Protocol | Policy

There’s a 17-year-old cybersecurity rule at the center of the Robinhood hack

The last time the SEC's regulations governing cybersecurity at financial institutions were updated, Snoop Dogg's 'Drop It Like It's Hot' was dominating the charts.

Photo: SEC headquarters in Washington. Consumers have been dealing with a wave of cyberattacks. (Saul Loeb/AFP via Getty Images)

The data breach Robinhood recently disclosed sounds like the parade of hacks consumers have become numb to by 2021: Attackers fooled a customer support worker by phone, then gained access to millions of email addresses and tried to extort the company, Robinhood said.

Under current federal regulations, however, Robinhood's obligations to secure its systems before such a breach could happen were anything but modern by the standards of tech.

Cybersecurity requirements for brokerages are largely governed by an SEC rule from the year 2000, which even after an amendment a few years later requires companies to put in place little more than "written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."

The lack of specific cybersecurity requirements on Robinhood and other financial institutions — for instance, rules demanding encryption or multi-factor authentication — reflects an era when cyberattacks were far less sophisticated. At the time, policy-makers hoped to establish baseline standards for business behavior, rather than trying to keep up with the cutting edge of technology.

But as hackers obtain information on hundreds of millions of people in breach after breach and hold critical infrastructure hostage, even officials in other parts of the government have concluded that existing frameworks are insufficient to protect consumers' most delicate information and that updates are needed.

The FTC has its own rule, from 2003, on cybersecurity for financial institutions such as mortgage brokers and tax-prep firms that aren't under the SEC's purview. In October, however, the FTC announced an update to its regulation. The new rule, elements of which will become effective over the next year, is the culmination of a years-long process the FTC said was designed to address new technical trends and protect consumers.

"In the twenty years since the Rule was first issued, the complexity of information security has increased drastically, the use of computer networks in every aspect of life has expanded exponentially, and, most notably, an unending chain of damaging data breaches caused by inadequate security have cost Americans heavily," FTC chair Lina Khan and commissioner Rebecca Kelly Slaughter said in a statement supporting the new rules.

In contrast to the SEC's regulations, the new FTC rules include requirements for the use of encryption, multi-factor authentication, annual penetration testing, guardrails on access to information that employees don't need and disposal of some long-unused unnecessary data.

"It's become such a serious impact on the economy and on individuals' lives that it's now at that point" where the government wants to make changes, said Sharon Klein, chair of the privacy, security and data protection practice at the law firm Blank Rome.

Karthik Rangarajan, Robinhood's head of security, even testified at an FTC workshop last year. (Robinhood also engages in business lines other than brokering, such as cash management, that leave it subject to regulation by other agencies in addition to the SEC.) While Rangarajan didn't weigh in on every aspect of the FTC's proposal at the time, he did repeatedly tout the importance of having responsibility for cybersecurity programs lie "on the security team, or on the single person that is the designated head of security." Among its prescriptions, the newly updated FTC rule requires a single person to be identified as responsible for security.

The SEC's rules, by contrast, have few such mandates and were last updated in late 2004, when Snoop Dogg's "Drop It Like It's Hot" was dominating the charts. Still, the SEC's interpretation of what companies must do has evolved since George W. Bush's first presidential term.

The SEC regulations say "policies and procedures must be reasonably designed" to ensure security and protect records, a standard that has developed alongside more recent cybersecurity best practices and court cases. The agency does enforce those updated standards: It went after nine firms this year under those guidelines, all of which settled. Authorities may well find that the potential gaps in training, and the broad access to personal data that Robinhood customer service workers appear to have had prior to the breach, failed to meet the "reasonable" standard in place today, Klein said.

The Robinhood hackers, for instance, got access to "an internal tool that presented them the option of tampering with user accounts" as well as the ability to see user information including balances and trades, according to a Vice report.

"Even old school, it's going to be pretty easy to find a violation in terms of what I'll call the lack of cyber-discipline or -hygiene," Klein said.

Robinhood said it had not uncovered evidence the intruders made any changes, Vice reported. "Certain authorized Robinhood employees have the ability to update accounts as necessary to provide customer support or service accounts, as is standard at most financial institutions and platforms," the company said in a statement.

But breaches are a perennial problem only getting worse, and if companies are trying to do their best to tackle the problem, many are still confused about what their best looks like. In 2019, the SEC released a Risk Alert saying it had found companies regulated by its cybersecurity rule that weren't even writing down their own safeguards — the most basic requirement of the agency's regulation.

The alert also identified "written policies and procedures that contained numerous blank spaces designed to be filled in" and written policies that completely overlooked key issues such as personal devices, broadly disseminated passwords and poor physical data security, "such as in unlocked file cabinets in open offices."

Against that backdrop, policy-makers have been looking to tighten cybersecurity policy all around. The new FTC rules take after New York State financial regulations that went into effect in 2017, and President Joe Biden recently issued an executive order on cybersecurity. Congress, too, continues to bandy around its perennial frustrations with rules for notifications for cyber incidents.

Cybercrime is likely to keep rising, particularly since the pandemic sent many workers home to potentially less-secure environments, and firms with financial information make for particularly attractive targets for attackers.

"They need to only get that right once, and you have to get it right every time," Klein said.
