There’s a 17-year-old cybersecurity rule at the center of the Robinhood hack

The last time the SEC's regulations governing cybersecurity at financial institutions were updated, Snoop Dogg's 'Drop It Like It's Hot' was dominating the charts.

SEC headquarters in Washington

Consumers have been dealing with a wave of cyberattacks.

Photo: Saul Loeb/AFP via Getty Images

The data breach Robinhood recently disclosed sounds like the parade of hacks consumers have become numb to by 2021: Attackers fooled a customer support worker by phone, then gained access to millions of email addresses and tried to extort the company, Robinhood said.

Under current federal regulations, Robinhood's obligations to secure its systems before such a breach could happen, however, were anything but modern by the standards of tech.

Cybersecurity requirements for brokerages are largely governed by an SEC rule from the year 2000, which, even after an amendment a few years later, requires companies to put in place little more than "written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."

The lack of specific cybersecurity requirements on Robinhood and other financial institutions — for instance, rules demanding encryption or multi-factor authentication — reflects an era when cyberattacks were far less sophisticated. At the time, policy-makers hoped to establish baseline standards for business behavior, rather than trying to keep up with the cutting edge of technology.

But as hackers obtain information on hundreds of millions of people in breach after breach and hold critical infrastructure hostage, even officials in other parts of the government have concluded that existing frameworks are insufficient to protect consumers' most delicate information and that updates are needed.

The FTC has its own rule, from 2003, on cybersecurity for financial institutions such as mortgage brokers and tax-prep firms that aren't under the SEC's purview. In October, however, the FTC announced an update to its regulation. The new rule, elements of which will become effective over the next year, is the culmination of a years-long process the FTC said was designed to address new technical trends and protect consumers.

"In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily," FTC chair Lina Khan and commissioner Rebecca Kelly Slaughter said in a statement supporting the new rules.

In contrast to the SEC's regulations, the new FTC rules include requirements for the use of encryption, multi-factor authentication, annual penetration testing, guardrails on access to information that employees don't need and disposal of some long-unused unnecessary data.

"It's become such a serious impact on the economy and on individuals' lives that it's now at that point" where the government wants to make changes, said Sharon Klein, chair of the privacy, security and data protection practice at the law firm Blank Rome.

Karthik Rangarajan, Robinhood's head of security, even testified at an FTC workshop last year. (Robinhood also engages in business lines other than brokering, such as cash management, that leave it subject to regulation by other agencies in addition to the SEC.) While Rangarajan didn't weigh in on every aspect of the FTC's proposal at the time, he did repeatedly tout the importance of having responsibility for cybersecurity programs lie "on the security team, or on the single person that is the designated head of security." Among its prescriptions, the newly updated FTC rule requires a single person to be identified as responsible for security.

The SEC's rules, by contrast, have few such mandates and were last updated in late 2004, when Snoop Dogg's "Drop It Like It's Hot" was dominating the charts. Still, the SEC's interpretation of what companies must do has evolved since George W. Bush's first presidential term.

The SEC regulations say "policies and procedures must be reasonably designed" to ensure security and protect records, a standard that's developed alongside more recent cybersecurity best practices and court cases. The agency does enforce those more updated standards: It went after nine firms this year under those guidelines, all of which settled. Authorities may well find the potential gaps in training, and the broad access to personal data that Robinhood customer service workers appear to have had prior to the breach, failed to meet the "reasonable" standard in place today, Klein said.

The Robinhood hackers, for instance, got access to "an internal tool that presented them the option of tampering with user accounts" as well as the ability to see user information including balances and trades, according to a Vice report.

"Even old school, it's going to be pretty easy to find a violation in terms of what I'll call the lack of cyber-discipline or -hygiene," Klein said.

Robinhood said it had not uncovered evidence the intruders made any changes, Vice reported. "Certain authorized Robinhood employees have the ability to update accounts as necessary to provide customer support or service accounts, as is standard at most financial institutions and platforms," the company said in a statement.

But breaches are a perennial problem that is only getting worse, and even if companies are trying to do their best to tackle the problem, many are still confused about what their best looks like. In 2019, the SEC released a Risk Alert saying it had found companies regulated by its cybersecurity rule that weren't even writing down their own safeguards — the most basic requirement of the agency's regulation.

The alert also identified "written policies and procedures that contained numerous blank spaces designed to be filled in" and written policies that completely overlooked key issues such as personal devices, broadly disseminated passwords and poor physical data security, "such as in unlocked file cabinets in open offices."

Against that backdrop, policy-makers have been looking to tighten cybersecurity policy all around. The new FTC rules take after New York State financial regulations that went into effect in 2017, and President Joe Biden recently issued an executive order on cybersecurity. Congress, too, continues to bandy around its perennial frustrations with rules for notifications for cyber incidents.

Cybercrime is likely to keep rising, particularly since the pandemic sent many workers home to potentially less-secure environments, and firms with financial information make for particularly attractive targets for attackers.

"They need to only get that right once, and you have to get it right every time," Klein said.
