated, Snoop Dogg's 'Drop It Like It's Hot' was dominating the charts.

[Photo: SEC headquarters in Washington. Consumers have been dealing with a wave of cyberattacks. Credit: Saul Loeb/AFP via Getty Images]

The data breach Robinhood recently disclosed sounds like the parade of hacks consumers have become numb to by 2021: Attackers fooled a customer support worker by phone, then gained access to millions of email addresses and tried to extort the company, Robinhood said.

Under current federal regulations, however, Robinhood's obligations to secure its systems before such a breach could happen were anything but modern by the standards of tech.

Cybersecurity requirements for brokerages are largely governed by an SEC rule from the year 2000, which even after an amendment a few years later requires companies to put in place little more than "written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."

The lack of specific cybersecurity requirements on Robinhood and other financial institutions — for instance, rules demanding encryption or multi-factor authentication — reflects an era when cyberattacks were far less sophisticated. At the time, policy-makers hoped to establish baseline standards for business behavior, rather than trying to keep up with the cutting edge of technology.

But as hackers obtain information on hundreds of millions of people in breach after breach and hold critical infrastructure hostage, even officials in other parts of the government have concluded that existing frameworks are insufficient to protect consumers' most delicate information and that updates are needed.

The FTC has its own rule, from 2003, on cybersecurity for financial institutions such as mortgage brokers and tax-prep firms that aren't under the SEC's purview. In October, however, the FTC announced an update to its regulation. The new rule, elements of which will become effective over the next year, is the culmination of a years-long process the FTC said was designed to address new technical trends and protect consumers.

"In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily," FTC chair Lina Khan and commissioner Rebecca Kelly Slaughter said in a statement supporting the new rules.

In contrast to the SEC's regulations, the new FTC rules include requirements for encryption, multi-factor authentication, annual penetration testing, guardrails that keep employees from accessing information they don't need, and disposal of customer data that is no longer needed and has gone unused.

"It's become such a serious impact on the economy and on individuals' lives that it's now at that point" where the government wants to make changes, said Sharon Klein, chair of the privacy, security and data protection practice at the law firm Blank Rome.

Karthik Rangarajan, Robinhood's head of security, even testified at an FTC workshop last year. (Robinhood also engages in business lines other than brokering, such as cash management, that leave it subject to regulation by other agencies in addition to the SEC.) While Rangarajan didn't weigh in on every aspect of the FTC's proposal at the time, he did repeatedly tout the importance of having responsibility for cybersecurity programs lying "on the security team, or on the single person that is the designated head of security." Among its prescriptions, the newly updated FTC rule requires companies to designate a single person as responsible for their security program.

The SEC's rules, by contrast, have few such mandates and were last updated in late 2004, when Snoop Dogg's "Drop It Like It's Hot" was dominating the charts. Still, the SEC's interpretation of what companies must do has evolved since George W. Bush's first presidential term.

The SEC regulations say "policies and procedures must be reasonably designed" to ensure security and protect records, a standard that has developed alongside more recent cybersecurity best practices and court cases. The agency does enforce those more updated standards: It went after nine firms this year under those guidelines, all of which settled. Authorities may well find that the potential gaps in training, and the broad access to personal data that Robinhood customer service workers appear to have had prior to the breach, failed to meet the "reasonable" standard in place today, Klein said.

The Robinhood hackers, for instance, got access to "an internal tool that presented them the option of tampering with user accounts" as well as the ability to see user information including balances and trades, according to a Vice report.

"Even old school, it's going to be pretty easy to find a violation in terms of what I'll call the lack of cyber-discipline or -hygiene," Klein said.

Robinhood said it had not uncovered evidence the intruders made any changes, Vice reported. "Certain authorized Robinhood employees have the ability to update accounts as necessary to provide customer support or service accounts, as is standard at most financial institutions and platforms," the company said in a statement.
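The controls the FTC's updated rule calls for (least-privilege access, multi-factor authentication) and the failure mode in the Robinhood breach (a phished support login with broad account access) can be shown in one deny-by-default authorization gate for an internal support tool. The code below is an added example written for this article; it is not Robinhood's tool or anything from the FTC rule. The role names, the 200-account per-session cap, the five-minute step-up window and the scenario in `demo()` are all constructed assumptions.

```python
# Added example (not Robinhood's code): deny-by-default authorization for an
# internal customer-support tool. Roles, limits and the in-memory audit log
# are hypothetical.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    VIEW_PROFILE = "view_profile"      # name, email address
    VIEW_BALANCES = "view_balances"    # balances and trades
    UPDATE_ACCOUNT = "update_account"  # mutating: change contact details


# Least privilege: each role gets only the actions its job requires.
ROLE_ACTIONS: dict[str, set[Action]] = {
    "support_tier1": {Action.VIEW_PROFILE},
    "support_tier2": {Action.VIEW_PROFILE, Action.VIEW_BALANCES},
    "account_ops": {Action.VIEW_PROFILE, Action.VIEW_BALANCES, Action.UPDATE_ACCOUNT},
}

# Mutating actions need a fresh MFA step-up, separate from the login MFA,
# so a stolen session alone cannot tamper with accounts.
STEP_UP_REQUIRED = {Action.UPDATE_ACCOUNT}
STEP_UP_MAX_AGE_S = 300

# Cap on distinct accounts one session may touch: a phished support login
# should not be able to walk the whole customer table.
DISTINCT_ACCOUNT_CAP = 200


@dataclass
class Session:
    operator: str
    roles: frozenset[str]
    mfa_verified_at: float | None = None       # epoch seconds of last step-up
    accounts_touched: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list[dict] = []   # every decision, allowed or denied, is recorded


def authorize(session: Session, action: Action, account_id: str, now: float) -> Decision:
    """Return a Decision; deny unless role, step-up and volume checks all pass."""
    permitted = set().union(*(ROLE_ACTIONS.get(r, set()) for r in session.roles))
    if action not in permitted:
        decision = Decision(False, f"role lacks {action.value}")
    elif action in STEP_UP_REQUIRED and (
        session.mfa_verified_at is None or now - session.mfa_verified_at > STEP_UP_MAX_AGE_S
    ):
        decision = Decision(False, "mfa step-up required")
    elif account_id not in session.accounts_touched and len(session.accounts_touched) >= DISTINCT_ACCOUNT_CAP:
        decision = Decision(False, "per-session account cap reached")
    else:
        decision = Decision(True, "ok")
    AUDIT_LOG.append({"operator": session.operator, "action": action.value,
                      "account": account_id, "allowed": decision.allowed,
                      "reason": decision.reason, "at": now})
    if decision.allowed:
        session.accounts_touched.add(account_id)
    return decision


def demo() -> list[tuple[str, bool, str]]:
    """Constructed scenario: a phished tier-1 support session, then a legitimate operator."""
    now = 1_700_000_000.0
    phished = Session("support-0042", frozenset({"support_tier1"}))
    results = []
    d = authorize(phished, Action.VIEW_PROFILE, "acct-1", now)      # within role
    results.append(("view profile", d.allowed, d.reason))
    d = authorize(phished, Action.VIEW_BALANCES, "acct-1", now)     # outside role
    results.append(("view balances", d.allowed, d.reason))
    d = authorize(phished, Action.UPDATE_ACCOUNT, "acct-1", now)    # outside role
    results.append(("update account", d.allowed, d.reason))
    for i in range(DISTINCT_ACCOUNT_CAP + 5):                       # bulk harvesting attempt
        d = authorize(phished, Action.VIEW_PROFILE, f"acct-{i}", now)
    results.append(("bulk lookup", d.allowed, d.reason))
    ops = Session("ops-0007", frozenset({"account_ops"}), mfa_verified_at=now - 600)
    d = authorize(ops, Action.UPDATE_ACCOUNT, "acct-1", now)        # step-up too old
    results.append(("stale step-up", d.allowed, d.reason))
    ops.mfa_verified_at = now
    d = authorize(ops, Action.UPDATE_ACCOUNT, "acct-1", now)        # fresh step-up
    results.append(("fresh step-up", d.allowed, d.reason))
    return results


if __name__ == "__main__":
    for name, allowed, reason in demo():
        print(f"{name:15s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The point of the ordering is that a stolen session fails closed at the first check it cannot satisfy: a tier-1 login never reaches the account-update path no matter how it was obtained, a privileged operator still needs a recent step-up for each mutation, and the per-session cap turns a bulk scrape of email addresses into a denied request with an audit trail rather than a silent export.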

But breaches are a perennial problem that is only getting worse, and even companies trying to do their best are often confused about what their best looks like. In 2019, the SEC released a Risk Alert saying it had found companies regulated by its cybersecurity rule that weren't even writing down their own safeguards, the most basic requirement of the agency's regulation.

The alert also identified "written policies and procedures that contained numerous blank spaces designed to be filled in" and written policies that completely overlooked key issues such as personal devices, broadly disseminated passwords and poor physical data security, "such as in unlocked file cabinets in open offices."

Against that backdrop, policy-makers have been looking to tighten cybersecurity policy all around. The new FTC rules take after New York State financial regulations that went into effect in 2017, and President Joe Biden recently issued an executive order on cybersecurity. Congress, too, continues to debate rules for notification of cyber incidents without resolving its long-running frustrations with them.

Cybercrime is likely to keep rising, particularly since the pandemic sent many workers home to potentially less-secure environments, and firms with financial information make for particularly attractive targets for attackers.

"They need to only get that right once, and you have to get it right every time," Klein said.
