The New York State Department of Financial Services (DFS) has released a report calling for a new cybersecurity regulatory framework for social media companies, following its investigation into the high-profile Twitter hack of July 2020. The DFS found that Twitter lacked adequate cybersecurity measures and, at the time of the attack, had no chief information security officer (CISO).
In its investigation report, the DFS said that Twitter and other popular social media networks have no dedicated federal or state regulator to address the security risks inherent in their digital operating models. These companies are largely self-regulated and face little accountability for significant cybersecurity lapses. The DFS added that social media firms whose platforms reach millions of people globally should be designated as critical institutions subject to prudent cybersecurity regulation.
“The Department is issuing this report to alert consumers and voters as they prepare to exercise their basic rights in American democracy, in one of the most consequential elections in generations,” the DFS said.
The recommendations follow the report's account of how the Twitter hack unfolded and why it succeeded, which includes the following findings:
- The hackers gained access to Twitter's systems with a simple social-engineering technique: they phoned Twitter employees and claimed to be from Twitter's IT department. After duping four employees into handing over their login credentials, they hijacked the Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk, as well as several cryptocurrency companies regulated by the Department – accounts with millions of followers.
- From the hijacked accounts, the hackers tweeted simple "double your bitcoin" messages with a link for sending bitcoin payments. In the end, they stole over $118,000 worth of bitcoin from consumers.
- The Department's regulated cryptocurrency companies, Coinbase, Square, Gemini Trust Company, and Bitstamp, responded quickly to block attempted transfers to the Bitcoin addresses the fraudsters used.
- Despite being a global social media platform with over 330 million average monthly users in 2019, Twitter lacked adequate cybersecurity protection. At the time of the attack, Twitter had no chief information security officer, lacked adequate access controls and identity management, and lacked adequate security monitoring – some of the core measures required by the Department's first-in-the-nation cybersecurity regulation.
“Social media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cybersecurity. The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer. As we approach an election in fewer than 30 days, we must commit to greater regulatory oversight of large social media companies. The integrity of our elections and markets depends on it. The swift and effective response of DFS-regulated cryptocurrency companies illustrates how effective regulation can foster innovation and growth, while also protecting consumers,” said Superintendent of Financial Services Linda A. Lacewell.