The data breach Robinhood recently disclosed sounds like the parade of hacks consumers have become numb to by 2021: Attackers fooled a customer support worker by phone, then gained access to millions of email addresses and tried to extort the company, Robinhood said.
Under current federal regulations, however, Robinhood's obligations to secure its systems before such a breach could happen were anything but modern by the standards of the tech industry.
Cybersecurity requirements for brokerages are largely governed by an SEC rule from the year 2000, which, even after an amendment a few years later, requires companies to put in place little more than "written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."
The lack of specific cybersecurity requirements on Robinhood and other financial institutions — for instance, rules demanding encryption or multi-factor authentication — reflects an era when cyberattacks were far less sophisticated. At the time, policy-makers hoped to establish baseline standards for business behavior, rather than trying to keep up with the cutting edge of technology.
But as hackers obtain information on hundreds of millions of people in breach after breach and hold critical infrastructure hostage, even officials in other parts of the government have concluded that existing frameworks are insufficient to protect consumers' most delicate information and that updates are needed.
The FTC has its own rule, from 2003, on cybersecurity for financial institutions such as mortgage brokers and tax-prep firms that aren't under the SEC's purview. In October, however, the FTC announced an update to its regulation. The new rule, elements of which will become effective over the next year, is the culmination of a years-long process the FTC said was designed to address new technical trends and protect consumers.
"In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily," FTC chair Lina Khan and commissioner Rebecca Kelly Slaughter said in a statement supporting the new rules.
In contrast to the SEC's regulations, the new FTC rules include requirements for the use of encryption, multi-factor authentication, annual penetration testing, guardrails on access to information that employees don't need, and disposal of long-unused, unnecessary data.
"It's become such a serious impact on the economy and on individuals' lives that it's now at that point" where the government wants to make changes, said Sharon Klein, chair of the privacy, security and data protection practice at the law firm Blank Rome.
Karthik Rangarajan, Robinhood's head of security, even testified at an FTC workshop last year. (Robinhood also engages in business lines other than brokering, such as cash management, that leave it subject to regulation by other agencies in addition to the SEC.) While Rangarajan didn't weigh in on every aspect of the FTC's proposal at the time, he did repeatedly tout the importance of having responsibility for cybersecurity programs lie "on the security team, or on the single person that is the designated head of security." Among its prescriptions, the newly updated FTC rule requires that a single person be identified as responsible for security.
The SEC's rules, by contrast, have few such mandates and were last updated in late 2004, when Snoop Dogg's "Drop It Like It's Hot" was dominating the charts. Still, the SEC's interpretation of what companies must do has evolved since George W. Bush's first presidential term.
The SEC regulations say "policies and procedures must be reasonably designed" to ensure security and protect records, a standard that's developed alongside more recent cybersecurity best practices and court cases. The agency does enforce those more updated standards: It went after nine firms this year under those guidelines, all of which settled. Authorities may well find the potential gaps in training, and the broad access to personal data that Robinhood customer service workers appear to have had prior to the breach, failed to meet the "reasonable" standard in place today, Klein said.
The Robinhood hackers, for instance, got access to "an internal tool that presented them the option of tampering with user accounts" as well as the ability to see user information including balances and trades, according to a Vice report.
"Even old school, it's going to be pretty easy to find a violation in terms of what I'll call the lack of cyber-discipline or -hygiene," Klein said.
Robinhood said it had not uncovered evidence the intruders made any changes, Vice reported. "Certain authorized Robinhood employees have the ability to update accounts as necessary to provide customer support or service accounts, as is standard at most financial institutions and platforms," the company said in a statement.
But breaches are a perennial problem that is only getting worse, and even if companies are trying to do their best to tackle the problem, many are still confused about what their best looks like. In 2019, the SEC released a Risk Alert saying it had found companies regulated by its cybersecurity rule that weren't even writing down their own safeguards — the most basic requirement of the agency's regulation.
The alert also identified "written policies and procedures that contained numerous blank spaces designed to be filled in" and written policies that completely overlooked key issues such as personal devices, broadly disseminated passwords and poor physical data security, "such as in unlocked file cabinets in open offices."
Against that backdrop, policy-makers have been looking to tighten cybersecurity policy all around. The new FTC rules take after New York State financial regulations that went into effect in 2017, and President Joe Biden recently issued an executive order on cybersecurity. Congress, too, continues to bandy around its perennial frustrations with rules for notifications for cyber incidents.
Cybercrime is likely to keep rising, particularly since the pandemic sent many workers home to potentially less-secure environments, and firms with financial information make for particularly attractive targets for attackers.
"They need to only get that right once, and you have to get it right every time," Klein said.