DFS calls for regulators to target social media companies after Twitter hack

New York’s Department of Financial Services has called for social media companies to be regulated as systemically important institutions, saying a July hack of multiple public figures’ Twitter accounts raised serious cybersecurity concerns.

In a 14 October report, DFS said the July hack demonstrated the need for regulation of social media companies’ cybersecurity policies.

It recommends that large social media companies be designated as systemically important institutions, modelled on the Dodd-Frank Act’s framework for systemically important financial institutions (SIFIs).

DFS said its own cybersecurity regulations – which require organisations it supervises to have comprehensive, risk-based cybersecurity programmes – had established an “effective” regulatory approach and would be a “good model” for social media companies to follow.

But it said an effective cybersecurity regulation for social media companies “should go even further”, as it targeted a smaller but more complex group of entities.

It said the US Congress should create an analogous institution to the Financial Stability Oversight Council, which designates SIFIs, to identify which social media companies should be considered systemically important.

Those institutions should be subjected to “enhanced regulation”, including stress tests to assess their vulnerability to cyber-attacks and other forms of interference.

Although DFS has no formal remit over social media companies, New York’s governor Andrew Cuomo asked it to investigate Twitter in July, after hackers stole over US$118,000 from Twitter users by taking over the accounts of numerous public figures – including former US president Barack Obama, Amazon and Tesla CEOs Jeff Bezos and Elon Musk, and Kimberly Kardashian West, a reality television star. The hackers also targeted the accounts of several cryptoasset companies.

The hackers used their possession of those widely-followed accounts to tweet out a “double your bitcoin” scam. DFS noted that “for several hours Twitter seemed unable to stop the hack”.

The hackers used “basic techniques more akin to a traditional scam artist” to accomplish their hack, the regulator said, impersonating figures from the company’s information technology department. “The extraordinary access the hackers obtained with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences,” it said.

“Given that Twitter is a publicly traded, US$37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account,” the regulator remarked.

Twitter published a statement following the breach, saying it was “accelerating several pre-existing security workstreams and improvements to our tools.” It also said it would improve its methods for “detecting and preventing inappropriate access” to internal systems.

GBRR contacted Twitter for comment, but did not receive a response prior to publication.

DFS praised the three cryptoasset companies whose Twitter accounts were targeted by the hack – Coinbase, Gemini and Square – for rapidly blocking the bitcoin addresses posted on their accounts. It noted that a survey of 22 crypto companies not targeted by the hack showed that 15 blocked transfers to those addresses.

In August the alleged hacker, 17-year-old Graham Clark, pleaded not guilty to 30 counts of fraud in the Tampa Circuit Court in Florida. A 19-year-old British man, Mason Sheppard, and Orlando-based Nima Fazeli have also been charged in connection with the incident and have likewise pleaded not guilty.
